$$i_b(t) + i_g(t) + i_n(t) + s(t) = s(0) + I_0 .$$
At the stopping time, $s(t_s) = i_g(t_s)$, and $i_g(t_s) > i_n(t_s)$, whence
$$i_b(t_s) + 3\, i_g(t_s) > s(0) + I_0 .$$
It follows that $i_b(t_s) + i_g(t_s) > \tfrac{1}{3}\left(s(0) + I_0\right)$.
We see that under the theorem's assumptions, the capabilities that nullifying
defenses have over spreading-patch defenses (suppressing an infected host's scans,
stopping the "good worm" from scanning) give the defense greater power, but the peak
number of hosts scanning (both worm and counter-worm) is still at least one third
of the initial susceptible population. It should be noted that this result depends
significantly on the assumption that the counter-worm's scan rate is identical to
the worm's. We are exploring the consequences of relaxing this assumption, as
well as looking for ways of countering worms with increasing power
while reducing the impact on the network.
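As an added numerical illustration (not code from the paper), the following Python script integrates a constructed toy worm / counter-worm model, stops at the first time $s(t) = i_g(t)$ as in the derivation above, and checks the conservation identity, the hypothesis $i_g(t_s) > i_n(t_s)$ and the resulting one-third bound. The model equations, the contact rate `beta` and the number of outside counter-worm scanners are assumptions chosen for illustration, not the paper's own equations.

```python
"""Numerical check of the peak-scanning bound i_b + i_g > (s(0) + I_0)/3.

Constructed toy model (an assumption for illustration, not the paper's equations):
  s    susceptible hosts
  i_b  hosts scanning with the worm
  i_g  hosts inside the population scanning with the counter-worm
  i_n  worm hosts the counter-worm has nullified (they stop scanning)
Every scanner (worm, counter-worm, and `outside` counter-worm scanners that are
not part of the population) contacts each host at rate beta; the counter-worm's
scan rate equals the worm's, the assumption the text flags as essential.
"""


def simulate_until_stop(s0=10000.0, i0=10.0, outside=100.0, beta=1e-4,
                        dt=0.01, max_steps=1_000_000):
    """Euler-integrate the toy model and stop at the first time s(t) <= i_g(t).

    Returns the state (s, i_b, i_g, i_n) at that stopping time, or None if the
    stopping condition was never reached within max_steps.
    """
    s, ib, ig, in_ = s0, i0, 0.0, 0.0
    for _ in range(max_steps):
        if s <= ig:                            # stopping time t_s: s(t_s) = i_g(t_s)
            return s, ib, ig, in_
        scanners_g = ig + outside              # counter-worm scanners, inside + outside
        new_b = beta * ib * s * dt             # worm infections of susceptibles
        new_g = beta * scanners_g * s * dt     # counter-worm implants on susceptibles
        null = beta * scanners_g * ib * dt     # worm hosts reached and nullified
        s -= new_b + new_g
        ib += new_b - null
        ig += new_g
        in_ += null                            # total s + i_b + i_g + i_n is unchanged
    return None


def check_peak_bound(state, s0, i0, tol=1e-6):
    """Check the conservation identity, the theorem's hypothesis and the bound.

    Mirrors the derivation: i_b + i_g + i_n + s = s(0) + I_0, s(t_s) = i_g(t_s)
    and i_g(t_s) > i_n(t_s) together give i_b(t_s) + i_g(t_s) > (s(0) + I_0)/3.
    """
    s, ib, ig, in_ = state
    total = s0 + i0
    return {
        "conserved": abs((ib + ig + in_ + s) - total) < tol * total,
        "ig_exceeds_in": ig > in_,             # hypothesis of the theorem
        "scanning_at_stop": ib + ig,           # hosts scanning (worm + counter-worm)
        "bound_holds": ib + ig > total / 3.0,
    }


if __name__ == "__main__":
    st = simulate_until_stop()
    print(st, check_peak_bound(st, 10000.0, 10.0))
```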
5 Conclusions
This paper studies active defenses against Internet worms. We use discrete and
continuous mathematical models to study a hierarchy of worm fighting capabil-
ities. We are able to prove a number of results about these models, including
- strong stochastic ordering of infection counts in a hierarchy of five defense
types;
- that a simple counter-worm defense has a stochastically larger aggregate
scanning intensity than does the unfettered worm;
- that by starting a defense with enough outside hosts scanning to implant
counter-worms, any desired fraction of the remaining susceptible hosts can
be protected from a worm;
- that by starting a nullifying defense with few enough outside hosts, the peak
scanning intensity is less than the unfettered worm;
- even when peak scanning time is minimized under the nullifying defense, it
is still the case that the peak number of hosts scanning is at least 1/3 of the
total number of susceptibles.
There is much work yet to be done. This paper does not address the very
significant problem of quickly and automatically detecting when a worm attack
has been launched—we have looked only at the relative effectiveness of measures
put into place after the detection. Our experiments of effectiveness of defense as
a function of response time (Figure 1) show that rapid detection is absolutely
critical.
Acknowledgements
This research was supported under Award number 2000-DT-CX-K001 from the
U.S. Department of Homeland Security, Science and Technology Directorate.