TY - GEN
T1 - Modeling and analysis of worm defense using stochastic activity networks
AU - Nicol, David M.
AU - Hanna, Steve
AU - Stratton, Frank
AU - Sanders, William H.
PY - 2007/3/25
Y1 - 2007/3/25
N2 - Stochastic activity networks (SANs) are a widely used formalism for describing complex systems that have random behavior. Sophisticated software tools exist for the modeling and analysis of systems described within a SAN framework. This paper presents a SAN model of a local area network's defense against Internet worm propagation, measuring the effectiveness of a defensive strategy based on removing hosts from the local network once an infection is detected. We consider the problem of deciding whether to allocate resources to remove an infected host (and thereby reduce the threat), or to remove a susceptible but as-yet uninfected host, to directly save it from attack. Considering a parameterized range of policies that make this decision based on the number of infections in the local network, we find a marked preference for always removing one type of host when possible, over the other, regardless of the infection state. We furthermore see that whether preference should be given to infected hosts or susceptible hosts depends on the relative speeds at which they are removed. Finally, we see that a worm attack can be effectively countered provided that the aggregate rate at which hosts can be removed is on the order of the aggregate infection rate at the time the defense is engaged. Our effort demonstrates the utility of using sophisticated modeling tools to study worm defense, and the policy decisions surrounding it.
UR - http://www.scopus.com/inward/record.url?scp=84874712643&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84874712643&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84874712643
T3 - Business and Industry Symposium, BIS 2007 - Proceedings of the 2007 Spring Simulation Multiconference, SpringSim 2007
SP - 349
EP - 355
BT - Business and Industry Symposium, BIS 2007 - Proceedings of the 2007 Spring Simulation Multiconference, SpringSim 2007
PB - Association for Computing Machinery
T2 - 2007 Business and Industry Symposium, BIS 2007
Y2 - 25 March 2007 through 29 March 2007
ER -