Models of Internet Worm Defense

Content Filtering
We consider two schemes analyzed by Moore et al. in “Requirements for Containing Self-Propagating Code.”

Content filtering—The idea is that worm packets look a lot alike. One can find signatures based on hashes of packet content to recognize them. I’m told that actual commercial products exist that do this.

Our model: after a delay T0, worm scans are recognized by packet content. Filters at local network boundaries protect those networks. A fraction fopen of hosts still have an “open path” to attack.

Phase I – the worm spreads before detection.
Phase II – the susceptible population drops from s(T0) to (1 – fopen) × s(T0); dynamics otherwise are the same.
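
The two-phase content-filtering model above, as an added numerical sketch that is not part of the original slides. It assumes the spreading dynamics are the simple epidemic model ds/dt = -beta*s*i (the page does not state them); beta, i0, the delays and the Phase II factor are constructed values.

```python
def simulate(beta, i0, t0, s_factor, t_end, dt=0.01):
    """Euler-integrate the two-phase content-filtering model.

    s and i are the susceptible and infected fractions of the vulnerable
    population. Assumed dynamics (not stated on the page):
        ds/dt = -beta * s * i,   di/dt = +beta * s * i
    s_factor multiplies s(T0) when filtering starts; the page gives this
    factor as (1 - f_open).
    Returns (infected fraction at T0, infected fraction at t_end).
    """
    s, i = 1.0 - i0, i0
    i_at_t0 = None
    steps = int(round(t_end / dt))
    switch = int(round(t0 / dt))
    for k in range(steps):
        if k == switch:
            # End of Phase I: signatures are deployed after delay T0.
            i_at_t0 = i
            # Phase II: hosts behind filters leave the susceptible pool.
            s *= s_factor
        new_infections = beta * s * i * dt
        s -= new_infections
        i += new_infections
    return i_at_t0, i


def sweep(delays, beta=0.8, i0=1e-4, s_factor=0.1, t_end=400.0):
    """Map each detection delay T0 to (infected at T0, final infected)."""
    return {t0: simulate(beta, i0, t0, s_factor, t_end) for t0 in delays}


if __name__ == "__main__":
    # Constructed delays, in the same time unit as 1/beta.
    for t0, (at_t0, final) in sweep([2, 6, 10, 14]).items():
        print(f"T0={t0:>2}  infected at T0={at_t0:.4f}  final infected={final:.4f}")
```

Because nothing recovers in this model, the final infected fraction settles at i(T0) + s_factor × s(T0), so the outcome is fixed by how far Phase I got before the filters came up.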

Address Blacklisting
Address Blacklisting—likely infected hosts are added to blacklists. A fraction fopen of hosts remain unprotected.

Our model:
Detection delay T0 of infected host; detection framework started at time D0.
Phase I—original spreading dynamics.
Phase II—At time D0 + T0 blacklisting takes effect. Split the population into that which is covered by blacklisting (sp) and that which is unprotected (su). At time D0 + T0:
