
Slowing Down Internet Worms

I've taken a liking to solutions that attempt to slow down worms, rather than focusing on stopping them entirely. You'll never win, so why not try for something more tractable? This paper starts to bridge the epidemic models and the thoughts of slowing down worms.
An Internet worm automatically replicates itself to vulnerable systems and may infect hundreds of thousands of servers across the Internet. It is conceivable that the cyber-terrorists may use a wide-spread worm to cause major disruption to our Internet economy. While much recent research concentrates on propagation models, the defense against worms is largely an open problem. We propose a distributed anti-worm architecture (DAW) that automatically slows down or even halts the worm propagation. New defense techniques are developed based on behavioral difference between normal hosts and worm-infected hosts. Particularly, a worm-infected host has a much higher connection-failure rate when it scans the Internet with randomly selected addresses. This property allows DAW to set the worms apart from the normal hosts. We propose a temporal rate-limit algorithm and a spatial rate-limit algorithm, which makes the speed of worm propagation configurable by the parameters of the defense system. DAW is designed for an Internet service provider to provide the anti-worm service to its customers. The effectiveness of the new techniques is evaluated analytically and by simulations.
Source: Slowing Down Internet Worms, Shigang Chen and Yong Tang. This paper appeared at ICDCS 2004.
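
To make the abstract's core observation concrete, here is an added sketch (not code from the paper, and not DAW's actual algorithm) of a per-host token bucket that is charged only for failed connections, so a host whose connections mostly fail is throttled while a normal host is untouched. The rate, burst size, addresses and traffic are all assumptions constructed for the example.

```python
from collections import defaultdict

class FailureRateLimiter:
    """Per-source token bucket that is charged only for failed connections.

    Times are integer milliseconds and tokens are kept in thousandths so the
    arithmetic is exact. rate_per_s and burst are assumed values.
    """
    COST = 1000  # one failed connection costs one whole token

    def __init__(self, rate_per_s=1, burst=5):
        self.rate = rate_per_s            # milli-tokens regained per ms
        self.cap = burst * self.COST
        self.tokens = defaultdict(lambda: self.cap)
        self.last = {}

    def _refill(self, src, now_ms):
        elapsed = now_ms - self.last.get(src, now_ms)
        self.tokens[src] = min(self.cap, self.tokens[src] + elapsed * self.rate)
        self.last[src] = now_ms

    def allow(self, src, now_ms):
        """May src open a new connection at now_ms?"""
        self._refill(src, now_ms)
        return self.tokens[src] >= self.COST

    def record(self, src, now_ms, succeeded):
        """Report a connection outcome; successes are free."""
        self._refill(src, now_ms)
        if not succeeded:
            self.tokens[src] = max(0, self.tokens[src] - self.COST)

def replay(events, limiter):
    """Return {src: [allowed, blocked]} for (time_ms, src, would_succeed)."""
    counts = defaultdict(lambda: [0, 0])
    for now_ms, src, would_succeed in sorted(events):
        if limiter.allow(src, now_ms):
            counts[src][0] += 1
            limiter.record(src, now_ms, would_succeed)
        else:
            counts[src][1] += 1
    return dict(counts)

# Constructed sample traffic over 10 s (addresses are made up).
NORMAL, SCANNER = "10.0.0.5", "10.0.0.9"
EVENTS = [(i * 500, NORMAL, i % 10 != 9) for i in range(20)]  # 2 failures in 20
EVENTS += [(i * 50, SCANNER, False) for i in range(200)]      # every probe fails

if __name__ == "__main__":
    for src, (ok, blocked) in replay(EVENTS, FailureRateLimiter()).items():
        print(f"{src}: allowed={ok} blocked={blocked}")
```

Because only failures cost tokens, the scanning host's outbound rate is bounded by the refill rate no matter how fast it tries to connect, which is the sense in which propagation speed becomes a configurable parameter.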

March 19, 2005 in papers | Permalink