TY - GEN
T1 - Comparing passive and active worm defenses
AU - Liljenstam, Michael
AU - Nicol, David M.
PY - 2004
Y1 - 2004
N2 - Recent large-scale and rapidly evolving worm epidemics have led to interest in automated defensive measures against self-propagating network worms. We present models of network worm propagation and defenses that permit us to compare the effectiveness of "passive" measures, attempting to block or slow down a worm, with "active" measures, that attempt to proactively patch hosts or remove infections. We extend relatively simple deterministic epidemic models to include connectivity of the underlying infrastructure, thus permitting us to model quarantining defenses deployed either in customer networks or towards the core of the Internet. We compare defensive strategies in terms of their effectiveness in preventing worm infections and find that with sufficient deployment, content based quarantining defenses are more effective than the counter-worms we consider. For less ideal deployment or blocking based on addresses, a counter-worm can be more effective if released quickly and aggressively enough. However, active measures (such as counter-worms) also have other technical issues, including causing additional network traffic and increased risk of failures, that need to be considered.
AB - Recent large-scale and rapidly evolving worm epidemics have led to interest in automated defensive measures against self-propagating network worms. We present models of network worm propagation and defenses that permit us to compare the effectiveness of "passive" measures, attempting to block or slow down a worm, with "active" measures, that attempt to proactively patch hosts or remove infections. We extend relatively simple deterministic epidemic models to include connectivity of the underlying infrastructure, thus permitting us to model quarantining defenses deployed either in customer networks or towards the core of the Internet. We compare defensive strategies in terms of their effectiveness in preventing worm infections and find that with sufficient deployment, content based quarantining defenses are more effective than the counter-worms we consider. For less ideal deployment or blocking based on addresses, a counter-worm can be more effective if released quickly and aggressively enough. However, active measures (such as counter-worms) also have other technical issues, including causing additional network traffic and increased risk of failures, that need to be considered.
UR - http://www.scopus.com/inward/record.url?scp=16344391431&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=16344391431&partnerID=8YFLogxK
U2 - 10.1109/QEST.2004.1348012
DO - 10.1109/QEST.2004.1348012
M3 - Conference contribution
AN - SCOPUS:16344391431
SN - 0769521851
SN - 9780769521855
T3 - Proceedings - First International Conference on the Quantitative Evaluation of Systems, QEST 2004
SP - 18
EP - 27
BT - Proceedings - First International Conference on the Quantitative Evaluation of Systems, QEST 2004
T2 - Proceedings - First International Conference on the Quantitative Evaluation of Systems, QEST 2004
Y2 - 27 September 2004 through 30 September 2004
ER -