Models and Analysis of Active Worm Defense

Nicol, David M.; Liljenstam, Michael

doi:10.1007/11560326_4

David M. Nicol¹⁹ &
Michael Liljenstam¹⁹

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 3685))

Included in the following conference series:

International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security

871 Accesses
4 Citations

Abstract

The recent proliferation of Internet worms has raised questions about defensive measures. To date most techniques proposed are passive, in-so-far as they attempt to block or slow a worm, or detect and filter it. Active defenses take the battle to the worm—trying to eliminate or isolate infected hosts, and/or automatically and actively patch susceptible but as-yet-uninfected hosts, without the knowledge of the host’s owner. The concept of active defenses raises important legal and ethical questions that may have inhibited consideration for general use in the Internet. However, active defense may have immediate application when confined to dedicated networks owned by an enterprise or government agency. In this paper we model the behavior and effectiveness of different active worm defenses. Using a discrete stochastic model we prove that these approaches can be strongly ordered in terms of their worm-fighting capability. Using a continuous model we consider effectiveness in terms of the number of hosts that are protected from infection, the total network bandwidth consumed by the worms and the defenses, and the peak scanning rate the network endures while the worms and defenses battle. We develop optimality results, and quantitative bounds on defense performance. Our work lays a mathematical foundation for further work in analysis of active worm defense.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Chen, Z., Gao, L., Kwiat, K.: Modeling the spread of active worms. In: INFOCOM 2003 (2003)
Google Scholar
Cisco. Dealing with mallocfail and high cpu utilization resulting from the “code red” worm. (October 2001), http://www.cisco.com/warp/public/-63/ts_codred_worm.shtml
Daley, D.J., Gani, J.: Epidemic Modelling: An Introduction. Cambridge University Press, Cambridge (1999)
Google Scholar
Ferrie, P., Perriot, F., Sz or, P.: Worm wars. Virus Bulletin, http://www.virusbtn.com (October 2003), http://www.peterszor.com/welchia.pdf (last accessed October 01, 2003)
Liljenstam, M., Nicol, D., Berk, V., Gray, B.: Simulating realistic network worm traffic for worm warning system design and testing. In: Proc. of the First ACM Workshop on Rapid Malcode (WORM 2003) (October 2003)
Google Scholar
Moore, D., Shannon, C., Claffy, K.: Code-red: a case study on the spread and victims of an internet worm. In: Proc. of the Internet Measurement Workshop (IMW), Marseille, France. ACM Press, New York (2002)
Google Scholar
Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003) (April 2003)
Google Scholar
Nicol, D.M., Yan, G.: Simulation of network traffic at coarse time-scales. In: Proceedings of the 2005 Conference on Principles of Advanced and Distributed Simulation (2005)
Google Scholar
Ross, H.S.: Stochastic Processes. Wiley, New York (1983)
MATH Google Scholar
Staniford, S.: Code Red Analysis Pages: July infestation analysis (2001), http://www.silicondefense.com/cr/july.html
Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time. In: Proc. of the USENIX Security Symposium (2002), http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html
Zou, C., Gao, L., Gong, W., Towsley, D.: Code red worm propagation modeling and analysis. In: 9th ACM Conference on Computer and Communication Security (CCS), Washington DC (November 2002)
Google Scholar
Zou, C., Gao, L., Gong, W., Towsley, D.: Monitoring and early warning for internet worms. In: Proceedings of 10th ACM Conference on Computer and Communication Security (CCS 2003) (2003)
Google Scholar
Zou, C., Gong, W., Towsley, D.: Worm propagation modeling and analysis. In: Proceedings of the First ACM Workshop on Rapid Malcode (WORM) (2003)
Google Scholar

Download references

Author information

Authors and Affiliations

University of Illinois, Urbana, IL, 61801, USA
David M. Nicol & Michael Liljenstam

Authors

David M. Nicol
View author publications
You can also search for this author in PubMed Google Scholar
Michael Liljenstam
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

St. Petersburg Intitute for Informaticsand Automation, 39, 14-th Liniya, 199178, St. Petersburg, Russia
Vladimir Gorodetsky
Computer Security Research Group, St. Petersburg Institute for Informatics and Automation, 39, 14 Liniya, 199178, St.-Petersburg, Russia
Igor Kotenko
US Air Force, Binghamton University (SUNYI), 13902, Binghamton, NY, USA
Victor Skormin

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Nicol, D.M., Liljenstam, M. (2005). Models and Analysis of Active Worm Defense. In: Gorodetsky, V., Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2005. Lecture Notes in Computer Science, vol 3685. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11560326_4

Download citation

DOI: https://doi.org/10.1007/11560326_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29113-8
Online ISBN: 978-3-540-31998-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics