Models and analysis of active worm defense

Authors:
David M. Nicol;Michael Liljenstam
Affiliations:
University of Illinois, Urbana, IL;University of Illinois, Urbana, IL
Venue:
MMM-ACNS'05 Proceedings of the Third international conference on Mathematical Methods, Models, and Architectures for Computer Network Security
Year:
2005

Citing 7
Cited 5

Code red worm propagation modeling and analysis

Proceedings of the 9th ACM conference on Computer and communications security
Code-Red: a case study on the spread and victims of an internet worm

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Monitoring and early warning for internet worms

Proceedings of the 10th ACM conference on Computer and communications security
Simulating realistic network worm traffic for worm warning system design and testing

Proceedings of the 2003 ACM workshop on Rapid malcode
Worm propagation modeling and analysis under dynamic quarantine defense

Proceedings of the 2003 ACM workshop on Rapid malcode
Simulation of Network Traffic at Coarse Timescales

Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation

On the performance evaluation and prediction of encounter-based worm interactions based on node characteristics

Proceedings of the second ACM workshop on Challenged networks
Encounter-based worms: Analysis and defense

Ad Hoc Networks
Containment of misinformation spread in online social networks

Proceedings of the 3rd Annual ACM Web Science Conference
Analysis of misinformation containment in online social networks

Computer Networks: The International Journal of Computer and Telecommunications Networking
A cutting-plane algorithm for solving a weighted influence interdiction problem

Computational Optimization and Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

The recent proliferation of Internet worms has raised questions about defensive measures. To date most techniques proposed are passive, in-so-far as they attempt to block or slow a worm, or detect and filter it. Active defenses take the battle to the worm—trying to eliminate or isolate infected hosts, and/or automatically and actively patch susceptible but as-yet-uninfected hosts, without the knowledge of the host's owner. The concept of active defenses raises important legal and ethical questions that may have inhibited consideration for general use in the Internet. However, active defense may have immediate application when confined to dedicated networks owned by an enterprise or government agency. In this paper we model the behavior and effectiveness of different active worm defenses. Using a discrete stochastic model we prove that these approaches can be strongly ordered in terms of their worm-fighting capability. Using a continuous model we consider effectiveness in terms of the number of hosts that are protected from infection, the total network bandwidth consumed by the worms and the defenses, and the peak scanning rate the network endures while the worms and defenses battle. We develop optimality results, and quantitative bounds on defense performance. Our work lays a mathematical foundation for further work in analysis of active worm defense.