well modeled through the logistic equation [10]. This model and the equivalent
simple epidemic model from the epidemic modeling literature (see e.g. [3]) have
since been used in several studies [11,6,7,5,13,14]. [12] proposed a model to take
removals into account (based on the general epidemic model) and [1] proposed
a discrete time model.
Our work is unique in considering a wide space of defensive capabilities, and
in sample path comparison of them. It is most similar in spirit to [7,1,14] as we
use epidemic models to evaluate proposed worm counter-measures. We extend
simple epidemic models to consider the interaction of worms and counter-worms
and other “active” counter-measures.
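As an added illustration of the simple epidemic (logistic) model this paragraph builds on, and of the first active-defense capability discussed later on this page (patching uninfected hosts), here is a small Python model that is not from the paper: it compares the closed-form logistic curve with a discrete-time mean-field version of the same model, and shows how a constant per-step patching rate caps the outbreak. All parameter values (host population N, scans per step, address space, patch rate) are constructed for illustration and are not Code Red v2 measurements.

```python
"""Simple epidemic (logistic) worm model in discrete time, with an optional
patching defense. Constructed example: this is not the paper's model or code,
and every parameter value below is illustrative, not a Code Red v2 measurement."""
import math


def logistic(N, I0, r, t):
    """Closed-form solution of the logistic equation dI/dt = r*I*(1 - I/N):
    the continuous-time simple epidemic (SI) model with N vulnerable hosts,
    I0 initially infected and per-host growth rate r."""
    return N / (1.0 + (N - I0) / I0 * math.exp(-r * t))


def simulate(N, I0, scans_per_step, address_space, steps, patch_rate=0.0):
    """Discrete-time, mean-field (expected-value) version of the same model.

    Each infected host sends scans_per_step probes per step to uniformly random
    addresses; a probe hits a susceptible host with probability S/address_space.
    With patch_rate > 0 a fixed fraction of the remaining susceptible hosts is
    patched (moved to P) every step, a stand-in for "patching uninfected hosts".
    Returns a list of (t, S, I, P) tuples, one per step.
    """
    S, I, P = float(N - I0), float(I0), 0.0
    history = [(0, S, I, P)]
    for t in range(1, steps + 1):
        expected_hits = I * scans_per_step * (S / address_space)
        new_inf = min(S, expected_hits)  # cannot infect more hosts than remain
        S -= new_inf
        I += new_inf
        patched = patch_rate * S         # defense acts on still-uninfected hosts
        S -= patched
        P += patched
        history.append((t, S, I, P))
    return history


def final_infected(history):
    """Number of infected hosts at the end of the run."""
    return history[-1][2]


def infected_at(history, t):
    """Number of infected hosts after step t."""
    return history[t][2]


def peak_growth_step(history):
    """Step at which the worm gained the most new hosts (the logistic inflection)."""
    best_t, best_gain = 0, -1.0
    for (_, _, i0, _), (t1, _, i1, _) in zip(history, history[1:]):
        if i1 - i0 > best_gain:
            best_t, best_gain = t1, i1 - i0
    return best_t


if __name__ == "__main__":
    # Constructed parameters: 1% of a 1M-address space is vulnerable, 2 scans/step.
    N, I0, SCANS, A, STEPS = 10_000, 10, 2, 1_000_000, 1_000
    r = SCANS * N / A                      # logistic growth rate per step
    t_half = math.log((N - I0) / I0) / r   # continuous model reaches N/2 here
    base = simulate(N, I0, SCANS, A, STEPS)
    defended = simulate(N, I0, SCANS, A, STEPS, patch_rate=0.01)
    print(f"logistic reaches N/2 at t={t_half:.1f}; "
          f"discrete model grows fastest at t={peak_growth_step(base)}")
    print(f"no defense: {final_infected(base):.0f} infected; "
          f"patching 1%/step: {final_infected(defended):.0f} infected")
```

Without defense the discrete model saturates at essentially all N hosts and its fastest growth falls near I = N/2, matching the inflection of the closed-form logistic curve; with a modest per-step patching rate the susceptible pool drains faster than the worm can exploit it and the outbreak stalls at a few dozen hosts. Changing the ordering of the patch and infection updates, or sampling hits from a binomial distribution instead of using expected values, is the natural next refinement toward a stochastic model.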
For the purpose of illustration the experimental portion of our paper uses
parameters reflective of the Code Red v2 worm, released in July 2001. It is
important to remember that as far as the mathematics goes, time-scale is irrelevant.
Having said that, it is true that very fast worms have had their propagation
shaped by the impact they have on the network infrastructure, and the simple
mathematical models we develop would not apply.
We focus on worms that spread autonomously by probing other systems for
vulnerabilities that can be exploited to propagate from one machine to another.
This class of worms captures the essence of the rapidly spreading large-scale
infestations seen to date, such as Code Red v2, Code Red II, and Nimda in
2001, and Slammer, Blaster, and Welchia in 2003. Thus, we deliberately exclude
most typical email-borne viruses that require a user action to enable infection.
In contrast, worms such as Slammer have proven that the time-scales involved
for fast moving autonomously propagating worms can be so short that human
intervention to stop them is impossible. Consequently, this class of worms poses
a substantial threat and motivates the development of automated defensive
mechanisms, such as those we consider in this paper.
In the wake of one worm attack (Blaster), a counter-worm (Welchia) was
launched that sought hosts infected by Blaster, attempted to patch them, and
used them to find other infected hosts. Whatever the intentions of the authors
might have been, Welchia had consequences as bad or worse than Blaster—it was
harder to get rid of, and effectively created a denial-of-service attack on patch
servers, so that people trying manually to protect their systems had a harder
time doing so. This raises the question of the effectiveness and impact
that an “active defense” might have. We examine this question agnostically and
without overt consideration of the legal and ethical issues raised by wide-spread
active defense. It is enough for us that an organization as large as the United
States Department of Defense could mandate such measures on its own gargantuan
networks; we seek to understand the power and the limitations of active
defense deployment, should they be deployed. Our approach is analytic. We con-
sider four aspects of active defense—patching uninfected hosts, increasing the
active defense population by using uninfected hosts that are susceptible to the
worm, suppression of infected hosts discovered through scans, and suppression of
infected hosts discovered through scans and traffic analysis. Using a very general
discrete stochastic model, we show that adding each capability (in that order)