denoted $I(D_j,t) \geq_{st} I(D_i,t)$. $D_i$ is more powerful in the sense that it does a better job at preventing susceptible hosts from becoming infected. This stochastic ordering is strong in its implications. It is known that if $X \geq_{st} Y$ and $f$ is any increasing function, then $E[f(X)] \geq E[f(Y)]$. This has bearing then for any system metric that depends monotonically on infection counts, e.g., the probability of system failure would likely be monotone increasing in the number of infected hosts.
An active defense may increase the overall scanning activity on the network, and there is evidence that intense scanning can harm the network [2]. When network health is the principal concern, then measures of scanning history and/or scanning intensity are appropriate. If $\lambda(D,t)$ denotes the scanning rate due to both worm and defense $D$, then we assess a defense in terms of its peak scanning rates over some interval $[0,t]$:

$$\max_{0<s<t} \{ \lambda(D,s) \}$$

We might also assess it through its aggregate scanning rates (the space-time product) over some interval $[0,t]$:

$$\int_0^t \lambda(D,s)\,ds.$$
3 Ordering of Defenses
Intuition suggests that the four active defenses (five, if we include the empty defense) we've outlined might be ordered in terms of power. We now show that this is exactly the case. In the comparisons made, we use the Common Sample Path assumption, that once a host is infected (or takes on the counter-worm), its scanning behavior is completely determined by a random number stream that is independent of any other. When we compare two defenses, we assume that a host uses that same stream in both systems, which allows us to compare the two systems on commonly constructed sample paths. The implication is that once a host is infected (or starts to run a counter-worm), its sequence of inter-scan delays is the same in both systems, and the pattern of hosts scanned is the same in both systems. Thus, if the two systems cause a host to be infected at the same instant, on the sample paths being compared that host will scan exactly the same hosts at exactly the same time, in both systems.
The results to follow are based on a construction we call the Sample Path
Graph (SPG). For every susceptible host $h_i$ let $I_i$ be a sequence of pairs $(t_i, dst_i)$
identifying the time since the host started infection scanning, and a destination
$dst_i$. $I_i$ is ordered by increasing values of $t_i$. We define $C_i$ similarly,
describing the scanning pattern once a host starts running a counter-worm. We
construct a graph whose nodes represent hosts that are assumed to be infected
already at time 0 (and which have scanning sequences), nodes representing hosts
that eventually start counter-worm scans (with their own scanning sequences),
and susceptible hosts. The graph contains a directed edge for every potential
of a scan.
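
The common-sample-path comparison above, as an added Python example (not code from the original text): each host draws its scan sequence from its own seeded stream, infection times are shortest paths over the resulting scan edges, and the empty defense is compared with a hypothetical defense that patches a fixed set of hosts before time 0. Function names, host and scan counts, and the exponential inter-scan delays are assumptions.

```python
import heapq
import random

def scan_sequence(host, n_hosts, n_scans=40, seed=2024):
    """I_i: (time since infection, destination) pairs from the host's own stream."""
    rng = random.Random(seed * 1_000_003 + host)  # per-host stream, independent of others
    t, seq = 0.0, []
    for _ in range(n_scans):
        t += rng.expovariate(1.0)                 # inter-scan delay (assumed exponential)
        seq.append((t, rng.randrange(n_hosts)))
    return seq

def infection_times(n_hosts, initial, patched=frozenset()):
    """Earliest infection time per host: shortest paths over the scan edges."""
    # Same seeds in every call, so both systems see the same sample path.
    seqs = [scan_sequence(h, n_hosts) for h in range(n_hosts)]
    times = {}
    heap = [(0.0, h) for h in initial if h not in patched]
    heapq.heapify(heap)
    while heap:
        t, h = heapq.heappop(heap)
        if h in times:
            continue                              # already infected at an earlier time
        times[h] = t
        for offset, dst in seqs[h]:               # offsets are relative to infection time
            if dst not in times and dst not in patched:
                heapq.heappush(heap, (t + offset, dst))
    return times

def infected_count(times, t):
    """I(D, t): number of hosts infected by time t on this sample path."""
    return sum(1 for ti in times.values() if ti <= t)

def dominated(n_hosts=200, initial=(0, 1), patched=frozenset(range(50, 100))):
    """Compare the empty defense with a hypothetical pre-patching defense."""
    empty = infection_times(n_hosts, initial)
    defended = infection_times(n_hosts, initial, patched)
    # Pathwise dominance: no host is infected earlier under the defense.
    later = all(defended[h] >= empty[h] for h in defended)
    return empty, defended, later

if __name__ == "__main__":
    empty, defended, later = dominated()
    for t in (1.0, 2.0, 5.0):
        print(t, infected_count(empty, t), infected_count(defended, t), later)
```

Because the inequality holds host by host on every coupled sample path, the infection counts are ordered at every time $t$, which is what the stochastic ordering requires.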