[Figure residue: plot of number of hosts (y-axis, 0 to 400,000) against time in hours (x-axis, 0 to 16); series shown: susceptible, infected and scanning, nullifying hosts, peak #scanning if stopped at t.]

Fig. 2. Peak bandwidth used by the nullifying defense (and original worm) as a function of when it is switched off
So long as the first argument is increasing and the second argument is decreasing, the stopping time that minimizes the maximum occurs when the arguments are equal, i.e., when $i_g(t) = s(t)$; since $i_b(t) + i_g(t)$ is still monotone at this point, the $t_s$ minimizing the peak aggregate scanning rate satisfies $i_g(t_s) = s(t_s)$.
We are now in a position to quantify the performance of a defensive worm. We can show that the minimal peak number of hosts scanning is at least $(1/3)(s(0) + I_0)$, provided that $I_0 \ge i_b(T_0)$, a result which we state formally.
Theorem 4. Consider a nullifying defense that is launched at time $T_0$ with $I_0 \ge i_b(T_0)$ initial instances, and whose scans can be stopped on command. The stopping time $t_s$ which minimizes peak scanning is the unique solution to $i_g(t_s) = s(t_s)$. A lower bound on the peak number of hosts scanning is $(1/3)(s(0) + I_0)$.
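The stopping rule and the lower bound can be checked numerically. The Python script below is an added example, not code from the paper: it assumes a simple compartment model in which the worm and the counter-worm draw from the same susceptible pool at the same per-host rate $\beta$ (as the proof describes), with the counter-worm both spreading and nullifying until it is switched off at $t_s$, after which only the original worm keeps spreading. Time is measured from $T_0 = 0$, and the constants (population fractions $s(0) = 0.9$, $i_b(0) = I_0 = 0.05$, $\beta = 1$), the step sizes and the function names are all constructed for the illustration. The script locates the crossing $i_g(t_s) = s(t_s)$, evaluates the two arguments of the min-max argument ($i_b + i_g$, increasing in the stop time, and $i_b + s$, the level the original worm reaches once nullification stops, decreasing), and confirms by direct simulation that the peak is minimized at the crossing and stays above $(1/3)(s(0) + I_0)$.

```python
"""Stopping-time check for a nullifying counter-worm (constructed example).

Assumed compartment model, in population fractions, with time measured from
the defense launch T_0 = 0:
    s   susceptible hosts
    i_b hosts infected by the original worm and scanning
    i_g counter-worm instances scanning (I_0 = i_g(0))
    i_n infected hosts that the counter-worm has nullified
Both worms scan at the same per-host rate beta.  While the defense is active:
    ds/dt   = -beta*s*(i_b + i_g)
    di_b/dt =  beta*s*i_b - beta*i_g*i_b
    di_g/dt =  beta*s*i_g
    di_n/dt =  beta*i_g*i_b
After the defense is switched off only the original worm keeps spreading.
"""

BETA = 1.0                       # assumed per-host scan rate (arbitrary time unit)
DT = 0.01                        # RK4 step size
S0, IB0, IG0 = 0.90, 0.05, 0.05  # s(0), i_b(0), I_0 = i_g(0) >= i_b(0)


def derivs(state, active):
    """Right-hand side of the assumed model; `active` = defense still scanning."""
    s, ib, ig, _ = state
    if active:
        return (-BETA * s * (ib + ig),
                BETA * s * ib - BETA * ig * ib,
                BETA * s * ig,
                BETA * ig * ib)
    return (-BETA * s * ib, BETA * s * ib, 0.0, 0.0)


def rk4_step(state, active):
    """One classical Runge-Kutta step of size DT."""
    k1 = derivs(state, active)
    k2 = derivs([x + 0.5 * DT * k for x, k in zip(state, k1)], active)
    k3 = derivs([x + 0.5 * DT * k for x, k in zip(state, k2)], active)
    k4 = derivs([x + DT * k for x, k in zip(state, k3)], active)
    return [x + DT / 6.0 * (a + 2 * b + 2 * c + d)
            for x, a, b, c, d in zip(state, k1, k2, k3, k4)]


def trajectory(stop_step=None, n_steps=4000):
    """States at steps 0..n_steps; the defense is switched off at stop_step."""
    state = [S0, IB0, IG0, 0.0]
    out = [tuple(state)]
    for k in range(n_steps):
        active = stop_step is None or k < stop_step
        state = rk4_step(state, active)
        out.append(tuple(state))
    return out


def crossing_step(n_steps=4000):
    """First step at which i_g(t) >= s(t) when the defense is never stopped."""
    for k, (s, _, ig, _) in enumerate(trajectory(None, n_steps)):
        if ig >= s:
            return k
    raise ValueError("counter-worm never overtakes the susceptible pool")


def peak_bound(stop_step):
    """max(i_b + i_g, i_b + s) evaluated at the stop time.

    i_b + i_g is the aggregate scanning at the moment the defense stops
    (increasing in the stop time); i_b + s is where the original worm ends up
    once nullification stops, since every remaining susceptible host is
    eventually infected (decreasing in the stop time).
    """
    s, ib, ig, _ = trajectory(None, stop_step)[stop_step]
    return max(ib + ig, ib + s)


def peak_simulated(stop_step, n_steps=4000):
    """Peak aggregate scanning observed when the defense really stops at stop_step."""
    peak = 0.0
    for k, (_, ib, ig, _) in enumerate(trajectory(stop_step, n_steps)):
        peak = max(peak, ib + (ig if k < stop_step else 0.0))
    return peak


def best_stop(candidates, peak_fn):
    """Candidate stop step with the smallest peak under peak_fn."""
    return min(candidates, key=peak_fn)


if __name__ == "__main__":
    c = crossing_step()
    grid = range(0, 601, 20)                     # stop times 0.0, 0.2, ..., 6.0
    print(f"i_g = s first at t = {c * DT:.2f}")
    for k in grid:
        print(f"stop at t={k * DT:4.1f}: bound {peak_bound(k):.3f}  "
              f"simulated {peak_simulated(k):.3f}")
    b = best_stop(grid, peak_simulated)
    print(f"best grid stop t = {b * DT:.1f}, peak {peak_simulated(b):.3f}, "
          f"theorem lower bound {(S0 + IG0) / 3:.3f}")
```

`peak_bound` is the closed-form version of the argument in the text (the larger of the two monotone arguments at the stop time), while `peak_simulated` actually switches the defense off and watches the aggregate scanning; the two agree at the crossing, and the grid search over stop times picks the point bracketing $i_g = s$ for both.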
Proof. We first note that, under the assumption $I_0 = i_g(T_0) > i_b(T_0)$, $i_g(t)$ $T_0$. This is a result of both the worm and the counter-worm competing for exactly the same pool of susceptible hosts—at the same rate (per host)—with the counter-worm starting with at least as many hosts as are in the infection at the time the counter-worm is released. A consequence is that the time $t_s$ when $s(t_s) = i_g(t_s)$ occurs before the time $t_b$ when $s(t_b) = i_b(t_b)$. This fact turns out to be important as we ask for conditions under which $i_g(t)$ $i_b(t)$ for all $t$ $i_n(t)$, where $i_n(t)$ is the number of infected hosts that have been nullified. We know that $i_g(T_0) > i_n(T_0)$; analysis of the derivative of $i_g(t) - i_n(t)$ shows that this difference grows so long as $s(t)$ $i_b(t)$—a condition which can only occur after the stopping time $t_s$. Finally, we note the invariant