The 9th International Conference for Young Computer Scientists
Propagation Model of Active Worms in P2P Networks
Chaosheng Feng, Zhiguang Qin
School of Computer Science & Engineering
University of Electronic Science and
Technology of China
Chengdu, China
jamesjiangfeng@163.com
Abstract
P2P worms pose heavy threatens to P2P networks.
P2P worms exploit common vulnerabilities in member
hosts of a P2P network and spread topologically in the
P2P network, a potentially more effective strategy than
random scanning for locating victims. Considering
that the topology of P2P networks has important effect
on P2P active worm spreading, it is very difficult to
model propagation of P2P active worms. For this
reason, so far few propagation models are proposed.
In this paper, we propose a propagation model of
active worms in P2P networks based the discrete-time
method. The analysis on simulation results shows that
there exists some threshold value during spreading of
active worms and different infection strategies result in
different infection results in P2P networks.
Keywords: Active worms, model, propagation,
simulation, P2P networks
1. Introduction
Peer-to-peer (P2P) overlay networks enjoy
enormous and ever increasing popularity in real-life
deployment. Listed on the website of Kazaa, a popular
P2P software, there have been almost 39 millions
downloads in total and more than 0.8 millions
downloads in a single week (November 14, 2005) [1].
The eDonkey2000 network alone typically has over 2
million users connected at any given time [2], while
the number of users of the BitTorrent[3] , the most
popular P2P file-transferring system, is more than 10
millions.
The widely-deployed P2P systems used by end
users, however, have strong security implications. P2P
networks provide an ideal venue for new types of
worms that prey on common vulnerabilities on the
hosts in a P2P network. These worms identify new
978-0-7695-3398-8/08 $25.00 © 2008 IEEE
DOI 10.1109/ICYCS.2008.237
Laurence Cuthbet, Laurissa Tokarchuk
Department of the Electronic Engineering
Queen Mary, University of London
London, UK
victims simply by following P2P neighbor information
on infected hosts. They are different from the currently
popular scanning worms, which probe addresses
randomly for new victims, in three important ways.
First, they spread much faster, since they do not waste
time probing unused IP addresses. Second, they do not
generate high rates of failed connections. Finally, they
can blend into the normal traffic patterns of the P2P
network. The lack of abnormal network behavior
makes P2P worms a potentially more deadly threat
because most existing defense mechanisms against
scanning worms are no longer effective. Because the
number of subscribers to a P2P network such as
BitTorrent is estimated to be in the millions, P2P
worms have the potential to compromise a significant
fraction of the Internet population[4].
In this paper, we focus on studying unstructured P2P
file-sharing networks such as BitTorrent and eDonkey.
Most worms target these networks. Our purpose is to
model the spreading of P2P active worms in P2P
networks. In next section, we will introduce active
worms in detail. This paper contributes as follows.
1) Propose a propagation model of P2P active
worms based on the discrete-time method.
2) Use numerical simulating software, which is
developed by us ourselves, to simulate.
3) Refer to the impact of varying initial infection
strategies on worm spreading.
The rest of this paper is organized as follows. We
simply introduce the existing studies of worm
propagation in Section 2. In Section 3, we present a
propagation model of active worms. In Section 4, we
analyze the properties of worm spreading with
simulating experiments. Finally we conclude in
Sections 5.
2. Related work
2.1. P2P Worm Classification
1908
 According to scanning strategies, Worms can be
classified into two classes. one is called as scanning
worms, and the other non-scanning worms. Many
notorious Internet worms employ a random scanning
strategy to find the potential victims. P2P worms tend
to use neighbor list to find the potential victims instead
of scanning, so P2P worms are non-scanning.
According to different attacking ways, we identify three
types of non-scanning worms that could leverage P2P
networks: passive worms that hide themselves in
malicious files and trick users into downloading and
opening them; reactive worms that only propagate with
legitimate network activities; and active worms that
automatically connect to and infect known peers using
topological information [5]. Note that the reactive and
active worms are analogous to contagion and
topological worms.
2.2. P2P Networks
A P2P networks is a group of Internet nodes that
construct their own special-purpose networks on top of
the Internet. Such a system performs application level
routing on top of IP routing. There are two types of P2P
networks: structured P2P and unstructured P2P
networks. The structured P2P networks are systems in
which nodes organize themselves in an orderly fashion,
while unstructured P2P networks are ones in which
nodes organize themselves randomly. Structured P2P
networks boast an efficient lookup mechanism by
means of DHTs (Distributed Hash Tables). In the
structured P2P system, all P2P nodes maintain the same
topology degree, which defines the number of
neighbors for each P2P node. For example, one node in
d-dimensional CAN maintains 2d neighbors [6].
Conversely, unstructured P2P networks use mostly
broadcast search, like the BitTorrent system [7]. In this
system, the topology degree is a variable for each P2P
node. In this paper, we use BitTorrent system to
represent the generalized unstructured P2P networks.
2.3. Existing Modeling Work on Worms
Modeling and analysis of the propagation of worms
have been studied for several years. Staniford et al.
used the classical simple epidemic model to model the
spread of Code Red worm [1,8]. They also concluded
that P2P system is well suitable for contagion worm
propagation, but they didn't give detailed modeling and
analysis. Zou et al. presented two-factor worm model
that considered human countermeasures and network
congestion effect [9].Chen et al. presented discrete-time
version worm model that considered patching and
cleaning effect [10]. Yu et al. researched propagation
1909
models of Peer-to-Peer system-based worms in
Internet[11,12,13]. Existing work on P2P networks
shows that the P2P topologies approximately power-
law distributions[14,15].
3. P2P active worm propagation model
Studying worm propagation using the aggregated
properties of P2P networks typically assumes a static
topology, in which a node stores the addresses of all
neighbors with which it had communicated. P2P
networks are complex systems and it may not be
feasible to use an analytical approach to model worm
propagations without making overly simplified
assumptions. Instead we present a unified simulation
framework, driven by a P2P workload model, to study
the active P2P worms. To model in the discrete-time
method, it is necessary to explain these parameters and
assumptions employed in the following model.
3.1. Model Parameters and Assumptions
The intent of our modeling is to predict the
propagation behaviors of a worm which spreads
through a P2P network. We make the simplifying
assumption as follows.
1) The topology of P2P networks is unchanged,
including the number of peers and the degree
distribution. This assumption is reasonable for the
reason that P2P active worms spread very fast.
2) It takes a time unit that a peer transits from a state
to another.
Table 1. Parameters in models
Parameters Descriptive
S(t) Proportion of susceptible peers at time unit
t. Here, S(t)+I(t)=1
I(t) Proportion of infected hosts at time unit t.
Sk(t) Proportion of susceptible peers among all
peers(susceptible or infected) with degree k
at time unit t. Here, Sk(t)+Ik(t)=1
Ik(t) Proportion of infected peers among all
peers(susceptible or infected) with degree k
at time unit t.
β Average infection probability, at which a
susceptible peer is infected by an infected
neighbor.
γ Average recovery probability, at which an
infected peer returns to be susceptible.
~ Average degree of a P2P networks
k
P (k ) Proportion of peers with degree k among all
peers.
 In order to formally analyze attack strategies and
epidemiological modeling of P2P worms, we list the
most parameters in table 1, which will have an impact
on worm attack effects.
3.2. SIS Model
To address the effect of the topology of P2P
networks in epidemic spreading we shall use the SIS
epidemiological model. In this model, peers can only
exist in two discrete states, namely, susceptible and
infected. These states completely neglect the details of
the infection mechanism within each individual. The
P2P active worm transmission is also described in an
effective way. At each time unit, each susceptible node
is infected with probability β if it is connected to one
infected nodes. At the same time, infected nodes are
cured and become again susceptible with
probability γ . Peers run stochastically through the
cycle susceptible → infected → susceptible, hence the
name of the model. The SIS model does not take into
account the possibility of peer removal due to death or
acquired immunization.
Lemma 1 In a P2P network with initial infected nodes,
the probability that any susceptible node is infected is
p = βkΘ( I (t )),
kp( k ) I k (t ) ~ + (1 − γ )
where Θ( I (t )) = ∑ ∑ sP(s)
k
= k −1
s
Proof ： for any node with degree k , beacuse the ratio
of the number of infected neighbor nodes to the one
of all neighbor nodes is I k ( t ), there are kI k ( t ) nodes
infected in all its neighbors. Thus, the average number
of infected neighbors in the network is
Because the average number of neighbor nodes is
~
k = ∑ s
sP ( s ), the average infected proportati on of
kp ( k ) I k ( t )
neighborso f a node is ∑ or
k ∑
s
sP ( s )
~ −1
k
k
∑kp ( k ) I k ( t ), which is denoted as Θ ( I (t )).
Because a node with degree k has kΘ ( I (t )) intected
neighbor node and the probabilit y ofa susceptibl e node components, such as infected probability and initial
being infected by one of its infected neigbors β , therfore, infected peers. Almost all the peers are initialized to be
the probabilit y that the node is infected attime t is
p = β k Θ ( I (t )).
Theorem 1 In a time unit, the rate at which the
proportion of infected node among all nodes with
degree k changes is
I k (t＋1） − I k (t ) = β k (1 − I k (t ))Θ( I (t )) − γI k (t ) Proo
f: According to Lemma 1, a susceptible node with
degree k is infected by the probability of β kΘ( I (t )) .
And at time unit t, the proportion of susceptible nodes
among all nodes with degree k is (1 − I k (t )) . Hence,
there are β k (1 − I k (t ))Θ( I (t )) susceptible nodes to
become infected in a time unit. Meanwhile, there are
γI k (t ) infected nodes returning to be susceptible.
Therefore, the change rate of the proportion of infected
nodes with degree k in a time unit is
I k (t＋1） − I k (t ) = β k (1 − I k (t ))Θ( I (t )) − γI k (t )
Theorem 2 In a time unit, the change rate of the
proportion of infected nodes in a P2P network is
~
I ( t + 1) − I ( t ) = β k (1 − Θ ( I ( t ))) Θ ( I ( t )) − γ I ( t )
Proof:
I k (t＋1） − I k (t ) = βk (1 − I k (t ))Θ( I (t )) − γI k (t )
I k (t＋1） = βk (1 − I k (t ))Θ( I (t )) + (1 − γ ) I k (t )
p( k ) I k (t＋1）
= βkp( k )(1 − I k (t ))Θ( I (t )) + (1 − γ ) p( k ) I k (t )
⎛ ⎞
∑ p(k ) I k (t＋1） = β ⎜⎜
⎝
∑ kp(k ) −∑ kp(k ) I ⎟
k (t ) ⎟Θ( I (t ))
⎠
k k k
∑ p ( k ) I k (t )
∑ kp(k ) I
k
k (t ) k
~ ~
I (t + 1) − I (t ) = β ( k − k Θ( I (t )))Θ( I (t ) − γI (t )
~
I (t + 1) − I (t ) = βk (1 − Θ( I (t )))Θ( I (t )) − γI (t )
∑ kp ( k ) I
k
k ( t ). 4. Simulation experiments
4.1. Simulation Description
In order to analyze and study on the propagation
properties of P2P active worms, we implemented a
simulation system based on the simulation platform
Peersim. Simulating involves in two steps. First, we
use the Brite ， a popular topology generator, to
generate a power-law topology. Second, we run the
simulation software with the topology to get simulation
results. The simulator first initializes various
susceptible and only quit a few nodes are initialized to
be infected. To clearly compare theory values with
simulation values, we put them on the same plots. To
1910
simplify simulation, the same assumptions are abided Figure 4 examines the effect of initial infected peers
by in the simulator. with varying degrees on the propagation of active
worms. Intuitively, for the initial infected peers with
4.2. Simulation Evaluation larger degrees, the active worm would spread faster
and reach the steady state with larger stationary and
According to Figure 1-3, no matter what the value of constant value of prevalence of infected peers. Figure
δ (= β / γ ) (called as valid infection rate) is, when it 4, however, shows that for initial infected peers with
reaches or surpass some value(the threshold), the varying degrees, the values of prevalence are same.
epidemic spreading of P2P active worms will reach an Indeed, initial infected peers with larger degrees will
endemic state with stationary and constant value of the lead to faster spreading of active worms, which
prevalence of infected peers. Moreover, when it suggests that the propagation of active can be throttled
reached or surpass some larger value, all peers will be by keeping those peers with larger degrees from
infected(Figure 1). On the contrary, when it is smaller worms.
than the threshold, all peers will be susceptible in some
time(Figure 3). 0.5

Proportion of Infected Peers

1.2 0.45
Proportion of Infected Peers

0.4 Selected infection(Max)

1
Delta=90
0.35 Random infection
0.8
Delta=70 0.3 Selected infection(Min)

0.6 Delta=50 0.25

0.2
0.4
0.15
0.2 0.1
0.05
0
1 3 5 7 9 11 13 15 17
0
Time Units 1 7 13 19 25 31 37 43 49 55 61 67 73 79
Figure 1. The simulation results with varied Time Units
values of δ (large)
Figure 4: Comparison of infectious prevalence with
1 different infection strategies Selected infection(Max)
Proportion of infected peers

0.9
0.8 refer to the case of initial infected peers with 10
0.7 maximum degrees, while Selected infection(Min) with
0.6 Delta=2/3
0.5 Delta=1
10 minimum degrees.
0.4
Delta=2
0.3
0.2 5. Conclutions
0.1
0
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29
Time Units
In this paper, we aim at modeling P2P active worm
propagation in the discrete-time method. Large scale
Figure 2. The simulation results with varied values simulations are done in P2P networks with scale-free
of δ (middle) topology. According to the simulation results, we
analyze on the spreading properties of active worms in
P2P networks. The analysis on simulation results shows
0.18 that there exists some threshold value during spreading
Proportion of infected peers

0.16 of active worms. When the valid propagation rate

0.14 Delta=0.2 reaches or surpass the threshold value, the epidemic
0.12 Delta=0.1
0.1
spreading of P2P active worms will reach an endemic
Delta=0.05
0.08 state with constant value of the prevalence of infected
0.06 peers. Or else the infection dies out fast. The simulation
0.04 results also shows that different infection strategies
0.02 result in different infection results, which is helpful for
0
us to propose the methods of throttling spreading of
1 3 5 7 9 11 13 15 17 19 21
worms.
Time Units

Figure 3. The simulation results with varied

values of δ (small)
Acknowledgment

1911
 The author would like to thank the anonymous
reviewers for their valuable comments and suggestions
that improve the presentation of this paper. This work is
supported by the National Natural Science Foundation
of China under Grant No.60473090 and the joint
research project funded by the Royal Society in the UK
and by the National Natural Science Foundation of
China (NSFC) under Grant No.60711130232. This
work is also supported by the important project of
Sichuan Normal University of China under Grant
No.07ZD018.
References
[1] S. Staniford, V. Paxson, and N.Weaver. How to Own the
Internet in Your Spare Time. In Proceedings of the 11th
USENIX Security Symposium, San Francisco, CA, Aug.2002.
[2] “eDonkey2000 server list,” http://ocbmaurice.no-
ip.org/slist/serverlist.html.
[3] Bittorrent Protocol Specification v1.0,
http://www.bitconjurer.org/BitTorrent/protocol.html
[4] L. Zhou, L. Zhang, F. McSherry, N. immorlica,M. Costa,
and S. Chien. A first look at peer-to-peer worms: Threats and
defenses. In Proceedings of the 4thInternationalWorkshop on
Peer-to-Peer Systems, Ithaca,NY, Feb. 2005.
[5] Guanling Chen,Robert S. Gray. Simulating non-scanning
worms on peer-to-peer networks. In Proceedings of the 1st
international conference on Scalable information systems,
Hong Kong, China, 2006.
[6] S. Ratnasamy, “A Scalable Content Addressable
Network”, Proceedings of ACM SigComm. , San Diego,
2001.
1912
[7] M. Ripeanu, I. Foster, “Mapping the Gnutella Network:
Macroscopic Properties of Large-Scale Peer-to-Peer
Systems”, Proceedings of 1-thInternational Workshop on
Peer-to-Peer Systems(IPTPS), 2002.
[8] D. Moore, C. Shannon, and k claffy. Code-Red: a case
study on the spread and victims of an Internet worm. In
Proceedings of the Second ACM Internet Measurement
Workshop, 2002.
[9] C. C. Zou, W. Gong, and D.Towsley, "Code Red Worm
Propagation Modeling and Analysis", In Proceedings of9-th
ACM Conference on Computer and Communication
Security(CCS), Washington DC, November 2002.
[10] Z. Chen, L. Gao, and K. Kwiat, "Modeling the Spread of
Active Worms", IEEE INFOCOM, 2003.
[11] Wei Yu, "Analyze the Worm-Based Attack in Large
Scale P2P Networks", In Proceedings of8th IEEE
International Symposium on High Assurance Systems
Engineering (HASE'04), 2004.
[12] Wei Yu, "Analyzing the performance of Internet worm
attack approaches", In Proceedings of 13th International
Conference on Computer ommunications and
Networks,2004.
[13] Wei Yu, Corey Boyer, Sriram Chellappan and Dong
Xuan, "Peer-to-Peer System-based Active Worm
Attacks:Modeling and Analysis", In Proceedings ofIEEE
International Conference on Communications (ICC), May
2005.
[14] M. Ripeanu. Peer-to-peer architecture case
study:Gnutella network. In Proceedings of the First
International Conference on Peer-to-Peer Computing,
Linkoping,Sweden, Aug. 2001.
[15] S. Sen and J.Wang. Analyzing peer-to-peer traffic across
large networks. IEEE/ACM Transactions on
Networking,12(2), Apr. 2004.