The spreading-patch worm model considered here assumes only that it scans
at the same rate as the original worm. It does not assume any information
about the malicious worm and its behavior. As worms to date have exploited
vulnerabilities that were previously known, it is not unreasonable to suppose
that a patching worm might be developed when the vulnerability is identified
(but before it is announced), against the possibility of needing to use it. Such
a worm would not be launched before needed, because it could be captured
and analyzed for the means to exploit the vulnerability. However, the fact that
the spreading-patch worm has higher impact on the network (Theorem 2) than
no defense at all encourages us to explore counter-worms that have stronger
capabilities in worm identification and suppression, with smaller impact on the
network.
4.2 Nullifying Defense
Next we develop a continuous model of the nullifying defense. Using notation
similar to that for the spreading patch defense, we develop state equations
$$\frac{ds(t)}{dt} = -\beta s(t)\bigl(i_b(t) + i_g(t)\bigr)$$

$$\frac{di_b(t)}{dt} = \beta s(t)\, i_b(t) - \beta\, i_b(t)\, i_g(t)$$

$$\frac{di_g(t)}{dt} = \beta s(t)\, i_g(t)$$

Here we see a new component to $di_b(t)/dt$, the subtraction of hosts due to
being scanned by the counter-worm.
Under our assumptions, in the limit of increasing time $t$, the aggregate scan
rate under the spreading patch defense is proportional to the number of “outside”
spreading-patch hosts $I_0$ plus the initial susceptible population size $s(0)$;
eventually every susceptible host is running either the worm or the counter-worm.
However, in the case of nullifying worms, the aggregate peak scan rate may be
smaller than the aggregate peak scan rate of the unfettered worm.
Theorem 3. Suppose that $I_0$ initial nullifying worms are released at time $T_0$.
If $I_0 \le i_b(T_0)$, then the aggregate peak scan rate using the nullifying worm
is less than the peak scan rate of the unfettered worm.
Proof. Let $i_n(t)$ be the aggregate number of infected hosts that a nullifying
defense has identified and contained by time $t$, and let $e(t)$ be the number of
formerly susceptible hosts that have been “enlisted” to run the nullifying worm.
At any time $t$ the aggregate scan rate of a defense is proportional to
$i_b(t) + i_g(t) = i_b(t) + I_0 + e(t)$. From the invariant
$s(0) = s(t) + i_b(t) + i_n(t) + e(t)$ we replace $e(t)$ in the scan rate
expression to see that the scan rate at $t$ is proportional to
$I_0 + s(0) - s(t) - i_n(t)$. The maximum value of this term will always be less
than $s(0)$ if $I_0 < s(t) + i_n(t)$ for all $t$. Examination of derivatives shows
that $s(t) + i_n(t)$ is monotone decreasing, hence its lowest value is the
asymptotic value of $i_n(t)$, $s(t)$
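The nullifying-defense state equations and the scan-rate identity from the proof of Theorem 3, integrated numerically as an added example (this is not code from the paper); the population sizes, $\beta$, $I_0$ and $T_0$ below are constructed values, and $i_n(t)$ is carried along as a fourth state variable so the invariant and the peak-scan-rate claim can be checked.

```python
# Added example, not code from the paper: fixed-step RK4 integration of the
# nullifying-defense model.  Parameter values are constructed for illustration.
# i_n(t) (hosts identified and contained) is tracked with the state.

def derivs(state, beta):
    """Right-hand side of the model: state = (s, i_b, i_g, i_n)."""
    s, ib, ig, i_n = state
    ds = -beta * s * (ib + ig)             # susceptibles taken by either worm
    dib = beta * s * ib - beta * ib * ig   # worm spread, minus hosts nullified
    dig = beta * s * ig                    # counter-worm enlists susceptibles
    din = beta * ib * ig                   # infected hosts scanned by counter-worm
    return (ds, dib, dig, din)

def rk4_step(state, beta, dt):
    """One classical fourth-order Runge-Kutta step."""
    k1 = derivs(state, beta)
    k2 = derivs(tuple(x + 0.5 * dt * k for x, k in zip(state, k1)), beta)
    k3 = derivs(tuple(x + 0.5 * dt * k for x, k in zip(state, k2)), beta)
    k4 = derivs(tuple(x + dt * k for x, k in zip(state, k3)), beta)
    return tuple(x + dt / 6.0 * (a + 2 * b + 2 * c + d)
                 for x, a, b, c, d in zip(state, k1, k2, k3, k4))

def simulate(s0, ib0, beta, I0=0.0, T0=0.0, t_end=60.0, dt=0.01):
    """Run the model, releasing I0 nullifying worms at time T0.  Returns the peak
    of i_b + i_g (aggregate scan rate over the per-host rate), i_b at release,
    the minimum of s + i_n after release, and the final state."""
    state = (float(s0), float(ib0), 0.0, 0.0)
    steps = int(round(t_end / dt))
    ib_at_T0, peak, min_s_plus_in = None, float(ib0), float("inf")
    for step in range(steps + 1):
        if ib_at_T0 is None and step * dt >= T0:
            ib_at_T0 = state[1]
            state = (state[0], state[1], float(I0), state[3])  # release I0
        s, ib, ig, i_n = state
        peak = max(peak, ib + ig)
        if ib_at_T0 is not None:
            min_s_plus_in = min(min_s_plus_in, s + i_n)
        if step < steps:
            state = rk4_step(state, beta, dt)
    return {"peak": peak, "ib_T0": ib_at_T0, "min_s_plus_in": min_s_plus_in,
            "final": state}

if __name__ == "__main__":
    # Constructed scenario: 10000 susceptibles, 10 infected, beta = 1e-4,
    # 500 nullifying worms released at T0 = 5, where I0 <= i_b(T0) holds.
    worm = simulate(10000, 10, 1e-4)
    defended = simulate(10000, 10, 1e-4, I0=500, T0=5)
    print("unfettered peak:", round(worm["peak"]), "defended peak:",
          round(defended["peak"]), "i_b(T0):", round(defended["ib_T0"]))
```

Because the model preserves the linear invariant exactly, the observed peak of $i_b + i_g$ equals $I_0 + s(0) + i_b(0) - \min_t\bigl(s(t) + i_n(t)\bigr)$, which is the quantity the proof bounds.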