
Worm Versus Alert: Who Wins in a Battle for Control of a Large-Scale Network?

  • Conference paper
Principles of Distributed Systems (OPODIS 2007)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 4878)

Abstract

Consider the following game between a worm and an alert over a network of n nodes. Initially, no nodes are infected or alerted and each node in the network is a special detector node independently with small but constant probability. The game starts with a single node becoming infected. In every round thereafter, every infected node sends out a constant number of worms to other nodes in the population, and every alerted node sends out a constant number of alerts. Nodes in the network change state according to the following four rules: 1) If a worm is received by a node that is not a detector and is not alerted, that node becomes infected; 2) If a worm is received by a node that is a detector, that node becomes alerted; 3) If an alert is received by a node that is not infected, that node becomes alerted; 4) If a worm or an alert is received by a node that is already infected or already alerted, then there is no change in the state of that node.

We make two assumptions about this game. First, an infected node can send worm messages to any other node in the network but, in contrast, an alerted node can send alert messages only through a previously determined, constant-degree overlay network. Second, we assume that the infected nodes are intelligent, coordinated and essentially omniscient. In other words, the infected nodes know everything except which nodes are detectors and the alerted nodes’ random coin flips; that is, they know the topology of the overlay network used by the alerts; which nodes are alerted and which are infected at any time; where alerts and worms are being sent; the overall strategy used by the alerted nodes; etc. The alerted nodes are assumed to know nothing about which other nodes are infected or alerted, where alerts or worms are being sent, or the strategy used by the infected nodes.

Is there a strategy for the alerted nodes that ensures only a vanishingly small fraction of the nodes become infected, no matter what strategy is used by the infected nodes? Surprisingly, the answer is yes. In particular, we prove that a simple strategy achieves this result with probability approaching 1 provided that the overlay network has good node expansion. Specifically, this result holds if d ≥ α and \(\frac{\alpha}{\beta(1-\gamma)} > \frac{2d}{c}\), where α and β represent the rate of the spread of the alert and worm respectively; γ is the probability that a node is a detector node; d is the degree of the overlay network; and c is the node expansion of the overlay network. Next, we give empirical results that suggest that our algorithms for the alert may be useful in current large-scale networks. Finally, we show that if the overlay network has poor expansion, in particular if (1 − γ)β > d, then the worm will likely infect almost all of the non-detector nodes.
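The game above can be simulated directly; the following Python sketch is an added example, not code from the paper, and it applies the four state rules round by round. It assumes a weaker adversary than the paper's (the worm picks uniformly random targets instead of playing an omniscient strategy), an alert strategy of sending to α random overlay neighbors, an overlay built from random permutations, and that a worm and an alert arriving at the same node in the same round resolve in the worm's favor; the paper's own strategies and the expansion constant c are not reproduced here.

```python
import random

SUSCEPTIBLE, INFECTED, ALERTED = 0, 1, 2

def build_overlay(n, d, rng):
    """Assumed overlay: union of d//2 random permutations (degree-d multigraph, d even)."""
    nbrs = [[] for _ in range(n)]
    for _ in range(d // 2):
        perm = list(range(n))
        rng.shuffle(perm)
        for u, v in enumerate(perm):
            nbrs[u].append(v)
            nbrs[v].append(u)
    return nbrs

def simulate(n, alpha, beta, gamma, d, seed=0, max_rounds=200):
    """Return the fraction of all n nodes that end up infected."""
    rng = random.Random(seed)
    nbrs = build_overlay(n, d, rng)
    detector = [rng.random() < gamma for _ in range(n)]
    state = [SUSCEPTIBLE] * n
    # The game starts with a single infected node; pick a non-detector.
    state[next(i for i in range(n) if not detector[i])] = INFECTED
    for _ in range(max_rounds):
        worms, alerts = set(), set()
        for u in range(n):
            if state[u] == INFECTED:      # assumption: uniform random worm targets
                worms.update(rng.randrange(n) for _ in range(beta))
            elif state[u] == ALERTED:     # assumption: alpha random overlay neighbors
                alerts.update(rng.sample(nbrs[u], alpha))
        for v in worms:                   # worms applied first: ties go to the worm
            if state[v] == SUSCEPTIBLE:   # rule 4: infected/alerted nodes never change
                state[v] = ALERTED if detector[v] else INFECTED  # rules 2 and 1
        for v in alerts:
            if state[v] == SUSCEPTIBLE:   # rule 3
                state[v] = ALERTED
        if SUSCEPTIBLE not in state:
            break
    return state.count(INFECTED) / n

if __name__ == "__main__":
    n, gamma = 20000, 0.1                 # constructed parameters
    print("alpha=8, beta=1, d=8:", simulate(n, 8, 1, gamma, 8))
    print("alpha=2, beta=3, d=2:", simulate(n, 2, 3, gamma, 2))
```

The second parameter set satisfies the abstract's poor-expansion condition (1 − γ)β > d, since 0.9 · 3 = 2.7 > 2, so the alert can only creep along cycles while the worm grows geometrically.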




Editor information

Eduardo Tovar Philippas Tsigas Hacène Fouchal


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Aspnes, J., Rustagi, N., Saia, J. (2007). Worm Versus Alert: Who Wins in a Battle for Control of a Large-Scale Network?. In: Tovar, E., Tsigas, P., Fouchal, H. (eds) Principles of Distributed Systems. OPODIS 2007. Lecture Notes in Computer Science, vol 4878. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77096-1_32


  • DOI: https://doi.org/10.1007/978-3-540-77096-1_32

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77095-4

  • Online ISBN: 978-3-540-77096-1

  • eBook Packages: Computer Science, Computer Science (R0)
