On the race of worms, alerts, and patches

Published: 01 October 2008

Abstract

We provide an analytical framework for evaluating the performance of automatic patching systems. We use it to quantify the speed of patch or alert dissemination required for worm containment. Motivated by scalability and trust issues, we consider a hierarchical system where network hosts are organized into subnets, each containing a patch server (termed superhost). Patches are disseminated to superhosts through an overlay connecting them and, after verification, to end hosts within subnets. The analytical framework accommodates a variety of overlays through the novel abstraction of a minimum broadcast curve. It also accommodates filtering of scans across subnets. The framework provides quantitative estimates that can guide system designers in dimensioning automatic patching systems. The results are obtained mathematically and verified by simulation.

Published In

IEEE/ACM Transactions on Networking  Volume 16, Issue 5
October 2008
238 pages

Publisher

IEEE Press

Publication History

Published: 01 October 2008
Revised: 25 May 2007
Received: 15 May 2006
Published in TON Volume 16, Issue 5

Author Tags

  1. automatic updates
  2. epidemic
  3. minimum broadcast curve
  4. patching
  5. software updates
  6. virus
  7. worm

Qualifiers

  • Article

Cited By

  • (2019) Group-Based Susceptible-Infectious-Susceptible Model in Large-Scale Directed Networks. Security and Communication Networks, 2019. DOI: 10.1155/2019/1657164. Online publication date: 1-Jan-2019
  • (2016) Characterising heterogeneity in vulnerable hosts on worm propagation. International Journal of Security and Networks, 11:4 (224-234). DOI: 10.1504/IJSN.2016.079276. Online publication date: 1-Jan-2016
  • (2016) Virus Propagation Modeling and Convergence Analysis in Large-Scale Networks. IEEE Transactions on Information Forensics and Security, 11:10 (2241-2254). DOI: 10.1109/TIFS.2016.2581305. Online publication date: 1-Oct-2016
  • (2013) Optimizing Active Cyber Defense. 4th International Conference on Decision and Game Theory for Security - Volume 8252 (206-225). DOI: 10.1007/978-3-319-02786-9_13. Online publication date: 11-Nov-2013
  • (2011) Characterizing internet worm infection structure. Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats (6-6). DOI: 10.5555/1972441.1972450. Online publication date: 29-Mar-2011
  • (2011) A Decision Support System for Placement of Intrusion Detection and Prevention Devices in Large-Scale Networks. ACM Transactions on Modeling and Computer Simulation, 22:1 (1-26). DOI: 10.1145/2043635.2043640. Online publication date: 1-Dec-2011
  • (2009) Deriving a closed-form expression for worm-scanning strategies. International Journal of Security and Networks, 4:3 (135-144). DOI: 10.1504/IJSN.2009.027339. Online publication date: 1-Jul-2009
  • (2009) An information-theoretic view of network-aware malware attacks. IEEE Transactions on Information Forensics and Security, 4:3 (530-541). DOI: 10.1109/TIFS.2009.2025847. Online publication date: 1-Sep-2009
