Using predators to combat worms and viruses: a simulation-based study

Large-scale attacks generated by fast-spreading or stealthy malicious mobile code, such as flash worms and e-mail viruses, demand new approaches to patch management and disinfection. Currently popular centralized approaches suffer from distribution bottlenecks which cannot be solved by merely increasing the number of servers, as the number of servers required to eliminate all bottlenecks is impractically large. Recently, predators were proposed as a technique for eliminating automated mobile malware from computer networks. Predators are benevolent, self-propagating mobile programs which have the ability to clean up systems infected by malignant worms/viruses. We propose a number of extensions to the original predator model, including immunizing predators, persistent predators, and seeking predators. We report on a set of simulations which explore the effects of predators on small-scale (800 to 1600 node) networks. Our results indicate that predators hold significant promise as an alternative to the centralized patch distribution mechanism. The results show that predators can be used to disinfect systems and distribute patches rapidly across the network, without suffering from bottlenecks or causing network congestion. The results also show that the new predator models provide significant benefits over the original predator model. The simulation tool is also useful for tuning predator behavior, so that an optimal tradeoff between the peak virus/worm infection rate and the overhead generated by the predator can be chosen before a predator is released.
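As an added illustration of the tradeoff the abstract describes (peak infection versus predator overhead) and of the four predator behaviours it names, here is a toy discrete-time simulation on a small random network. It is not the paper's simulator: the propagation rules, the ring-plus-chords topology, the release delay and the start nodes are all my own assumptions.

```python
"""Toy worm-vs-predator simulation (added example; rules are assumptions,
not the paper's model): a worm and a predator spread one hop per step on a
small connected graph, and we measure peak infection and predator overhead."""
import random

S, I, P, M = "S", "I", "P", "M"  # susceptible, infected, predator resident, immunized

def ring_with_chords(n, chords, seed=1):
    """A ring (keeps the graph connected) plus random chords, as the toy network."""
    rng = random.Random(seed)
    adj = {v: {(v - 1) % n, (v + 1) % n} for v in range(n)}
    for _ in range(chords):
        a, b = rng.sample(range(n), 2)
        adj[a].add(b)
        adj[b].add(a)
    return adj

def simulate(adj, model, worm_start=0, pred_start=None, delay=3):
    """Return (peak_infected, final_infected, predator_copies_sent).
    model: 'none'; 'original' (clean host, copy to all unprotected neighbours,
    then die, host re-infectable); 'persistent' (stay resident); 'immunizing'
    (patch host, then move on); 'seeking' (immunizing, but copy only to infected
    neighbours, waiting on a clean host until one appears)."""
    n = len(adj)
    pred_start = n // 2 if pred_start is None else pred_start
    state = {v: S for v in adj}
    state[worm_start] = I
    peak, sent = 1, 0
    for t in range(3 * n + delay):          # the new models settle well within this
        new = dict(state)
        for v in adj:                        # worm: each infected host hits all S neighbours
            if state[v] == I:
                for u in adj[v]:
                    if state[u] == S:
                        new[u] = I
        if model != "none" and t == delay:
            new[pred_start] = P              # release; arrival cleans the host
        for v in adj:
            if state[v] != P:
                continue
            wanted = (I,) if model == "seeking" else (S, I)
            targets = [u for u in adj[v] if state[u] in wanted]
            for u in targets:
                new[u] = P                   # predator arrival overrides a worm arrival
            sent += len(targets)             # overhead: one copy per target per step
            if model == "original":
                new[v] = S                   # predator exits, host left unpatched
            elif model in ("immunizing", "seeking") and targets:
                new[v] = M                   # patched: the worm can never come back
        state = new
        peak = max(peak, sum(1 for v in adj if state[v] == I))
    return peak, sum(1 for v in adj if state[v] == I), sent
```

Comparing `simulate(adj, m)` across the models on the same graph shows the trade the abstract mentions: the seeking variant sends far fewer copies than the immunizing one, at the cost of a later and higher infection peak.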
