research-article

Modeling and analysis of worm defense using stochastic activity networks

Authors:

David M. Nicol,

Steve Hanna,

Frank Stratton,

William H. SandersAuthors Info & Claims

SpringSim '07: Proceedings of the 2007 spring simulation multiconference - Volume 3

Pages 349 - 355

Published: 25 March 2007 Publication History

Get Access

Abstract

Stochastic activity networks (SANs) are a widely used formalism for describing complex systems that have random behavior. Sophisticated software tools exist for the modeling and analysis of systems described within a SAN framework. This paper presents a SAN model of a local area network's defense against Internet worm propagation, measuring the effectiveness of a defensive strategy based on removing hosts from the local network once an infection is detected. We consider the problem of deciding whether to allocate resources to remove an infected host (and thereby reduce the threat), or remove a susceptible but as-yet uninfected host, to directly save it from attack. Considering a parameterized range of policies that makes this decision based on the number of infections in the local network, we find marked preference for always removing one type of hosts when possible, over the other, regardless of the infection state. We futhermore see whether preference should be given to infected hosts or susceptible hosts depends on the relative speeds at which they are removed. Finally, we see that a worm attack can be effectively countered provided that the aggregate rate at which hosts can be removed is on the order of the aggregate infection rate at the time the defense is engaged. Our effort demonstrates the utility of using sophisticated modeling tools to study worm defense, and policy decisions surrounding it.

References

[1]

CERT Coordination Center. CERT Advisory CA-2001-19 'Code Red' Worm Exploiting Buffer Overflow In IIS Indexing Service DLL, July 2001; http://www.cert.org/advisories/CA-2001-19.html.

Google Scholar

[2]

Cisco Security Advisories. 'Code Red'Worm - Customer Impact, July 2001; http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml.

Google Scholar

[3]

C. Shannon, D. Moore, and J. Brown. "Code-Red: A Case Study on the Spread and Victims of an Internet Worm," Proc. Internet Measurement Workshop (IMW), ACM Press, 2002, pp. 273284.

Digital Library

Google Scholar

[4]

H. Berghel. The Code Red Worm, Communications of the ACM, 2001. 44(12):p. 15--19.

Digital Library

Google Scholar

[5]

Mobius. http://www.mobius.uiuc.edu/.

Google Scholar

[6]

S. Friedl. Analysis of the new 'Code Red II' Variant, Aug. 2001; http://www.unixwiz.net/techtips/CodeRedII.html.

Google Scholar

[7]

N. Weaver. The Spread of the Sapphire/Slammer Worm, http://www.caida.org/publications/papers/2003/sapphire/sapphire.html

Google Scholar

[8]

D. Moore and C. Shannon. The Spread of the Witty Worm, http://www.caida.org/analysis/security/witty/.

Google Scholar

[9]

Linksys. Linksys Data Sheet, http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout & cid=1150490915278&pagename=Linksys%2FCommon%2FVisitorWrapper

Google Scholar

[10]

D. M. Nicol. The Impact of Stochastic Variability on Worm Detection, In Proceedings of the 2006 ACM Workshop on Rapid Malmare (WORM '06), Alexandria, VA, pp. 57--64.

Digital Library

Google Scholar

Cited By

View all

Yang YZhang YWang AYu MZang WLiu PJajodia S(2013)Quantitative survivability evaluation of three virtual machine-based server architecturesJournal of Network and Computer Applications10.1016/j.jnca.2012.12.00636:2(781-790)Online publication date: 1-Mar-2013
https://dl.acm.org/doi/10.1016/j.jnca.2012.12.006

Recommendations

Worm propagation modeling and analysis under dynamic quarantine defense
WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcode

Due to the fast spreading nature and great damage of Internet worms, it is necessary to implement automatic mitigation, such as dynamic quarantine, on computer networks. Enlightened by the methods used in epidemic disease control in the real world, we ...
Worm propagation modeling considering green worm defense mechanism in complex networks
Abstract
The spread of worms, a type of malware, is a significant threat to complex networks because they can infect network systems and cause widespread disruption. The proliferation of smart devices has heightened concerns regarding malware and worm ...
WORM vs. WORM: preliminary study of an active counter-attack mechanism
WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode

Self-propagating computer worms have been terrorizing the Internet for the last several years. With the increasing density, inter-connectivity and bandwidth of the Internet combined with security measures that inadequately scale, worms will continue to ...

Comments

Information & Contributors

Information

Published In

SpringSim '07: Proceedings of the 2007 spring simulation multiconference - Volume 3

March 2007

351 pages

ISBN:1565553144

General Chair:
Maurice J. Ades

Publisher

Society for Computer Simulation International

San Diego, CA, United States

Publication History

Published: 25 March 2007

Check for updates

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
55
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 01 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Yang YZhang YWang AYu MZang WLiu PJajodia S(2013)Quantitative survivability evaluation of three virtual machine-based server architecturesJournal of Network and Computer Applications10.1016/j.jnca.2012.12.00636:2(781-790)Online publication date: 1-Mar-2013
https://dl.acm.org/doi/10.1016/j.jnca.2012.12.006

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Recommendations

Worm propagation modeling and analysis under dynamic quarantine defense

Worm propagation modeling considering green worm defense mechanism in complex networks

WORM vs. WORM: preliminary study of an active counter-attack mechanism

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations