of the bandwidth devoted to scanning, the probability of network partition, and
so on. The stochastic ordering asserts that the expectation of each of these is
larger when we use a spreading patch defense than when we use no defense at
all.
4 Epidemic Models
We use a style of modeling based on well known models from the epidemic
modeling literature. In typical simple epidemic models we consider a fixed population
of N, where each individual is susceptible to infection, and each individual will,
at any given time, be in one of a small set of predefined states. For instance, in
the simple epidemic model [3] (aka the SI model and equivalent to the logistic
equation) an individual is either in state S (susceptible to infection) or I
(infected). We denote by s(t) and i(t) the number of individuals in state S and I
respectively at time t, and thus ∀t, s(t) + i(t) = N. For large enough populations,
the mean rate of state changes S → I can be modeled as:

$$\frac{ds(t)}{dt} = -\beta s(t) i(t)$$

$$\frac{di(t)}{dt} = \beta s(t) i(t)$$
where the constant β is the infection parameter, i.e. the pairwise rate of infection.
β reflects the aggregate scanning rate of an infected host, as well as the mean
probability of selecting a given address for an individual probe attempt. The
system boundary conditions are given by the number of initially susceptible
hosts s(0) and initially infected hosts i(0). This model rests on assumptions of
homogeneous mixing, which correspond well to a uniformly random scanning
worm spreading freely through a network, so in the following we will refer to
this as the Random Scanning Worm Model.
Other scanning strategies are possible. For instance, worms such as Code
Red II, Nimda, Blaster, and Welchia utilized preferential (rather than uniform)
scanning techniques where addresses close in the address space to the scanning
host's would be probed with higher probability. Other suggested possibilities
include a “Divide-and-Conquer” approach to probing the address space (see
“partitioned permutation scan” in [11]). Here each worm is assigned a disjoint
fraction of the address space to probe.
Other simple tricks for speeding up the propagation have been suggested,
such as the use of pre-compiled hit-lists or using inter-domain routing tables
to only scan routed space [14]. We can incorporate these into our framework;
hit-listed hosts can be made to be infected as a boundary condition, and use
of routing tables just increases β to reflect that the scanning is over a smaller
address space.
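
The SI model and the two adjustments just described (a hit-list as the boundary condition i(0), routed-space scanning as a larger β) can be compared numerically. The following is an added example, not code from the original text; the population size, scan rate, hit-list size and routed fraction are constructed values chosen only for illustration.

```python
import math

def beta(scan_rate, address_space):
    # Pairwise infection rate: probes per second times the chance that
    # one probe selects a given address.
    return scan_rate / address_space

def simulate_si(N, i0, b, t_end, dt=1.0):
    """Integrate ds/dt = -b*s*i, di/dt = b*s*i with RK4; return (s, i) at t_end."""
    s, i = float(N - i0), float(i0)
    for _ in range(int(round(t_end / dt))):
        k1 = b * s * i
        k2 = b * (s - dt * k1 / 2) * (i + dt * k1 / 2)
        k3 = b * (s - dt * k2 / 2) * (i + dt * k2 / 2)
        k4 = b * (s - dt * k3) * (i + dt * k3)
        step = dt * (k1 + 2 * k2 + 2 * k3 + k4) / 6
        s, i = s - step, i + step  # equal and opposite, so s + i stays N
    return s, i

def logistic_i(N, i0, b, t):
    """Closed-form solution of the SI model (the logistic equation)."""
    return N * i0 / (i0 + (N - i0) * math.exp(-b * N * t))

def time_to_fraction(N, i0, b, frac):
    """Seconds until a fraction frac of the N hosts is infected (closed form)."""
    return math.log(frac * (N - i0) / ((1 - frac) * i0)) / (b * N)

# Constructed parameters, not taken from the text.
N = 100_000                        # vulnerable population
SCAN_RATE = 100.0                  # probes per second per infected host
FULL_SPACE = 2 ** 32               # whole IPv4 address space
ROUTED_SPACE = 0.3 * FULL_SPACE    # assumed routed fraction of that space

# name -> (initially infected hosts i(0), infection parameter beta)
SCENARIOS = {
    "uniform scan, 1 seed": (1, beta(SCAN_RATE, FULL_SPACE)),
    "hit-list of 1000": (1000, beta(SCAN_RATE, FULL_SPACE)),
    "routed space only": (1, beta(SCAN_RATE, ROUTED_SPACE)),
}

def half_times():
    """Time for each scenario to infect half of the population."""
    return {n: time_to_fraction(N, i0, b, 0.5) for n, (i0, b) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, t in half_times().items():
        print(f"{name:22s} 50% infected after {t:7.0f} s")
```

Because the half-infection time scales as 1/(βN), shrinking the scanned space shortens it proportionally, while a hit-list only removes the slow initial phase of the logistic curve.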
The early stage of infection is the most critical time for any counter-measures
to be effective. Since the worms behave similarly in the early stages we will, in
the following, focus on random scanning worms as this is the type of worm that
has been observed in the wild to date.