Sub-connection Based Isolation Against Network Virus

Lansheng Han*, Ming Liu, Qiwen Liu, Mengsong Zou

Laboratory for Information Security, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
hanlansheng@hotmail.com, hanlansheng@mail.hust.edu.cn
doi: 10.4156/jdcta.vol3.issue1.han

International Journal of Digital Content Technology and its Applications, Volume 3, Number 1, March 2009

Abstract

Taking advantage of the connectivity of the network, computer viruses bring more harm to users. However, few researches focus on network isolation against viruses. Most existing isolation tools, which try to isolate faults and protect a specific sub-network, are not suited to preventing web-spreading network viruses. By dividing the network connection into sub-connections, the paper presents sub-connection based isolation against network viruses. The sub-isolation is defined as a set of binary relations from the infected area to the susceptible area of the virus. New formulas are also proposed to measure the blockage of the isolation on the network. Finally three groups of more than 50 simulation tests are carried out. The test results verify the validity of the sub-connection based isolation and prove that it causes fewer blockages on the network flow than the existing isolation ways. Thus the paper opens a new path to prevent network viruses.

Keywords

Network Virus, Network Isolation, Measurement of the Isolation, Network Security, Communication Network

1 Introduction

1.1 Cope with virus

The rapid development of the network brings more convenience for people's communication. At the same time, it brings a large number of computer viruses spreading everywhere. As those viruses have special techniques utilizing the network, the paper names them network viruses. Further, the network viruses bring more damage as the network expands [1]. However, compared to these network viruses, people do not make full use of the connectivity and synergy of the network in fighting against them [2, 3]. The most famous antivirus tools, such as Norman Malware Cleaner from Norman in Europe, Norton from Symantec in America, Kaspersky from Kaspersky Lab in Russia, Duba from Kingsoft and KVx from Jiangmin in China [4, 5, 6, 7], are still focusing on virus-characteristic cleaning methods on a single computer. So the current prevention of the virus is still passive and separated. Those passive, separated antivirus methods cannot cope with the flood of network viruses. Therefore people should make use of the connectivity and collaboration advantages of the network, which is also necessary in preventing network viruses in the future. Recently, many researchers have proposed ways to isolate the computers with sensitive information from outside attackers or unauthorized users.

1.2 Concepts and current techniques of the isolation

Taking quarantine measures to cut off the spread of the virus is a basic method in the biosphere. A more systematic isolation theory was proposed in early years by M. Bellmore in 1969 [8], who puts forward an isolation as a set of edges that cut off the physical conjunction between nodes, which is now called physical isolation. And in 1975, N.J.T. Bailey defined the biological isolation as a set of tuples which

can spread the biological viruses [9]. As the conjunction at that time was simple, the physical isolation was intuitively feasible. However the theory did not foresee that nowadays the Internet contains so many dynamic, logical and abstract connections. Recently, network isolation has attracted much attention. Kwo-Jean Farn makes a comprehensive study on the requirements of network isolation for information security [10]. Farn, K.-J. takes the first step in the definition of segregation of security objects [11]. Wenyuan Kuang presents a new one-way method for isolating file access [12]. Yeu-Pong Lai provides implementation guidance for network isolation with some logical isolation techniques and management policies [13]. Zhi Yu, Ramani Subramanian, and Surjit Ahluwalia of Intel even discuss the manufacturing methodology for network isolation [14].

Based on those researches, there are some isolation techniques. For the fault detection and isolation of a specific network, in recent years there have come logical isolation techniques which use software to realize the isolation and assure the transmission of the non-isolated nodes in the network [15, 16, 17]. There are also some other studies proposing hybrid isolation of physical and logical methods with the purpose of protecting certain nodes in a sub-network from unauthorized access and attacks from the Internet [18, 19, 20]. Table 1 lists the main techniques in network isolation. Due to the different social environment, the government of China raises higher security requirements for the communication network, so there are even more researches on network isolation in China in recent years [21-30].

Table 1. Main techniques on the network isolation

Technique | Patent
Programmable disrupt of multicast packets for secure networks | USA Patent 5539373
Hub-embedded system for automated network fault detection and isolation | USA Patent 6079034
Data processing system and method including a network access connector for limiting access to the network | USA Patent 6754826
Interface device with network isolation | USA Patent 7016358
Network abstraction and isolation layer for masquerading machine identity of a computer | USA Patent 20050108407
The secure isolation gap | China Patent CN2588677
The network security control device based on monitoring data exchange for the physical isolation | China Patent CN1421794
The physical isolation switches: introduction and practice | China Patent CN1464403

1.3 Dilemma of the current isolation against network virus

1.3.1 Summary of the current research on the isolation

Summing up all those isolation researches and techniques, either logical or physical isolation, they focus on access control of the protected sub-network, which is effective when the isolated IP address is fixed. To some extent the paper names them IPBI (IP-based isolation). By the different scope of this isolation they can be sorted into two categories. One is called EIPBI (exclusive IP-based isolation), whose main idea is that except for some specified nodes configured as safe, all other nodes are considered unsafe and are excluded from accessing the sub-network. Some systems with higher security requirements or the internal network of a unit use this isolation. The other is called SIPBI (selective IP-based isolation), whose main idea is that all the other nodes are considered safe and only some unsafe nodes are isolated, denying their access to the sub-net. SIPBI is often used in some systems with not too high
security requirements or some public web-sites of certain businesses. Obviously the blockage on network traffic caused by SIPBI is reduced, but the security is lower than EIPBI. It should be pointed out that the isolation measures of both SIPBI and EIPBI cut off connections completely between isolated nodes, and do not permit any transmitted data to get through.

1.3.2 Dilemma of the current isolation and the main idea of sub-connection based isolation

Network viruses are different from those threats coming from relatively fixed IP nodes or directed at relatively fixed IP nodes. Most network viruses neither spread from fixed IP nodes nor are directed at specific IP nodes. A trusted IP node might also be the spreading medium of the network virus. Secondly, nowadays the Internet is a vast and complex network system, on which run a variety of network application platforms, which are also called services. That is to say one end-to-end connection may contain many sub-connections of different platforms above the IP layer, shown in Figure 1. Most network viruses spread by only one or two sub-connection(s). If the sub-connection by which the virus spreads is cut off, the virus cannot spread, while the other sub-connections can still transmit data. That will be more suitable for isolating network viruses, and is called SBI (Sub-connection Based Isolation), proposed in this article. Obviously SBI will bring fewer blockages on the network traffic.

Figure 1: The connection and its sub-connection

2 Symbols of Some Concepts

Based on the above discussion, and also for convenience in describing the concepts and algorithm below, the paper presents some symbol definitions:

(1) $N$ denotes the researched network; $v_i \in N$ ($i = 1, 2, \dots$) is a node in the network and denotes a certain computer system;

(2) $(v_i, v_j)$ is a tuple and presents a connection from node $v_i$ to node $v_j$ in the network, which also tallies with the direction of data transmission;

(3) $C^t = \{c_{ij} = (v_i, v_j) \mid v_i, v_j \in N\}$ is the set of connections of the network $N$ at time $t$; $v_i C^t$ is the set of nodes receiving a connection from node $v_i$ at time $t$; $C^t v_i$ is the set of nodes sending a connection to $v_i$ in the network at time $t$;

(4) $b_i$ is a certain virus; $T(b_i)$ denotes the
network platform by which $b_i$ spreads. $T(b_i)$ also denotes the sub-connection meeting the spreading of $b_i$;

(5) $C^t[T(b_i)]$ is the set of sub-connections which meet the virus spreading in the network at time $t$. Obviously $C^t[T(b_i)] \subseteq C^t$. For example, assume there are 4 sub-connections in the network at time $t$: $T_1 = \mathrm{msn}$, $T_2 = \mathrm{QQ}$ (QQ, like msn, is an online instant chatting platform service used by more than half of the network users in China), $T_3 = \mathrm{http}$, $T_4 = \mathrm{ftp}$; then $C^t = \sum_{i=1}^{4} [T_i]$.

3 Isolation Algorithm

The purpose of SBI is to prevent uninfected nodes from being infected by the infected nodes, in other words, to prevent the virus from spreading in the network. Therefore it is necessary to determine the set of infected nodes and the set of susceptible nodes, and then construct the isolating wall between them.

3.1 Identification of the infected area

Definition 1 The infected area, with respect to a specific virus, is the collection of all nodes infected by the virus $b_i$ and is denoted by $Y$.

Here, two ways are proposed to determine the infected area. If the characteristic of the virus can be extracted in time, then check all the nodes in the network and we will get the $Y$ of $b_i$. However, if the characteristic of the virus can't be extracted in time, which is the common situation in the early stage of the virus bursting, we take the second way: tracing and pursuing the virus.

Generally speaking, when a node $v_i$ is found to be infected by $b_i$ in the network, $v_i$ is neither the first nor the last one to be infected in the network; it is only one node in the virus infection chain. If we take $v_i$ as the breakthrough point to find the node from which the virus spread to $v_i$, and the nodes to which $v_i$ spread the virus, the former is called Source Tracing of the virus and the latter is called Pursuing of the virus; then the whole spreading path of $b_i$ is uncovered in the network, and further the infected area is identified.

3.1.1 Pursuing of the virus

From the above description, a virus' transmission from one node to another node corresponds to a tuple, and successive transmission corresponds to a compound tuple. The definition is given below.

Definition 2 Suppose in two successive periods the connection sets of a network are $C^1, C^2$; then $C^1 C^2 = \{(v_i, v_j) \mid \exists v_k,\ (v_i, v_k) \in C^1,\ (v_k, v_j) \in C^2\}$ is called the compound operation of $C^1, C^2$. Based on the definition we can get the conclusion below:

Theorem 1 Suppose in continuous periods the sets of connections of the network are $C^1, C^2, \dots, C^n$; then the virus spreads from $v_i$ to $v_j$ if and only if there
are nodes $v_{i1}, v_{i2}, \dots, v_{i,n-1}$ such that $(v_i, v_{i1}) \in C^1$, $(v_{i1}, v_{i2}) \in C^2$, $\dots$, $(v_{i,n-1}, v_j) \in C^n$ (proof omitted).

With the theorem above, when a node $v_i$ is found to be infected by $b_i$ at $t_0$, then collect the connection information $C^i$ ($i > t_0$, $i \in N$) of the network and select the sub-connections that meet the virus' spreading, $C^i[T(b_i)]$; then the compound operation is successively imposed on $C^1[T(b_i)], C^2[T(b_i)], \dots, C^n[T(b_i)]$, and the set of all infected nodes can be obtained as $v_i C^1[T(b_i)] \cdot C^2[T(b_i)] \cdots C^n[T(b_i)]$.

3.1.2 Source tracing of virus

Assume node $v_i$ was infected by virus $b_i$ at time $t_0$. First get the set $C v_i$, determine the sub-connection of the virus $T(b_i)$, and then get the set $C[T(b_i)] v_i$ from $C v_i$. If the set is not null, then detect each node in the set which is a spreading source of the virus to $v_i$, and then the source tracing method can be utilized upon the sources of node $v_i$, until the root of the virus in the sub-network is reached. By the above two steps the infected area $Y$ of $b_i$ can be determined.

3.2 Determination of the susceptible areas

The susceptible area, denoted as $S$, is the set of nodes suspected to be infected by infected nodes, which is the object of the protection. The isolation is symmetric, that is, isolating the infected nodes will protect the uninfected nodes, which has the same consequence as isolating the uninfected nodes from being infected. With respect to the concrete realization of EIPBI and SIPBI, and also to compare SBI with both, the paper presents three definitions for the susceptible areas $S_i$:

Definition 3 $S_1 = N - Y - C$, where $N$ denotes the set of all the nodes in a network; $Y$ denotes the set of infected nodes; $C$ is the set of a few nodes that are considered absolutely safe and important for the network. By the definition, nodes outside the infected area are all regarded as susceptible nodes except for $C$. As $C$ is very small compared with $Y$ and $S_1$, $S_1 \approx N - Y$. The EIPBI strategy is similar to $S_1$.

Obviously, definition 3 of the susceptible area enlarges the isolation scope in the network. For example, node $v_i \in N - Y$, but $\forall v_j \notin C v_i$, $v_j \in Y$; however by EIPBI the communications between node $v_i$ and all the infected nodes in the sub-net are completely cut off. To keep so many uninfected nodes isolated from the infected area will take up many resources of the network and thus block the flow of the network very much. In order to reduce the blockage upon the flow of the network, we present definition 4.

Definition 4 The susceptible area is set as $S_2 = \{v_j \mid (v_i, v_j) \in C,\ v_i \in Y,\ v_j \notin Y\}$, that is, the uninfected nodes having a connection to the infected nodes are defined as the susceptible nodes.
Clearly $S_2$ is much smaller than $S_1$; the isolation scope of SIPBI is similar to $S_2$. As discussed above, a virus spreads by only one or two sub-connections, even if $(v_i, v_j) \in C$, $v_i \in Y$, $v_j \notin Y$. But all the connections in $C^t - C^t[T(b_i)]$ cannot spread the virus, so this kind of isolation enlarges the isolation scope too. The article proposes definition 5, Sub-connection Based Isolation:

Definition 5 The susceptible area is set as $S_3 = \{v_j \mid (v_i, v_j) \in C[T(b_i)],\ v_i \in Y,\ v_j \notin Y\}$, that is, the uninfected nodes having a connection to infected nodes where the sub-connection meets the spreading of the virus are the susceptible nodes.

Obviously $S_3 \subseteq S_2 \subseteq S_1$; definition 5 has the smallest isolation scope and would hold up the flow of the network most lightly of the three.

Definition 5 of the paper has an actual background. In 2003, our group began the research on network viruses. When our first epidemic model was constructed [31], we noticed that the logical topology of the network affects the spreading of the virus, and the logical topology has a close relation to the social network of users. After several years of study on the virus and the network, we find the logical topology of the sub-network is relatively stable with respect to the spreading speed of most net viruses. For example, most net viruses can spread throughout the ordinary logical sub-net in 3 days and throughout the open Internet in 12 days. In China, the connection of this logical sub-net is more stable and has the following properties. (i) The connection objects of the user are stable, which indicates that the degree of the user is stable. (ii) The logical sub-net formed by the special network application has a homogeneous structure with its users' social structure, and the structure is relatively stable. (iii) The connection duration of the sub-net is also stable. For space limits, we only list the general case in the following table.

Table 2. Topology of the sub logical network of Chinese users and their social relations

Occupation | Network platform | Degree | Edges | Nodes
Middle school student | Email net, QQ net | 3-12 | 36 | 12
University student | Email net, QQ net | 3-15 | 124 | 23
Teacher | Email net, QQ net, office net | 5-15 | 500 | 45
Ordinary staff in company | Email net, QQ net, internal office net | 5-12 | 12000 | 450
Manager | Email net, QQ net, internal office net | 8-21 | 20000 | 5000
Housewife | Email net, QQ net, website | 3-5 | 23 | 4

With the above definition, the paper can present the isolation more accurately.

3.3 Establishment of Isolation Wall

3.3.1 Define the isolation wall

Definition 6 The isolation wall ($IW$) is a set of connections between $Y$ (infected area) and $S$ (susceptible area). According to this definition, the isolation walls of EIPBI and SIPBI discussed above respectively are:
$IW\_EIPBI = \{(v_i, v_j) \mid v_i \in Y,\ v_j \in S_1\}$,

$IW\_SIPBI = \{(v_i, v_j) \mid v_i \in Y,\ v_j \in S_2\}$,

and the isolation wall of SBI in this paper is

$IW\_SBI = \{(v_i, v_j) \in C[T(b_i)] \mid v_i \in Y,\ v_j \in S_3\}$,

shown in Figure 2. As $S_3 \subseteq S_2 \subseteq S_1$, SBI blocks the network traffic less than the other two; the proof is given below.

Figure 2: Sub-connection based isolation

The isolation wall of SBI is not only a subset of the current connections $C$ but also a subset of $C[T(b_i)]$, that is $SBI \subseteq C[T(b_i)] \subseteq C$. We use $T(SBI)$ to denote the network platform isolated by SBI; clearly $T(SBI) = T(b_i)$.

Theorem 2 $IW\_SBI$ is the smallest of the three.

Proof (by contradiction): Assume that $IW\_SBI$ is not the smallest; then $\exists (v_i, v_j) \in IW\_SBI$ for which, according to def. 6, $v_i \in Y$, $v_j \in S_3$, but $(v_i, v_j) \notin C[T(b_i)]$. It means that either $(v_i, v_j) \notin C$, that is $v_i$ did not connect to $v_j$, or $(v_i, v_j) \in C$ but $(v_i, v_j) \notin C[T(b_i)]$, which implies that although $v_i$ connects to $v_j$ the connection does not spread the virus; so $(v_i, v_j) \notin IW\_SBI$, which contradicts the assumption. Therefore $IW\_SBI$ is the smallest.

As is known, the smaller the scale of the isolation wall is, the smaller the blockage caused by the isolation wall. A new problem is whether $IW\_SBI$ is effective. Does $IW\_SBI$ have any leakage? We have the conclusions below.

Theorem 3 $IW\_SBI$ is complete. Proof (by contradiction): if $IW\_SBI$ is incomplete, then $(v_i, v_j) \in C[T(b_i)]$ but $(v_i, v_j) \notin SBI$, that is to say there is a sub-connection that meets the virus but this sub-connection is not on the isolation wall. Then only the result below can be deduced: $v_i, v_j \in Y$ or $v_i, v_j \notin Y$. The former means $v_i, v_j$ are both infected nodes, so the connection cannot cause a new infection; the latter means $v_i, v_j$ are both uninfected nodes, and of course the connection between them cannot cause a new infection; so $(v_i, v_j) \notin IW\_SBI$.

3.3.2 Isolation methods

When the infected area and the susceptible area are identified, there are three ways to realize the isolation with respect to the isolation location in the network.

The first way is to realize the isolation on the receiver nodes, called Receiver End Isolation. For example, $(v_i, v_j) \in IW\_SBI$, $v_i \in S_3$, the virus spreading
sub-connection is $T(b_i)$; then deny the connection from $v_j$. Obviously, Receiver End Isolation emphasizes the safety of the receiver. It is very suitable for ordinary individual users.

The second way is to realize the isolation on the sending node, called Sender End Isolation. For example, $v_i \in Y$, the virus spreading sub-connection is $T(b_i)$; then do not permit $v_i$ to connect to $v_j$ if $(v_i, v_j) \in IW\_SBI$. Obviously, Sender End Isolation emphasizes the responsibility of the sending nodes. It is very suitable for some public web sites.

The last way is to realize the isolation on the midway of the spreading path, such as a gateway, hub etc., called Midway Isolation. That is to cut off the sub-connection between nodes which satisfies $(v_i, v_j) \in IW\_SBI$. Midway isolation emphasizes the public safety of the whole network. It is the job of the network managers. In our simulation test, we find the first way is the most effective one and more convenient. The second way is also effective but costs the sending node more time. The last way is also effective but blocks the network flow seriously.

As discussed above, there are all kinds of viruses, each depending on a special network application. So the isolation technique is different for different kinds of viruses. It should consider both the protocol of the special application and the convenience of inserting the isolating module. For example, if the virus' spreading sub-connection is $T(b_i) = \mathrm{QQ}$, only adding the forbidden numbers of the infected nodes can realize the isolation. If $T(b_i) = \mathrm{Email}$, only add the names of the infected nodes to the mail black list of the nodes in $S_3$. It is more difficult to realize Midway Isolation. Because the midway has no application layer interface, it should detect every data packet, which will cost much controlling time of the network and block the flow of the network heavily. But with management responsibility considered, midway isolation is necessary for some cases.

4 Measurement of Isolation's Blockage on Network Flow

The blockage of the isolation wall on the flow of the network is a very important indicator to measure the quality of the isolation wall, but a network connection is a dynamic process, and the weights of connections between nodes are not the same; for example, for $c_{ij}, c_{kt} \in C$, the transmission data of $c_{ij}$ might be more important than that of $c_{kt}$. So it is rather difficult to weight the wall by an accurate standard. While it doesn't mean that there is no method to assess the blockage of network isolation: here we can use representative statistical data in a certain period to assess the blockage of the isolation. Therefore, a triplet $c_{ij} = (v_i, v_j, w_{ij})$ can be used to represent a connection in a network, where $w_{ij}$ is the weight of the connection. Suppose the connection set of a certain period is $C = \{(v_i, v_j, w_{ij}) \mid v_i, v_j \in N\}$, $\sum_{i,j} w_{ij} = 1$. Known from the discussion above, even if $(v_i, v_j) \in IW\_SBI$, it doesn't mean that $(v_i, v_j)$ is completely isolated; only the sub-connection which meets the virus spreading is cut off. Assume that $c_{ij}$ includes $k$ connections: $c_{ij} = \sum_{n=1}^{k} [T_n, w_{ij}(T_n)]$,
where $T_n$ represents a sub-connection in $c_{ij}$ and $w_{ij}(T_n)$ denotes its weight in $c_{ij}$; then the ratio of the connection $v_i C[T(b_i)] v_j$ to the total network is $w_{ij}(T_n) \times w_{ij}$. Therefore the percentage of $IW\_SBI$ in the whole network is

$IW\_SBI\% = \sum_{(v_i, v_j)} \left( w_{ij}(T_n) \times w_{ij} \right)$.

For example: $IW = \{(v_i, v_j, w_{ij}), (v_s, v_t, w_{st}), (v_i, v_m, w_{im}), (v_n, v_k, w_{nk})\}$, where $w_{ij} = 0.001$, $w_{st} = 0.002$, $w_{im} = 0.015$, $w_{nk} = 0.013$. Suppose the sub-connection used by the virus is $T(b_i) = \mathrm{Email}$, and the corresponding proportions of the Email connections in the four connections respectively are $w_{ij}(\mathrm{Email}) = 21\%$, $w_{st}(\mathrm{Email}) = 24\%$, $w_{im}(\mathrm{Email}) = 30\%$, $w_{nk}(\mathrm{Email}) = 18\%$; then the blockage on the network flow by $IW\_SBI$ would be

$IW\_SBI\% = 21\% \times 0.001 + 24\% \times 0.002 + 30\% \times 0.015 + 18\% \times 0.013 = 0.54\%$.

From the discussion above we know that $S_1$ of EIPBI includes $S_2$ of SIPBI and $S_3$ of SBI, that is to say

$|IW\_EIPBI| \geq |IW\_SIPBI| \geq |IW\_SBI|$,

where $|*|$ denotes the cardinality of $*$. Even though $|SIPBI| = |SBI|$, the isolation objects of SBI are just sub-connections of SIPBI. For the same example as above:

$IW\_SIPBI\% = w_{ij} + w_{st} + w_{im} + w_{nk}$, while

$IW\_SBI\% = w_{ij} \times w_{ij}(T_{Email}) + w_{st} \times w_{st}(T_{Email}) + w_{im} \times w_{im}(T_{Email}) + w_{nk} \times w_{nk}(T_{Email})$.

It is obvious that IW_SBI causes less blockage on the network than IW_SIPBI. The simulation test will prove it.

5 Simulation Test

The simulation test selects 300 nodes forming a network. To facilitate and assure the control of the experiment, and reduce the dependence of the experiment on the outside of the simulating network, three nodes are selected to play the roles of Email Server, FTP Server and QQ Server, and sometimes also take the role of transit node. Besides the three kinds of connection, there are some other kinds of connection, but no more than 30 percent. At any time during the test, the number of all the connections in the network is kept around 1000. The length of the connecting time is set as the weight of each connection, which can be directly obtained from the connecting log of every computer, thus reducing the subjective estimation error by users. The data structure of the connection information used in the test is set as a sequence of four elements (IP1; IP2; Type; Time), where IP1 is the connecting node, IP2 is the connected node, Type is the sub-connection, and Time is the duration of connecting. The isolation module is programmed with Sniffer C++. The simulation tests are carried out in three terms:

5.1 Test on validity of isolation
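Before the test results, the definitions of Sections 3 and 4 carried through in code, as an added example that is not part of the paper. Node names v1 to v9, the platform strings and the three period logs in the (IP1, IP2, Type, Time) layout of the tests are constructed; pursue() is slightly more general than Theorem 1's one-hop-per-period chain in that a node once infected keeps spreading in later periods.

```python
"""Added worked example for Sections 3 and 4 of the paper (not the authors' code).
Connection records follow the layout of the paper's tests, (IP1, IP2, Type, Time):
sender, receiver, sub-connection platform, duration; the duration is the weight w_ij.
All node names and logs below are constructed for illustration."""
from collections import defaultdict

# Constructed log of period 1: (IP1, IP2, Type, Time).
PERIOD_1 = [
    ("v1", "v2", "email", 30), ("v1", "v2", "qq", 70), ("v1", "v3", "ftp", 50),
    ("v2", "v4", "email", 20), ("v2", "v5", "http", 80),
    ("v3", "v6", "email", 40), ("v3", "v6", "qq", 10),
    ("v4", "v7", "email", 60), ("v7", "v8", "qq", 90), ("v8", "v1", "http", 50),
]
# Constructed logs of periods 2 and 3, used only for pursuing the virus.
PERIOD_2 = [
    ("v2", "v9", "email", 25), ("v4", "v7", "email", 15),
    ("v3", "v6", "email", 35), ("v7", "v8", "email", 20), ("v5", "v2", "qq", 60),
]
PERIOD_3 = [("v2", "v4", "email", 10), ("v9", "v3", "qq", 5)]


def nodes_of(conns):
    """N: every node appearing in the log."""
    return {s for s, _, _, _ in conns} | {d for _, d, _, _ in conns}


def sub_connections(conns, platform):
    """C[T(b)] (symbol (5), Section 2): tuples (vi, vj) carried by the
    sub-connection platform T(b) that virus b spreads by."""
    return {(s, d) for s, d, t, _ in conns if t == platform}


def compound(c1, c2):
    """Definition 2: C1 C2 = {(vi, vj) | exists vk: (vi, vk) in C1, (vk, vj) in C2}."""
    by_src = defaultdict(set)
    for k, j in c2:
        by_src[k].add(j)
    return {(i, j) for i, k in c1 for j in by_src[k]}


def pursue(v0, periods, platform):
    """Section 3.1.1: grow the infected area forward from v0, one hop per period
    over C^k[T(b)].  Generalises Theorem 1's chain slightly: an infected node
    stays infected and may spread again in any later period."""
    infected = {v0}
    for conns in periods:
        step = sub_connections(conns, platform)
        infected |= {j for i, j in step if i in infected}
    return infected


def trace_sources(v0, conns, platform):
    """Section 3.1.2: follow C[T(b)]v backwards from v0 to the root of the virus."""
    step = sub_connections(conns, platform)
    sources, frontier = set(), {v0}
    while frontier:
        frontier = {i for i, j in step if j in frontier} - sources - {v0}
        sources |= frontier
    return sources


def susceptible_areas(nodes, infected, safe, conns, platform):
    """Definitions 3-5: S1 = N - Y - C (EIPBI); S2 = uninfected nodes connected
    from Y (SIPBI); S3 = uninfected nodes reached from Y over T(b) only (SBI)."""
    c_all = {(s, d) for s, d, _, _ in conns}
    c_t = sub_connections(conns, platform)
    s1 = nodes - infected - safe
    s2 = {j for i, j in c_all if i in infected and j not in infected}
    s3 = {j for i, j in c_t if i in infected and j not in infected}
    return s1, s2, s3


def isolation_walls(conns, infected, safe, platform):
    """Definition 6 and Section 4: each wall as (number of tuples, blockage on the
    flow).  w_ij is the share of all traffic on (vi, vj); w_ij(T) the share of that
    pair's own traffic carried by T; SBI cuts only w_ij(T) * w_ij per tuple."""
    total = sum(dur for _, _, _, dur in conns)
    w, dur_t = defaultdict(float), defaultdict(float)
    for i, j, t, dur in conns:
        w[(i, j)] += dur / total             # w_ij, sums to 1 over the network
        if t == platform:
            dur_t[(i, j)] += dur             # traffic of T(b) on (vi, vj)
    s1, s2, s3 = susceptible_areas(nodes_of(conns), infected, safe, conns, platform)
    iw_eipbi = {(i, j) for i in infected for j in s1}
    iw_sipbi = {(i, j) for i in infected for j in s2}
    iw_sbi = {(i, j) for (i, j) in dur_t if i in infected and j in s3}
    share = lambda wall: sum(w[p] for p in wall)           # IW_EIPBI%, IW_SIPBI%
    sbi_share = sum(w[p] * (dur_t[p] / (w[p] * total)) for p in iw_sbi)  # IW_SBI%
    return {"EIPBI": (len(iw_eipbi), share(iw_eipbi)),
            "SIPBI": (len(iw_sipbi), share(iw_sipbi)),
            "SBI": (len(iw_sbi), sbi_share)}


if __name__ == "__main__":
    print("infected area:", sorted(pursue("v1", [PERIOD_1, PERIOD_2, PERIOD_3], "email")))
    print("sources of v7:", sorted(trace_sources("v7", PERIOD_1, "email")))
    print(isolation_walls(PERIOD_1, {"v1", "v7"}, {"v6"}, "email"))
```

On the constructed log, EIPBI and SIPBI cut the same 48% of the period's traffic while SBI cuts only the 6% carried by the spreading platform, and their wall cardinalities satisfy 10 ≥ 6 ≥ 1 as the paper's inequality predicts.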

In this term, three kinds of viruses are selected, spreading by Email, by Ftp and by QQ respectively. For each virus, two tests are carried out, with the isolation beginning on the 3rd and 5th day after the virus is planted in the network. The following two tables present the process and the effect of the isolation.

For convenience, we use the following notation: T denotes the sub-connection. C[T]% denotes the percentage of the T connections among all the connections. |Y| denotes the number of infected nodes. |S| denotes the number of suspected nodes. |SBI| denotes the number of isolation tuples.

Table 3. The effects of SBI with three kinds of virus and their blockage on the network (three days after the virus is planted)

       | Email     | Ftp       | QQ
C[T]%  | 21        | 20        | 35
|Y|    | 15        | 12        | 32
|S|    | 43        | 132       | 108
|SBI|  | 87        | 201       | 168
SBI%   | 1.8       | 4.02      | 5.88
Result | Completed | Completed | Omit 1

Table 4. The effects of SBI with three kinds of virus and the blockage on the network (five days after the virus is planted)

       | Email  | Ftp    | QQ
C[T]%  | 21     | 20     | 35
|Y|    | 32     | 56     | 65
|S|    | 67     | 162    | 212
|SBI|  | 172    | 301    | 436
SBI%   | 5.3    | 7.2    | 12.5
Result | Omit 1 | Omit 2 | Omit 3

From the test results, it can be seen that the earlier the isolation begins, the better the effect of the isolation is. On the contrary, the later it begins, the worse it is. However, it must be pointed out that the omitted virus is not a leakage of the isolation wall but a leak of tracing the virus.

5.2 Blockage of three isolation walls on the flow of the network

The test in this term is set to measure and compare the blockage of the three isolations; the initial number of infected nodes is set the same for the three: |Y| = 10, 20, 30, 40, 50, 60, 70, 80, 90.

Figure 3: The isolation scale with the number of infected nodes

Figure 4: The blockages on the network flow of the three isolations

For EIPBI, every infected user selects the nodes most impossible to be infected to form the set C, and the
others in 300 − Y − C are to be isolated. For SIPBI and SBI, every user selects the possible nodes to form S2 and S3 according to their connection history. The two figures, figure 1 and figure 2, illustrate the difference of the three isolations' blockage on the flow of the network. The number of all connection tuples is C = 1000 and the connection weight of each tuple is the time duration of the connection.

From the two figures, it can be seen that the scales of the three isolation walls increase in direct proportion to the increase of the initial infected nodes, but for the blockage of the isolation wall on the flow of the network, SBI is the smallest, no more than 10 percent of the sum of connections.

5.3 The effects of three ways of isolation

In this term, the Email connection is selected as the sub-connection to be isolated. Receiver end isolation is easier. By the SBI methods above, for each uninfected node, only add its infected friends to the black list. The test result is similar to the prediction of our theory: all viruses are isolated. In the Sender end isolation, we insert our module of isolation "SBI connect isolation"; the idea is to detect the socket of the SMTP connection in the Windows environment, then judge whether the packet heads (IP1; IP2) belong to IW_SBI; if they do, then deny the connection, else permit the connection. The test result is also valid. For the test of midway isolation, we use the open code "GetEthernetData.rar" and make the program with Sniffer C++; the isolation is stored in a database, and by inserting our controlling module in the Email server, the isolation is also realized. But as there are so many dynamic factors in the network, it is rather difficult to compare the results of the three isolation ways. Considering the convenience of implementation, the paper prefers the receiver end isolation.

6 Summary and the Further Research

6.1 Summary of the paper

Unlike the isolation object and method in other papers, the paper subdivides the network connection into sub-connections of different application layers by which viruses spread in the network, and proposes SBI (Sub-connection based isolation) to prevent network viruses from spreading. Based on a lot of samples and statistics of network viruses, the paper presents a definition and division for the network connection that is suitable for the specific virus. Then the infected area and susceptible area were defined by the paper. The determination methods of both areas were also presented in the actual network environment. Based on those concepts the paper presents the definition of the isolation wall and the establishment methods. Lastly the paper discusses the blockage of the isolation wall on the flow of the network. Simulation tests are carried out for the isolation wall, and the experimental results verified the validity of SBI.

6.2 Further study on the isolation

As the representative of operating systems, Microsoft manufacturing industries has published a white paper on a security strategy for manufacturing operations; in the part on securing the network, they provide network isolation with application gateways. In the part on secure connectivity for management of the firewall, they provide network isolation with virtualization. Considering the simulation test of our theory and the white paper of Microsoft, we plan to focus on the following two researches. The first is the design of the isolation as general middle-layer software plugged into the different network applications of viruses. As the algorithm and the strategy proposed in the paper are finite, the second research will focus on the partition of the network with respect to different network viruses.

6.3 Acknowledgement
In closing, we would like to thank Liangwei Chen and the other members of a group of ten students of the 2007 graduating class of the School of Computer Science and Technology of Huazhong University of Science and Technology. The ten students chose this subject as their final projects for the bachelor's degree and carried out the three groups of more than 50 tests. Without their nearly six months of tedious work, we could not present this paper now. We also express our appreciation to the administrators of www.hust.edu.cn for supplying us with the statistics of the users. Finally, we thank the China National Natural Science Funds (No. 60703048) and the Hubei Province Natural Science Funds (No. 2007ABA313) for their financial support.
