Worm propagation modeling and analysis under dynamic quarantine defense

Because Internet worms spread fast and cause great damage, computer networks need automatic mitigation such as dynamic quarantine. Inspired by the methods used to control epidemic disease in the real world, we present a dynamic quarantine method based on the principle "assume guilty before proven innocent": we quarantine a host whenever its behavior looks suspicious, by blocking traffic on the port that shows the anomaly. We then release the quarantine after a short time, even if the host has not yet been inspected by security staff. We present a mathematical analysis of three worm propagation models under this dynamic quarantine method. The analysis shows that dynamic quarantine can reduce a worm's propagation speed, which gives defenders precious time to fight the worm before it is too late. Furthermore, dynamic quarantine raises a worm's epidemic threshold and thus reduces the chance that a worm spreads out. The simulation results verify our analysis and demonstrate the effectiveness of the dynamic quarantine defense.
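The quarantine-then-release mechanism described above can be explored with a small deterministic simulation. This is an added example, not code or equations from the paper: it assumes a mean-field susceptible/infected model, and the names and values (`beta`, `lam_inf`, `lam_sus`, `q_time`) are illustrative assumptions rather than the paper's three models or parameters.

```python
from collections import deque

def simulate(n=100_000, i0=10, beta=0.8, lam_inf=0.0, lam_sus=0.0,
             q_time=10.0, dt=0.1, t_end=200.0):
    """Mean-field worm spread with timed quarantine (all parameters assumed).

    beta    : infection rate of one free infected host
    lam_inf : rate at which free infected hosts are flagged and quarantined
    lam_sus : false-alarm rate at which free susceptible hosts are quarantined
    q_time  : fixed quarantine duration; hosts are released uninspected
    Returns a list of (time, infected_fraction) samples.
    """
    s, i = float(n - i0), float(i0)       # hosts currently NOT quarantined
    slots = max(1, round(q_time / dt))
    q_s = deque([0.0] * slots)            # quarantined susceptible, oldest first
    q_i = deque([0.0] * slots)            # quarantined infected, oldest first
    held_i = 0.0                          # infected hosts currently quarantined
    curve = []
    for step in range(round(t_end / dt)):
        curve.append((step * dt, (i + held_i) / n))
        # Timer expired: release the oldest cohort, still infected if it was.
        rel_s, rel_i = q_s.popleft(), q_i.popleft()
        s, i, held_i = s + rel_s, i + rel_i, held_i - rel_i
        # Only free infected hosts can reach free susceptible hosts.
        new_inf = beta * i * s / n * dt
        s, i = s - new_inf, i + new_inf
        # Suspicious behaviour triggers quarantine ("assume guilty").
        to_q_s, to_q_i = lam_sus * s * dt, lam_inf * i * dt
        s, i, held_i = s - to_q_s, i - to_q_i, held_i + to_q_i
        q_s.append(to_q_s)
        q_i.append(to_q_i)
    return curve

def time_to_fraction(curve, frac):
    """First sampled time at which the infected fraction reaches frac."""
    return next((t for t, f in curve if f >= frac), None)

if __name__ == "__main__":
    plain = simulate()
    quarantined = simulate(lam_inf=0.5, lam_sus=0.02)
    print("time to 50% infected, no defense:", time_to_fraction(plain, 0.5))
    print("time to 50% infected, quarantine:", time_to_fraction(quarantined, 0.5))
```

Because released hosts are never cleaned in this sketch, every host is eventually infected; the quantity to compare between runs is the time taken to reach a given infected fraction, which is the window available for patching and inspection.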
