rare. The vulnerabilities that worms exploit are more typically announced when
discovered, often with patches available. More often than not the patch code
reveals details worm writers use to target as-yet unpatched systems. It is not
unreasonable to suppose then that patching defense code could be crafted along
with the patch. A reason for not releasing the patching defense in anticipation of
a worm is that the release would contain the code to exploit the vulnerability,
with no work or further cleverness needed by a worm-writer. A patching defense
must be coupled with a worm-detection mechanism, such as those proposed in [5,13].
One could increase the presence of the active defense by increasing the
number of hosts running the patching logic. So we define a spreading patch defense
as one where, when an uninfected susceptible host is scanned, it is endowed with
a counter-worm that both patches, and scans. While the number of patching
hosts remains constant in a simple patching defense, it grows in a spreading
patch defense. Such a mechanism has been seen in the wild [4].
A third presumed defensive capability is worm suppression. Suppose that
when a patching host scans an infected host it is able to identify the host
as infected, and to suppress the infecting scans from being seen elsewhere,
thereafter—it is able to nullify the infected host. For example, the
spreading-patch worm might have an ability to cause the infection traffic to be
filtered by a nearby router; another way might be if every machine in an
organization had a “lock”, such that when the proper “key” is applied, some or
all of that machine's external communication is inhibited—an organization's
active defense posture would include selective suppression of machines thought
to be infected. For our purposes, the important thing is that the infected host
be discovered by a scan, and that thereafter it is no longer a source of
infection. We call this a nullifying defense.
A fourth presumed defensive capability takes advantage of the fact that some
attacks are complex enough to require that the attacking host use its legitimate
IP address as source in its packets (and we may anticipate that in the future
the ability to spoof source addresses will become much diminished, through
more active router verification procedures). Because of this, a patching host that
receives a scan from an infected host could turn around and nullify the infection.
In this sniper defense one expects that infected hosts diminish in number faster
than when they are discovered merely by scans.
2.2 Metrics
There are different ways of assessing an active defense. When host integrity is
paramount, an appropriate metric is the number of hosts infected by the worm.
We define $I(D,t)$ to be the cumulative number of hosts infected by time $t$
under defense $D$. This metric is a random variable; we will say that $D_i$ is
more powerful than $D_j$ if for all $t > 0$ and $n > 0$,
$$\Pr\{I(D_i,t) > n\} \le \Pr\{I(D_j,t) > n\}.$$
When this relationship holds we say that the distribution (with respect to
randomness due to sampling) of $I(D_j,t)$ is stochastically larger than
$I(D_i,t)$ [9],
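As an added example (not code from the paper, and not the paper's own simulation model), the following Python script puts the four defensive capabilities described above (simple patching, spreading patch, nullifying, sniper) and the $I(D,t)$ metric into a small Monte Carlo model, and applies the stochastic-ordering test from the definition to the sampled trajectories. Everything about the worm dynamics is an assumption of this example, not something the text states: time is discrete, every address in the scanned space is a host, and each infected or active patching host scans one uniformly random address per step. The defense names `none`, `patch`, `spread`, `nullify` and `sniper`, the host counts, replication counts and seeds are all arbitrary choices.

```python
"""
Monte Carlo model of the four active defenses (simple patching, spreading
patch, nullifying, sniper), the metric I(D, t) and the stochastic-ordering
comparison "D_i is more powerful than D_j".

Added example, not the paper's model. Assumptions (mine): discrete time; every
address in the space is a host; each infected or patching host scans one
uniformly random address per time step.
"""
import random
import statistics

SUSCEPTIBLE, INFECTED, PATCHED, PATCHING, NULLIFIED = range(5)
DEFENSES = ("none", "patch", "spread", "nullify", "sniper")


def simulate(defense, n_hosts, n_patching, steps, rng=None, n_infected=1):
    """Return one sampled trajectory [I(D,0), I(D,1), ..., I(D,steps)].

    I(D,t) is the cumulative number of hosts ever infected by time t.
    Hosts 0..n_infected-1 start infected; the next n_patching hosts start as
    active patching hosts (under defense "none" they stay ordinary susceptible
    hosts, so the worm faces the same population size in every case).
    """
    rng = random.Random(0) if rng is None else rng
    state = [SUSCEPTIBLE] * n_hosts
    for h in range(n_infected):
        state[h] = INFECTED
    if defense != "none":
        for h in range(n_infected, n_infected + n_patching):
            state[h] = PATCHING
    ever_infected = n_infected
    trajectory = [ever_infected]

    for _ in range(steps):
        # Scans issued this step come from hosts active at the start of the step;
        # hosts infected or recruited during the step scan from the next step on.
        scanners = [(h, s) for h, s in enumerate(state) if s in (INFECTED, PATCHING)]
        rng.shuffle(scanners)  # no fixed precedence between worm and defense scans
        for src, kind in scanners:
            if state[src] != kind:
                continue  # an infected host nullified earlier in this step no longer scans
            dst = rng.randrange(n_hosts)
            if dst == src:
                continue
            if kind == INFECTED:
                if state[dst] == SUSCEPTIBLE:
                    state[dst] = INFECTED
                    ever_infected += 1
                elif state[dst] == PATCHING and defense == "sniper":
                    # Sniper defense: the scan's (unspoofed) source address identifies
                    # the infected host and the patching host nullifies it.
                    state[src] = NULLIFIED
            else:  # kind == PATCHING
                if state[dst] == SUSCEPTIBLE:
                    # Simple patching only patches; the spreading patch (and the
                    # defenses built on it) also turns the host into a scanner.
                    state[dst] = PATCHED if defense == "patch" else PATCHING
                elif state[dst] == INFECTED and defense in ("nullify", "sniper"):
                    # Nullifying defense: an infected host discovered by a scan is
                    # thereafter no longer a source of infection.
                    state[dst] = NULLIFIED
        trajectory.append(ever_infected)
    return trajectory


def tail_probability(samples, n):
    """Empirical Pr{I > n} from a list of sampled values of I(D,t)."""
    return sum(1 for x in samples if x > n) / len(samples)


def stochastically_larger(samples_j, samples_i):
    """True if the empirical distribution of samples_j is stochastically larger
    than that of samples_i, i.e. Pr{I_i > n} <= Pr{I_j > n} for every n >= 0."""
    for n in range(max(samples_i + samples_j) + 1):
        if tail_probability(samples_i, n) > tail_probability(samples_j, n):
            return False
    return True


def compare_defenses(defense_i, defense_j, n_hosts=300, n_patching=30,
                     steps=80, reps=20, seed=1):
    """Estimate whether D_i is more powerful than D_j in the text's sense:
    for all t > 0 and n > 0, Pr{I(D_i,t) > n} <= Pr{I(D_j,t) > n}.
    Returns (ordering_holds_for_all_t, mean final I under D_i, mean final I under D_j)."""
    rng = random.Random(seed)
    runs_i = [simulate(defense_i, n_hosts, n_patching, steps, rng) for _ in range(reps)]
    runs_j = [simulate(defense_j, n_hosts, n_patching, steps, rng) for _ in range(reps)]
    holds = all(
        stochastically_larger([r[t] for r in runs_j], [r[t] for r in runs_i])
        for t in range(1, steps + 1)
    )
    mean_i = statistics.fmean(r[-1] for r in runs_i)
    mean_j = statistics.fmean(r[-1] for r in runs_j)
    return holds, mean_i, mean_j


if __name__ == "__main__":
    pairs = [("patch", "none"), ("spread", "patch"), ("nullify", "spread"), ("sniper", "nullify")]
    for d_i, d_j in pairs:
        holds, m_i, m_j = compare_defenses(d_i, d_j)
        print(f"{d_i:>8} vs {d_j:<8} ordering holds for all t: {str(holds):5}  "
              f"mean I(D,T): {m_i:6.1f} vs {m_j:6.1f}")
```

The ordering is checked on empirical tail probabilities, so with few replications it can fail at some $(t,n)$ purely from sampling noise even when the true ordering holds; `reps` should be raised before a `False` is read as evidence that one defense is not more powerful than another. Note that in this model the sniper defense differs from the nullifying one only in which scan direction triggers nullification, which is exactly the unspoofed-source-address assumption the text makes.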