Modeling and Analysis of Worm Defense Using Stochastic Activity Networks

Nicol, D. M., Hanna, S., Stratton, F., Sanders, W.

Symposium on Simulation of System Security (SSS'07). Spring Simulation Multiconference (SpringSim'07), Vol. 3. Society for Computer Simulation International, San Diego, CA, USA, 349-355, 2007.

Visit Publisher Online Entry:

Stochastic activity networks (SANs) are a widely used formalism for describing complex systems that have random behavior. Sophisticated software tools exist for the modeling and analysis of systems described within a SAN framework. This paper presents a SAN model of a local area network's defense against Internet worm propagation, measuring the effectiveness of a defensive strategy based on removing hosts from the local network once an infection is detected. We consider the problem of deciding whether to allocate resources to remove an infected host (and thereby reduce the threat), or remove a susceptible but as-yet uninfected host, to directly save it from attack. Considering a parameterized range of policies that makes this decision based on the number of infections in the local network, we find marked preference for always removing one type of hosts when possible, over the other, regardless of the infection state. We futhermore see whether preference should be given to infected hosts or susceptible hosts depends on the relative speeds at which they are removed. Finally, we see that a worm attack can be effectively countered provided that the aggregate rate at which hosts can be removed is on the order of the aggregate infection rate at the time the defense is engaged. Our effort demonstrates the utility of using sophisticated modeling tools to study worm defense, and policy decisions surrounding it.

Publication Status:
Publication Type:
Publication Date:
Copyright Notice:

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

  1. The following copyright notice applies to all of the above items that appear in IEEE publications: "Personal use of this material is permitted. However, permission to reprint/publish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from IEEE."

  2. The following copyright notice applies to all of the above items that appear in ACM publications: "© ACM, effective the year of publication shown in the bibliographic information. This file is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in the journal or proceedings indicated in the bibliographic data for each item."

  3. The following copyright notice applies to all of the above items that appear in IFAC publications: "Document is being reproduced under permission of the Copyright Holder. Use or reproduction of the Document is for informational or personal use only."