Models and Analysis of Active Worm Defense
David M. Nicol and Michael Liljenstam
University of Illinois, Urbana, IL 61801
dmnicol@uiuc.edu
http://www.project-moses.net
Abstract. The recent proliferation of Internet worms has raised questions about defensive measures. To date most techniques proposed are passive, in-so-far as they attempt to block or slow a worm, or detect and filter it. Active defenses take the battle to the worm—trying to eliminate or isolate infected hosts, and/or automatically and actively patch susceptible but as-yet-uninfected hosts, without the knowledge of the host's owner. The concept of active defenses raises important legal and ethical questions that may have inhibited consideration for general use in the Internet. However, active defense may have immediate application when confined to dedicated networks owned by an enterprise or government agency. In this paper we model the behavior and effectiveness of different active worm defenses. Using a discrete stochastic model we prove that these approaches can be strongly ordered in terms of their worm-fighting capability. Using a continuous model we consider effectiveness in terms of the number of hosts that are protected from infection, the total network bandwidth consumed by the worms and the defenses, and the peak scanning rate the network endures while the worms and defenses battle. We develop optimality results, and quantitative bounds on defense performance. Our work lays a mathematical foundation for further work in analysis of active worm defense.
1 Introduction
A computer worm is so called because it has a life of its own. Once burrowed into a susceptible system, it attempts to propagate through the network. The usual means is through “scans”: it attempts to connect to and infiltrate other hosts throughout the network. Worms interfere with normal use of computers, and exact an economic cost of eradicating them and repairing systems infected by them. Worms have the potential to wreak havoc on the systems they infect, and on the networks they traverse. This potential has been realized already, several times.
The large-scale worm infestations in recent years have triggered several efforts to model worm spread in order to understand how the low-level factors in the propagation mechanism translate into macroscopic behavior, assess threat levels of different worms, and evaluate the effectiveness of detection methods and proposed counter-measures. Staniford appears to have been the first to recognize that the macroscopic propagation of the Code Red v2 worm could be