In [7], Moore et al. note that when considering the effectiveness of defensive
measures, it is preferable to consider the quantiles of infection rather than the
mean number of infections due to the variability inherent in the early stages
of infection growth. However, we prefer to use these mean-value based models,
because they lend themselves to analysis in a way that stochastic simulations do
not. Moreover, we are mainly concerned with the relative performance of different
defenses as we compare them, and we believe that the relative performance can
be credibly determined in terms of the mean, even though the predicted mean
absolute performance should be viewed with caution.
The simple epidemic model we study is suitable only in contexts where the
worm scanning is unaffected by the network topology. This assumption is fine
for worms whose mass and scan rates aren't constrained by bandwidth (as was
the case with Code Red, and others), but is not acceptable when network
constraints hinder worm growth. In related work we are exploring how to incorporate
network constraints into efficient simulation of worm dynamics [8].
4.1 Spreading Patch Counter-Worm
Consider the spreading patch counter-worm model discussed earlier, and assume
that it uses the same vulnerability and propagation strategy as the original worm.
Under these assumptions the second worm will spread at (approximately) the
same rate as the original worm, seeking the same susceptible population of hosts.
A simple model is:
$$\frac{ds(t)}{dt} = -\beta s(t)\,\bigl(i_b(t) + i_g(t)\bigr)$$
$$\frac{di_b(t)}{dt} = \beta s(t)\, i_b(t)$$
$$\frac{di_g(t)}{dt} = \beta s(t)\, i_g(t)$$
where $i_b$ refers to infections by the malicious (bad) worm and $i_g$ refers to
infections by the spreading-patch (good) worm. Given $\beta$ and $i_b(0)$, system behavior
is governed by the time $T_0$ at which spreading-patch worms are released, and
the number of worms $I_0$ released then. We assume that the spreading-patch
worms are launched on “friendly” machines that are not part of the susceptible
or infected set.
Spreading-patch worm effectiveness as a function of response time and initial
population is shown in Figure 1. An effective response requires a combination of
low response time and a sufficiently large initial population. Launching a single
counter-worm has little effect, and the window of opportunity for launching even
a thousand spreading-patch worms disappears after a couple of hours.
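The dependence on response time and initial population described above can be explored by integrating the model numerically. The following Python sketch is an added example, not code from the paper; the population size, contact rate, initial infection count and step size are assumed values chosen only for illustration.

```python
# Added example: integrate the spreading-patch counter-worm model with RK4.
# ASSUMED values (not from the text): population, beta, i_b(0), step size.
N = 360_000        # assumed number of vulnerable hosts
BETA = 1.8 / N     # assumed contact rate: 1.8 new infections/host/hour early on
IB0 = 1.0          # assumed initial bad-worm infections, i_b(0)
H = 0.01           # integration step in hours


def deriv(state):
    """Right-hand side of the model: (ds/dt, di_b/dt, di_g/dt)."""
    s, ib, ig = state
    return (-BETA * s * (ib + ig), BETA * s * ib, BETA * s * ig)


def rk4_step(state):
    """Advance (s, i_b, i_g) by one step of size H."""
    def nudge(k, f):
        return tuple(x + f * dx for x, dx in zip(state, k))
    k1 = deriv(state)
    k2 = deriv(nudge(k1, H / 2))
    k3 = deriv(nudge(k2, H / 2))
    k4 = deriv(nudge(k3, H))
    return tuple(x + H / 6 * (a + 2 * b + 2 * c + d)
                 for x, a, b, c, d in zip(state, k1, k2, k3, k4))


def simulate(t0, i0, t_end=48.0):
    """Release i0 counter-worms at hour t0; return (i_b(T0), final i_b, final i_g)."""
    state = (N - IB0, IB0, 0.0)
    for _ in range(round(t0 / H)):
        state = rk4_step(state)
    s, ib_t0, ig = state
    # Counter-worms start on friendly hosts, so s and i_b are unchanged.
    state = (s, ib_t0, ig + i0)
    for _ in range(round((t_end - t0) / H)):
        state = rk4_step(state)
    return ib_t0, state[1], state[2]


def protected_fraction(t0, i0):
    """Fraction of the N vulnerable hosts patched by the counter-worm."""
    _, _, ig_end = simulate(t0, i0)
    return (ig_end - i0) / N


if __name__ == "__main__":
    for t0 in (0.5, 2.0, 4.0, 6.0):
        row = "  ".join(f"{protected_fraction(t0, i0):.3f}" for i0 in (1, 1000))
        print(f"T0={t0:>4}h  I0=1, 1000 -> {row}")
```

Because these are mean-value dynamics, the printed fractions are best read as a relative comparison between release times and release sizes, not as absolute predictions.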
At $T_0$, $i_b(T_0)$ hosts have succumbed to the original worm and there are $s(T_0)$
remaining susceptibles. How many spreading-patch worms must be launched to
protect a given fraction $p$ of those remaining susceptibles? If we consider
the fraction of infection growth due to the spreading-patch worm
$$\frac{di_g(t)/dt}{di_g(t)/dt + di_b(t)/dt} = \frac{i_g(t)}{i_g(t) + i_b(t)}$$