Information Technology Reference
In-Depth Information
say,
N
= lim
t→∞
i
n
(
t
). By assumption
I
0
≤
i
b
(
T
0
), and clearly
i
b
(
T
0
)
<
N
.The
conclusion follows immediately.
It is interesting to compare this result—which says if one
limits
the initial
infection of the counter-worm you can bound the peak scan rate from above,
with the spreading-patch defense results which turn these inequalities around.
With the spreading-patch defense a minimum size of the release needs to be
I
0
>i
b
(
T
0
) to give it enough mass to overtake the original worm. But because
the nullifying worm fights by decreasing the number of scanning worms, it gets
by with a smaller initial counter-worm population.
Another capability a nullifying defense could have is that it stop all defensive
scanning, upon centralized command. This would help mitigate against over-
whelming the network with scans from the defenses (a characteristic reported of
the counter-worms seen in the wild). Denote the defensive worm stopping time
by
t
s
. The modified state equations after time
t
s
are
ds
(
t
)
dt
=
−
βs
(
t
)
i
b
(
t
)
(2)
di
b
(
t
)
dt
=
βs
(
t
)
i
b
(
t
)
(3)
di
g
(
t
)
dt
=0
(4)
Figure 2 illustrates the evolution of system state where the nullifying defense is
propagating without stopping. Also shown, is the resulting peak total population
(directly related to peak bandwidth in our model) as a function of stopping
time
t
s
. Taking the time at which the defensive worms are stopped as a control
parameter, we see that the minimized peak scan rate obtained by optimally
selecting the stopping time is no larger than the peak scan rate if the defenses
are never turned off. This capability can only improve the peak scan rate over
that of the earlier nullifying defense we considered.
For
t<t
s
thescanrateisproportionalto
i
b
(
t
)+
i
g
(
t
); the peak scan rate
achieved after
t
s
is proportional to
i
b
(
t
s
)+
s
(
t
s
), for the original worm will
eventually infect all hosts left unprotected once we stop the defensive scans.
Examination of derivatives shows that
d
(
i
b
(
t
)+
i
g
(
t
))
dt
=
β
(
i
b
(
t
)(
s
(
t
)
−
i
g
(
t
)) +
s
(
t
)
i
g
(
t
))
which we observe is positive at least as long as
s
(
t
)
≥
i
g
(
t
). Likewise, derivatives
show that
i
b
(
t
)+
s
(
t
) is a decreasing function :
d
(
i
b
(
t
)+
s
(
t
))
dt
=
−
βi
g
(
t
)(
i
b
(
t
)+
s
(
t
))
.
If the nullifying defense scans are stopped at
t
s
with
s
(
t
s
)
≥
i
g
(
t
s
)weare
assured that the peak scanning rate of the system is
max
{
i
b
(
t
s
)+
i
g
(
t
s
)
,i
b
(
t
s
)+
s
(
t
s
)
}
.
