Models of Internet Worm Defense

Tuesday, January 13, 2004 - 1:30pm - 2:20pm
Keller 3-180
David Nicol (University of Illinois at Urbana-Champaign)
Internet worms propagate by scanning IP address space, looking for vulnerable hosts. On finding a susceptible host, the worm infects it, essentially replicating itself, and the newly infected host begins scanning, itself. Epidemic models have been used to describe worm propagation, and have the attraction of capturing at a gross scale the pattern of worm spread. We are interested both in modeling worm propagation, and the effect of worm defenses on that propagation. We consider models of both passive and active defenses (e.g. counter-worms), with an eye towards comparing their effectiveness with respect towards both the number of hosts ultimately infected, and the overall impact on the network of scan behavior. We consider models where the worm is slow enough so that network topology does not matter, and models that explicitly account for topology, bandwidth constraints, and failures of the infrastructure.