scan described in the sets $\{I_i\}$ and $\{C_i\}$ whose target was susceptible at time 0. The edge is directed from the source of the scan to the target; an edge will be called an infection edge or countering edge, depending on whether it comes from an infection or counter-worm sequence, respectively. The node for host $h_i$ will have values $S(h_i)$ recording the earliest time it was scanned by an infected host, and $C(h_i)$ recording the earliest time it was scanned by a host running a counter-worm. Some of the edges are labeled with the time of the scan—these edges are particularly important in our analysis. The values of $S(h_i)$ and $C(h_i)$, the edges labeled and the values of those labels all depend on the particular defense. However, common to those defenses are the following rules:
- All hosts assumed to be already infected at time 0 label each of their edges with the corresponding scan time;
- all hosts that are used to start the counter-worm label each of their edges with $T_0$ plus the corresponding scan time offset contained in the scan sequence.
The SPGs of the different defenses differ as follows:
Empty Defense ($D_0$)
1. The node for host $h_i$ defines $S(h_i)$ to be the smallest label among all labeled infection edges directed to it; $S(h_i) =$ if no such edge exists.
2. A host $h_i$ labels the infection edge corresponding to the $j$th element of $I_i$ (say, $(s_j, dst_j)$) with value $S(h_i) + s_j$, $j = 1, 2, \cdots$.
The difference between the simple patch defense and the empty defense is
that susceptible hosts are protected from infection if they are touched by a
countering scan before being touched by an infection scan.
Simple Patch ($D_1$)
1. Item (1) from the Empty Defense rules.
2. The node for host $h_i$ defines $C(h_i)$ to be the smallest label among all labeled countering edges directed to it; $C(h_i) =$ if no such edge exists.
3. If $S(h_i) < C(h_i)$ the node labels the infection edge corresponding to the $j$th element of $I_i$ (say, $(s_j, dst_j)$) with value $S(h_i) + s_j$, $j = 1, 2, \cdots$.
4. If $C(h_i) < S(h_i)$ the node does not label any of its edges.
The difference between a spreading patch defense and a simple patch one is
that a host that receives a countering scan before any infection scan becomes
host to counter-worm software, and generates its own countering scans.
Spreading Patch ($D_2$)
1. Item (1) from the Empty Defense rules, and items (2) and (3) from the Simple Patch rules.
2. If $C(h_i) < S(h_i)$ the node labels the countering edge corresponding to the $j$th element of $C_i$ (say, $(s_j, dst_j)$) with value $C(h_i) + s_j$, $j = 1, 2, \cdots$.
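The three rule sets above can be evaluated in one pass that processes labeled edges in increasing label order. The following Python sketch is an added example, not code from the original text; the function names, the sample hosts, non-negative scan offsets, treating counter-worm starter hosts as not susceptible at time 0, and letting the infection win when $S(h_i) = C(h_i)$ are all assumptions.

```python
import heapq
from math import inf

def spg_times(defense, I, C, infected0, starters=(), T0=0.0):
    """S(h) and C(h) for defense 0 (empty), 1 (simple patch), 2 (spreading patch).
    I[h] / C[h] are host h's scan sequences as (offset s_j, dst_j) pairs.
    A host missing from a returned dict was never reached by that kind of scan."""
    if defense == 0:
        starters = ()                        # empty defense: no counter-worm
    fixed = set(infected0) | set(starters)   # assumed not susceptible at time 0
    S, Ct, heap = {}, {}, []                 # heap holds labeled edges

    def label_edges(seqs, host, base, kind):
        for s_j, dst in seqs.get(host, []):
            if dst not in fixed:             # SPG only has edges to susceptible targets
                heapq.heappush(heap, (base + s_j, kind, dst))

    for h in infected0:
        label_edges(I, h, 0.0, 0)            # kind 0: infection edge, label = scan time
    for h in starters:
        label_edges(C, h, T0, 1)             # kind 1: countering edge, label = T0 + offset

    while heap:
        t, kind, h = heapq.heappop(heap)     # smallest label first
        times = S if kind == 0 else Ct
        if h in times:
            continue                         # a smaller label already defined S or C
        first_touch = h not in S and h not in Ct
        times[h] = t
        if first_touch and kind == 0:
            label_edges(I, h, t, 0)          # S(h) < C(h): label with S(h) + s_j
        elif first_touch and defense == 2:
            label_edges(C, h, t, 1)          # C(h) < S(h): label with C(h) + s_j
    return S, Ct

def infected(S, Ct):
    # Assumption: the page leaves S(h) == C(h) undefined; here infection wins ties.
    return {h for h, t in S.items() if t <= Ct.get(h, inf)}

# Constructed sample: host a infected at time 0, host p starts the counter-worm at T0 = 1.
I_SEQ = {"a": [(1, "b"), (3, "c")], "b": [(2, "d")], "c": [(1, "d")]}
C_SEQ = {"p": [(1, "c"), (4, "b")], "c": [(0.5, "d")]}

if __name__ == "__main__":
    for d in (0, 1, 2):
        S, Ct = spg_times(d, I_SEQ, C_SEQ, {"a"}, {"p"}, T0=1)
        print(f"D{d}: S={S} C={Ct} infected={sorted(infected(S, Ct))}")
```

On the constructed sample the set of newly infected hosts shrinks from three under the empty defense to two under the simple patch and one under the spreading patch.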