Consider the following game between a worm and an alert1 over a network of n nodes. Initially, no nodes are infected or alerted and each node in the network is a special detector node independently with small but constant probability. The game starts with a single node becoming infected. In every round thereafter, every infected node sends out a constant number of worms to other nodes in the population, and every alerted node sends out a constant number of alerts. Nodes in the network change state according to the following four rules: 1) If a worm is received by a node that is not a detector and is not alerted, that node becomes infected; 2) If a worm is received by a node that is a detector, that node becomes alerted; 3) If an alert is received by a node that is not infected, that node becomes alerted; 4) If a worm or an alert is received by a node that is already infected or already alerted, then there is no change in the state of that node.
We make two assumptions about this game. First, that an infected node can send worm messages to any other node in the network but, in contrast, an alerted node can send alert messages only through a previously determined, constant degree overlay network. Second, we assume that the infected nodes are intelligent, coordinated and essentially omniscient. In other words, the infected nodes know everything except for which nodes are detectors and the alerted nodes' random coin flips i.e. they know the topology of the overlay network used by the alerts; which nodes are alerted and which are infected at any time; where alerts and worms are being sent; the overall strategy used by the alerted nodes; etc. The alerted nodes are assumed to know nothing about which other nodes are infected or alerted, where alerts or worms are being sent, or the strategy used by the infected nodes.
Is there a strategy for the alerted nodes that ensures only a vanishingly small fraction of the nodes become infected, no matter what strategy is used by the infected nodes? Surprisingly, the answer is yes. In particular, we prove that a simple strategy achieves this result with probability approaching 1 provided that the overlay network has good node expansion. Specifically, this result holds if d ≥ α and α/β)1-γ > 2d/c, where α and β represent the rate of the spread of the alert and worm respectively; γ is the probability that a node is a detector node; d is the degree of the overlay network; and c is the node expansion of the overlay network. Next, we give empirical results that suggest that our algorithms for the alert may be useful in current large-scale networks. Finally, we show that if the overlay network has poor expansion, in particular if (1-γ)β > d, then the worm will likely infect almost all of the non-detector nodes.
[1]
Martin E. Dyer,et al.
Sampling regular graphs and a peer-to-peer network
,
2005,
SODA '05.
[2]
Ayalvadi J. Ganesh,et al.
On the effectiveness of automatic patching
,
2005,
WORM '05.
[3]
Miguel Castro,et al.
Can we contain Internet worms
,
2004
.
[4]
Antony I. T. Rowstron,et al.
Pastry: Scalable, Decentralized Object Location, and Routing for Large-Scale Peer-to-Peer Systems
,
2001,
Middleware.
[5]
Hao Wang,et al.
Towards automatic generation of vulnerability-based signatures
,
2006,
2006 IEEE Symposium on Security and Privacy (S&P'06).
[6]
Miguel Castro,et al.
Vigilante: end-to-end containment of internet worms
,
2005,
SOSP '05.
[7]
Zhenkai Liang,et al.
Fast and automated generation of attack signatures: a basis for building self-protecting servers
,
2005,
CCS '05.
[8]
Steve Chien,et al.
A First Look at Peer-to-Peer Worms: Threats and Defenses
,
2005,
IPTPS.
[9]
Alan M. Frieze,et al.
Random graphs
,
2006,
SODA '06.
[10]
Stefan Savage,et al.
Inside the Slammer Worm
,
2003,
IEEE Secur. Priv..
[11]
Miguel Castro,et al.
Peer-to-Peer Systems IV, 4th International Workshop, IPTPS 2005, Ithaca, NY, USA, February 24-25, 2005, Revised Selected Papers
,
2005,
IPTPS.
[12]
Samuel T. King,et al.
Detecting past and present intrusions through vulnerability-specific predicates
,
2005,
SOSP '05.
[13]
R. Srikant,et al.
Peer to Peer Networks for Defense Against Internet Worms
,
2007,
IEEE Journal on Selected Areas in Communications.