DOI: 10.1145/1103626.1103634
Article

On the effectiveness of automatic patching

Published: 11 November 2005

Abstract

We study the effectiveness of automatic patching and quantify the speed of patch dissemination required for worm containment. We focus on random scanning as this is representative of current generation worms, though smarter strategies exist. We find that even such "dumb" worms require very fast patching. Our primary focus is on how delays due to worm detection and patch generation and dissemination affect worm spread. Motivated by scalability and trust issues, we consider a hierarchical system where network hosts are partitioned into subnets, each containing a patch server (termed superhost). Patches are disseminated to superhosts through an overlay connecting them and, after verification, to end hosts within subnets. When patch dissemination delay on the overlay is negligible, we find that the number of hosts infected is exponential in the ratio of worm infection rate to patch rate. This implies strong constraints on the time to disseminate, verify and install patches in order for it to be effective. We also provide bounds that account for alert or patch dissemination delay. Finally, we evaluate the use of filtering in combination with patching and show that it can substantially improve worm containment. The results accommodate a variety of overlays by a novel abstraction of minimum broadcast curve. They demonstrate that effective automatic patching is feasible if combined with mechanisms to bound worm scan rate and with careful engineering of the patch dissemination. The results are obtained analytically and verified by simulations.
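The exponential dependence on the infection-to-patch ratio can be reproduced with a small fluid model. This is an added example, not code or equations from the paper: it assumes a random-scanning worm with infection rate beta, susceptible hosts patched at rate mu with no dissemination delay, and infected hosts that stay infected; all function names and parameter values are constructed.

```python
import math

def final_infected(beta, mu, i0, horizon=40.0, steps=8000):
    """Fraction of hosts infected once patching has run its course.

    Assumed model (not taken from the paper), in host fractions:
      ds/dt = -beta*i*s - mu*s   susceptible hosts get infected or patched
      di/dt =  beta*i*s          infected hosts stay infected
    Integrated with RK4 over `horizon` mean patch times (1/mu each).
    """
    def deriv(s, i):
        infect = beta * i * s
        return -infect - mu * s, infect

    s, i = 1.0 - i0, i0
    dt = horizon / mu / steps
    for _ in range(steps):
        a_s, a_i = deriv(s, i)
        b_s, b_i = deriv(s + 0.5 * dt * a_s, i + 0.5 * dt * a_i)
        c_s, c_i = deriv(s + 0.5 * dt * b_s, i + 0.5 * dt * b_i)
        d_s, d_i = deriv(s + dt * c_s, i + dt * c_i)
        s += dt * (a_s + 2 * b_s + 2 * c_s + d_s) / 6
        i += dt * (a_i + 2 * b_i + 2 * c_i + d_i) / 6
    return i

def small_outbreak_estimate(beta, mu, i0):
    """Closed form of the same model while infections stay rare: s(t) ~ exp(-mu*t),
    so i(inf) ~ i0 * exp(beta/mu), exponential in the infection-to-patch ratio."""
    return i0 * math.exp(beta / mu)

def required_patch_rate(beta, i0, target):
    """Smallest mu keeping the estimate at or below `target` (needs target > i0)."""
    if target <= i0:
        raise ValueError("target must exceed the initially infected fraction")
    return beta / math.log(target / i0)

if __name__ == "__main__":
    I0 = 1e-6  # constructed: one infected host per million
    for ratio in (1, 2, 4, 6, 8):
        sim = final_infected(beta=float(ratio), mu=1.0, i0=I0)
        print(f"beta/mu={ratio}: simulated {sim:.3e}, "
              f"estimate {small_outbreak_estimate(ratio, 1.0, I0):.3e}")
    print("mu needed for <=0.1% infected at beta=6:",
          round(required_patch_rate(6.0, I0, 1e-3), 3))
```

The closed form is an upper estimate that tightens as the infected fraction shrinks; once a sizeable share of hosts is infected, the simulated value falls below it.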



    Published In

    WORM '05: Proceedings of the 2005 ACM workshop on Rapid malcode
    November 2005
    94 pages
    ISBN:1595932291
    DOI:10.1145/1103626

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. automatic updates
    2. epidemic
    3. minimum broadcast curve
    4. patching
    5. software updates
    6. virus
    7. worm


    Conference

    CCS05