Professional Documents
Culture Documents
Abstract 1. Introduction
120 90
Figure 1. Effectiveness of: LEFT—content filtering as a function of response time and deployment, CENTER—
address blacklisting as a function of response time and deployment, RIGHT—patching worm as a function of re-
sponse time and initial counter-worm population.
some point been infected by the original worm may suf- Comparison I =1000
0
fer ill effects from the intrusion (such as data destruc- 8
−20
80
0
tion, implanted trojans or back-doors), so in our com- −40
−20
7 60
parisons we will focus on the number of hosts “touched” −60 −40 −2
0
−60
3. Comparison: Edge Deployed Passive 5 0 20
Response Time [h]
0
−4
−20 20
Defenses 4 −60 0 0
−40 −20 20
40
20
tainment) deployed in customer networks, i.e., at the
−40
“edge” of the network, with active defenses. 2
−60
1
80
0
−80
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Probability of open path
For a direct comparison of the effectiveness of the ac-
tive defenses we have described here with containment Figure 2. Direct comparison between content fil-
strategies, we vary response time and containment de- tering and patching worm. Percent infections us-
ployment and fix the remaining active defense parame- ing content filtering minus infections when em-
ter. We first consider the patching worm. Figures 2 and ploying patching worm. When positive, counter-
3 compare the patching worm, using an initial response worm is better. Counter-worm is launched with
population I0 = 1000 hosts, with content filtering and initial population I0 = 1000 hosts.
address blacklisting, respectively. These are contour
plots of the infection percentage for containment mi-
nus bad worm infection percentage while countering
increases, both approaches are ineffective and the dif-
with a patching worm. Consequently, a negative per-
ference diminishes.
centage means that the containment system resulted in
With the counter worm spreading under full con-
fewer infections. The graphs indicate that content fil-
nectivity,
P we can simplify P equations 1–3, P by letting
tering is more effective than a patching worm when it
s(t) = V (t), ib (t) = Pb (t), ig (t) = Pg (t), and
can protect at least 86% of the hosts, and for later re-
removing C(t). In [15] we showed that under these con-
sponses the patching worm is quite ineffective so con-
ditions, the fraction of hosts ultimately protected by
tainment wins also for lower coverage. Address black-
the patching worm (i.e. as t → ∞) is
listing, on the other hand, is more effective only for
very short response delays and near perfect coverage.
ib (T0 )
Thus, there appears to be realistic situations where a p̃patching = ρ 1 −
s(0)
patching worm could protect more hosts from infection
than an address blacklisting defense, at the cost of re- where ρ is the counter worm response population frac-
maining high bandwidth usage. As the response time tion. That is, if the number of counter worms released
Comparison I =1000
where it is known that
0
8 80
i(0)N
ib (T0 ) =
7 70
i(0) + (N − i(0))e−βN T0
Proof. The patching worm is better iff the protected
6 60
fraction for content filtering is less, i.e. p̃cont.f. ≤
5 50 p̃patching . Consequently, when
Response Time [h]
20 20 20
s(T0 ) ib (T0 )
4 40 40 40 40
(1 − p) ≤ρ 1−
60 60 60 N s(0)
80 80 80 30
3
rearranging
2
20
ρN ib (T0 )
p≥1− 1−
80 10
s(T0 ) s(0)
1
60 80
40
20 60 80
For 0 ≤ t ≤ T0 we have a single worm spreading and
0
0
−20
7 −40 7 70
60
0
20 20 20
20
−60
6 6 60
40
−20
40 40 40
−4
0 40
5 0 5 50
Response Time [h]
20
3 60 30
3
−20
40
2 20
2
−40
20
80
1 80 10
1
0
60 80
20 40 60 80
−60 0
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Probability of open path Probability of open path
Figure 4. Direct comparison between content Figure 5. Direct comparison between address
filtering and nullifying worm. Percent infec- blacklisting and nullifying worm. Percent in-
tions using content filtering minus hosts touched fections using address blacklisting minus hosts
when employing nullifying worm. When posi- touched when employing nullifying worm. When
tive, counter-worm is better. Counter-worm is positive, counter-worm is better. Counter-
launched with initial population I0 = 1000 hosts. worm is launched with initial population I0 =
1000 hosts.
60 60
% infected hosts
% infected hosts
50 50
40 40
30 30
20 20
10 10
0 0
0.5 1 1.5 2 2.5 3 3.5 4 0.5 1 1.5 2 2.5 3 3.5 4
Response time [h] Response time [h]
Figure 6. Infections after 24 hours for core de- Figure 7. Infections after 24 hours for core de-
ployed content filtering compared to counter ployed address blacklisting compared to counter-
worms (with I0 = 1000). worms (with I0 = 1000).