Modeling and analysis of worm defense using stochastic activity networks

David M. Nicol, Steve Hanna, Frank Stratton, William H. Sanders

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Stochastic activity networks (SANs) are a widely used formalism for describing complex systems that have random behavior. Sophisticated software tools exist for the modeling and analysis of systems described within a SAN framework. This paper presents a SAN model of a local area network's defense against Internet worm propagation, measuring the effectiveness of a defensive strategy based on removing hosts from the local network once an infection is detected. We consider the problem of deciding whether to allocate resources to remove an infected host (and thereby reduce the threat), or remove a susceptible but as-yet uninfected host, to directly save it from attack. Considering a parameterized range of policies that makes this decision based on the number of infections in the local network, we find marked preference for always removing one type of host when possible, over the other, regardless of the infection state. We furthermore see that whether preference should be given to infected hosts or susceptible hosts depends on the relative speeds at which they are removed. Finally, we see that a worm attack can be effectively countered provided that the aggregate rate at which hosts can be removed is on the order of the aggregate infection rate at the time the defense is engaged. Our effort demonstrates the utility of using sophisticated modeling tools to study worm defense, and policy decisions surrounding it.

Original language: English (US)
Title of host publication: Business and Industry Symposium, BIS 2007 - Proceedings of the 2007 Spring Simulation Multiconference, SpringSim 2007
Publisher: Association for Computing Machinery, Inc
Pages: 349-355
Number of pages: 7
ISBN (Electronic): 1565553144, 9781565553149
State: Published - Mar 25 2007
Event: 2007 Business and Industry Symposium, BIS 2007 - Norfolk, United States
Duration: Mar 25 2007 to Mar 29 2007

Publication series

Name: Business and Industry Symposium, BIS 2007 - Proceedings of the 2007 Spring Simulation Multiconference, SpringSim 2007

Other

Other: 2007 Business and Industry Symposium, BIS 2007
Country: United States
City: Norfolk
Period: 3/25/07 to 3/29/07

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
  • Computational Theory and Mathematics
  • Modeling and Simulation
