Abstract
The recent proliferation of Internet worms has raised questions about defensive measures. To date most techniques proposed are passive, in-so-far as they attempt to block or slow a worm, or detect and filter it. Active defenses take the battle to the worm—trying to eliminate or isolate infected hosts, and/or automatically and actively patch susceptible but as-yet-uninfected hosts, without the knowledge of the host’s owner. The concept of active defenses raises important legal and ethical questions that may have inhibited consideration for general use in the Internet. However, active defense may have immediate application when confined to dedicated networks owned by an enterprise or government agency. In this paper we model the behavior and effectiveness of different active worm defenses. Using a discrete stochastic model we prove that these approaches can be strongly ordered in terms of their worm-fighting capability. Using a continuous model we consider effectiveness in terms of the number of hosts that are protected from infection, the total network bandwidth consumed by the worms and the defenses, and the peak scanning rate the network endures while the worms and defenses battle. We develop optimality results, and quantitative bounds on defense performance. Our work lays a mathematical foundation for further work in analysis of active worm defense.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Chen, Z., Gao, L., Kwiat, K.: Modeling the spread of active worms. In: INFOCOM 2003 (2003)
Cisco. Dealing with mallocfail and high cpu utilization resulting from the “code red” worm. (October 2001), http://www.cisco.com/warp/public/-63/ts_codred_worm.shtml
Daley, D.J., Gani, J.: Epidemic Modelling: An Introduction. Cambridge University Press, Cambridge (1999)
Ferrie, P., Perriot, F., Sz or, P.: Worm wars. Virus Bulletin, http://www.virusbtn.com (October 2003), http://www.peterszor.com/welchia.pdf (last accessed October 01, 2003)
Liljenstam, M., Nicol, D., Berk, V., Gray, B.: Simulating realistic network worm traffic for worm warning system design and testing. In: Proc. of the First ACM Workshop on Rapid Malcode (WORM 2003) (October 2003)
Moore, D., Shannon, C., Claffy, K.: Code-red: a case study on the spread and victims of an internet worm. In: Proc. of the Internet Measurement Workshop (IMW), Marseille, France. ACM Press, New York (2002)
Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003) (April 2003)
Nicol, D.M., Yan, G.: Simulation of network traffic at coarse time-scales. In: Proceedings of the 2005 Conference on Principles of Advanced and Distributed Simulation (2005)
Ross, H.S.: Stochastic Processes. Wiley, New York (1983)
Staniford, S.: Code Red Analysis Pages: July infestation analysis (2001), http://www.silicondefense.com/cr/july.html
Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time. In: Proc. of the USENIX Security Symposium (2002), http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html
Zou, C., Gao, L., Gong, W., Towsley, D.: Code red worm propagation modeling and analysis. In: 9th ACM Conference on Computer and Communication Security (CCS), Washington DC (November 2002)
Zou, C., Gao, L., Gong, W., Towsley, D.: Monitoring and early warning for internet worms. In: Proceedings of 10th ACM Conference on Computer and Communication Security (CCS 2003) (2003)
Zou, C., Gong, W., Towsley, D.: Worm propagation modeling and analysis. In: Proceedings of the First ACM Workshop on Rapid Malcode (WORM) (2003)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nicol, D.M., Liljenstam, M. (2005). Models and Analysis of Active Worm Defense. In: Gorodetsky, V., Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2005. Lecture Notes in Computer Science, vol 3685. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11560326_4
Download citation
DOI: https://doi.org/10.1007/11560326_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29113-8
Online ISBN: 978-3-540-31998-6
eBook Packages: Computer ScienceComputer Science (R0)