On Effectiveness of Defense Systems against Active Worms

Zesheng Chen, Lixin Gao, and Chuanyi Ji

Abstract

Active worms use self-propagating malicious code, and have been a persistent security threat to the Internet since 1988. Recent worm outbreaks have made parts of the Internet temporarily inaccessible, and cost millions of dollars to recover from. Effective defense systems, however, have been lacking for fighting against worms. It is thus important to provide a basic understanding of how efficiently the current systems defend against worms, what key factors determine the effectiveness of a defense system, and what guidelines can be drawn for developing future defense systems. In this paper, we investigate these questions through modeling and analysis. Using a discrete-time model, we show that three key characteristics of worm propagation are exploited by the current defense systems: the number of vulnerable machines, the scanning rate, and the time to complete infection. We first define the performance and the resources of defense systems. We then derive and analyze the relationship between the performance and the resources for four widely-used or promising defense systems, focusing on worms that employ random scanning. We find that the existing defense systems can be categorized into two groups. One exploits the number of vulnerable machines, and the other focuses on the scanning rate. Our analysis shows that a significant amount of resources is required for the existing systems to fight effectively against active worms. When a single system cannot acquire enough resources to contain worms, a combined use of all defense systems provides a hope to fight against worm propagation efficiently. To our knowledge, this is the first attempt at understanding the essence of different host-based defense systems and their combination quantitatively.

I. INTRODUCTION

Internet worms have been a persistent security threat since the Morris worm arose in 1988.
After the Code Red and Nimda worms were released into the Internet in 2001, the Sapphire worm was unleashed with a 376-byte UDP packet and infected at least 75,000 computers worldwide on January 25, 2003 [], [], []. These active worms made parts of the Internet temporarily inaccessible, and cost both the public and private sectors millions of dollars to recover from. Using self-propagating malicious code, active worms spread rapidly by infecting computer systems and by using the infected nodes to disseminate the worm in an automated fashion. The frequency and virulence of active worm outbreaks have increased dramatically in the last few years, presenting a significant threat to today's Internet. It is therefore of great importance to investigate effective defense systems against worms.

Defense systems are used to slow down or even stop the propagation of active worms. Currently, a basic technique to defend against worms is patching, which repairs the security holes of a computer. Besides patching, there are three other widely-used or promising defense systems. LaBrea, presented by Liston, slows the growth of TCP-based worms such as the Code Red worm []. The Worm Propagation Detection and Defense (WPDD) system, developed by the CERIAS intrusion detection research group, concentrates on the worm propagation and uses port-scanning detection to search for infected machines [5]. The Virus Throttle tool, put forward by Williamson, exploits the local correlation of normal traffic to suppress the high-rate malicious traffic generated by worms []. These systems are representative of the currently available methods to fight against worms.

What are the common characteristics of the different defense systems? How efficient are the existing defense systems? What are the key factors that determine the effectiveness of a defense system? How can a defense system make use of the key characteristics to improve its performance? In this paper, we attempt to investigate these issues.
Our goal is two-fold: (a) to provide a basic understanding of the underlying principles governing the existing defense systems, and (b) to develop an analytical approach for investigating the performance of all defense systems systematically. As effective defense systems are still lacking, guidelines can hopefully be drawn for developing future systems to fight against worms.

Prior research on defense systems focuses mostly on developing approaches to defend against active worms. The performance and the resources required have not been investigated systematically. We define the performance as the ability of a defense system to either contain or stop the spread of a worm. Such performance can be characterized by the number of infected machines. We define the resource, or the cost needed, as the number of computers that are either patched or installed with a defense system. We focus on investigating the relationship between the performance and the amount of resources needed for defense systems. For example, if a defense tool is installed in a given percentage of the computers, how many machines would still be infected? The performance and the cost together can be used to evaluate the effectiveness of a system.

To quantify the performance of defense systems, we first characterize the spread of active worms. The Analytical Active Worm Propagation (AAWP) model, developed by Chen et al. [5], can capture the propagation of active worms that employ random sc anning. Using this analytical model, we identify three key parameters of worm propagation exploited by current systems: the number of vulnerable machines, the scanning rate, and the time to complete infection. The severity of worm propagation can be mitigated greatly if a defense system can reduce the number of vulnerable machines significantly, decrease the scanning rate dramatically, or prolong the time that worms need to infect a machine. Taking a Code-Red-v2-like worm as an example, we provide a quantitative analysis of how systems defend against worms by exploiting these parameters. We show that the current defense systems share many commonalities, and can thus be divided into two groups. One exploits the number of vulnerable machines, and the other focuses on the scanning rate. Our analysis shows that a significant amount of resources is required for the available systems to fight against active worms effectively. While a single system may not acquire enough resources to contain worms, the combination of all defense systems provides a hope to fight against active worms. The motivation of our work is to develop simple mathematical models that can be used to illustrate and illuminate the essence of different defense systems. Our approach provides a modeling framework which allows one to assess a broad range of defense systems.

The remainder of this paper is structured as follows. Section II gives a brief review of worm propagation and the related work. Section III describes the AAWP model and the key parameters of worm propagation that can be exploited by defense systems. Section IV evaluates and compares four widely-used or promising defense systems.
Section V concludes the paper with a brief summary and an outline of future work.

II. BACKGROUND

Self-propagation is a key characteristic of an active worm. For example, when a worm is released into the Internet, it starts out on a single host and scans randomly for other vulnerable machines. When the scan finds a host that can be compromised, the worm sends out a probe to infect the target. After a new host is compromised, the worm transfers a copy of itself to this host. This new host then begins to run the worm and infects other targets. Another example is the Sapphire worm. Such a worm uses a single UDP packet to probe, compromise, and spread the worm to targets [], [], []. One other example is the hitlist scanning worm investigated by Weaver [8]. Before a worm is released, the worm author gathers a hitlist of potentially vulnerable machines with good connections. The worm, when unleashed into the Internet, begins scanning down the list. After this list has been exhausted, the worm turns to infecting other vulnerable machines.

Active worms can employ different scanning mechanisms to spread, such as random, localized, permutation, and topological scanning [9]. A worm that employs random scanning selects target IP addresses at random. Therefore, every vulnerable machine is equally likely to be infected. In this paper, we focus on random-scanning worms, for the following reasons. First, random scanning is used by the most widespread Internet worms, such as Code Red v2 and Sapphire. Second, many sophisticated scanning mechanisms still require certain forms of random scanning. For example, a worm that employs localized scanning scans the machines in a subnet uniformly. Last, the study of defense systems against random-scanning worms provides a benchmark for the study of defense systems against other, more sophisticated worms.

When a worm spreads, some machines may stop functioning properly, forcing the users to reboot these machines or kill some of the processes exploited by the worm. This results in a death rate of worm propagation. When an infected computer is detected, a patch may be used to rescue the computer.
This process results in a patching rate of worm propagation.

There have been only a handful of studies on active worms, since worm outbreaks were rare until recently. One closely related work is Internet Quarantine by Moore et al. [6]. This work investigates the requirements for containing self-propagating code. The focus there is on two network-based defense approaches: content filtering and address blacklisting. Such approaches may require the participation of network service providers. The focus of this work is on host-based or end-network-based defense approaches, which do not require the participation of network service providers.

There are several quantitative studies modeling the spread of active worms that employ random scanning. The first model is the Epidemiological model, which is grafted from traditional epidemiology by Kephart and White [7]. Another model is the two-factor worm model by Zou, extended from the Epidemiological model, which takes into consideration human countermeasures and the worm's impact on Internet traffic and infrastructure [4]. One other model is the Analytical Active Worm Propagation (AAWP) model, which uses a discrete-time model [5]. Compared with the Epidemiological model, the AAWP model considers more parameters, such as the patching rate and the time that it takes the worm to infect a machine. In this paper we choose the AAWP as our basic model.

III. MODEL

To quantify the performance of defense systems, it is important to characterize the worm spread. In this section, we first review the AAWP model for worm propagation. We then present the parameters that are critical for defending against active worms. We finally provide a general characterization of the performance of defense systems.

A. Modeling the Spread of Active Worms

Active worms often spread through random scanning. The Analytical Active Worm Propagation (AAWP) model captures this feature using a discrete-time model and a deterministic approximation [5]. This model shows that the speed of worm spreading is determined by such parameters as the size of the hitlist [8], the total number of vulnerable machines, the size of the address space (the entry addresses) that worms scan, the scanning rate, the death rate, the patching rate, and the time to complete infection. The model assumes that worms can simultaneously scan many machines and do not re-infect an already infected machine. The model also assumes that the machines on the hitlist are already infected at the start of the worm propagation.

The model is derived as follows. Suppose that a worm scans a given address space and needs one time tick to infect a machine. For random scanning over the whole IPv4 space, the probability that a given machine is hit by one scan is 1/2^32; in general, when the worm scans an address space of a given size, this probability becomes one over that size. Assume that at time tick i there are a certain number of infected machines and a certain number of vulnerable machines. The infected machines then send out scans, as many as the scanning rate times the number of infected machines, to find the vulnerable machines. On average, the newly-infected machines on the next time tick are the vulnerable machines that are hit by at least one of these scans. Meanwhile, given the death rate and the patching rate, at the next time tick a share of the vulnerable machines equal to the patching rate is patched, and a share of the infected machines equal to the death rate plus the patching rate changes either to vulnerable machines without being patched (the death rate) or to invulnerable machines (the patching rate). Therefore, the number of infected machines on the next time tick is the current number, minus the machines whose infection died or which were patched, plus the newly-infected machines. In addition, the infected, vulnerable and invulnerable machines always add up to the total number of vulnerable machines at the start of the spread. Putting the above relations together, and treating the average number of scans and the number of newly infected machines at time tick i as separate quantities, the AAWP model is derived as Equations (1)-(4), where i ≥ 0, the initial number of infected machines is the size of the hitlist, and the initial number of vulnerable machines is the total number minus the hitlist. The recursion stops when there are no more vulnerable machines left or when the worm cannot increase the total number of infected machines. The AAWP model thus characterizes the spread of active worms (see [5] for more details). Table I summarizes all the notations.

The Code Red v2 worm is a typical example of worms that employ random scanning. The AAWP model can be used to simulate a Code-Red-v2-like worm that scans 2^32 entry addresses with the following parameters: 500,000 vulnerable machines, starting on a single machine, a scanning rate of scans/second, a death rate of . /second, a patching rate of . /second, and a time period of 1 second to complete infection [5]. In this paper, we mainly focus on the effect of defense systems on the Code-Red-v2-like worm that employs random scanning.

B. Important Parameters

The AAWP model reveals the key parameters that constrain the speed of worm spreading and the ultimate prevalence of worms in general. These parameters include the total number of vulnerable machines, the scanning rate, and the time to complete infection.

1) Total number of vulnerable machines: To understand the impact of this parameter, Figure 1 shows the propagation of the Code-Red-v2-like worm with different numbers of vulnerable machines. As the number of vulnerable machines decreases, it takes the worm a longer time to spread. This is because the scans from the worm are less likely to hit vulnerable machines. For example, if the number of vulnerable machines is halved, the time that the worm takes to reach the peak of the curve in Figure 1 increases substantially. Therefore, reducing the number of vulnerable machines can be used by defense systems against worm spreading.
One example is the address blacklisting defense system [6]. When an IP address has been identified as being infected, packets arriving from this address are dropped when received by the routers with this defense system. In this way, an infected host can be isolated from the Internet, and the number of vulnerable machines is thus reduced. The other examples are patching and the WPDD system, which we describe in detail in Section IV.

2) Scanning rate: Figure 2 demonstrates the effect of the scanning rate on worm propagation. The Code-Red-v2-like worm spreads more slowly when the scanning rate decreases. For example, the simulated Code-Red-v2-like worm with the baseline scanning rate reaches a given number of infected machines in considerably fewer hours than the same worm with a scanning rate of 1 scan/second. One example is the content filtering defense system [6].

TABLE I
NOTATION OF THE AAWP MODEL
total number of vulnerable machines
size of the address space (entry addresses) that worms scan
size of the hitlist (the number of infected machines at the beginning of the spread of active worms)
scanning rate (the average number of machines scanned by an infected machine per unit time)
death rate (the rate at which an infection is detected on a machine and eliminated without patching)
patching rate (the rate at which an infected or vulnerable machine becomes invulnerable)
number of infected machines at time tick i
number of vulnerable machines at time tick i
number of scans at time tick i
number of newly infected machines at time tick i

Fig. 1. Effect of the size of vulnerable machines (curves for three different total numbers of vulnerable machines). All cases are for starting on a single machine, the scanning rate, death rate and patching rate of Section III-A, and a time period of 1 second to complete infection. The curves show the transient behavior of the number of infected machines with respect to time, and are obtained from the recursive relation given by the AAWP model.

Fig. 2. Effect of the scanning rate (curves for three different scanning rates). All cases are for 500,000 vulnerable machines, starting on a single machine, the death rate and patching rate of Section III-A, and a time period of 1 second to complete infection.
When a worm's signature has been identified, packets containing this signature are dropped when received by the routers with this defense system. In this way, the system can block the scans or the transmissions of worm copies from the infected machines, and therefore the scanning rate is reduced. Other examples are LaBrea and Virus Throttle, which we describe in detail in Section IV.

3) Time to complete infection: Figure 3 describes the effect of the time to complete infection on worm propagation. In the future, worms can become more virulent by utilizing any of the following methods: scanning only the vulnerable machines, increasing the scanning rate, and exploiting a vulnerability that many computers share. One famous example is the Flash Worm [9], which can flood the Internet within seconds. It is difficult to defend against this kind of rapidly-spreading worm. However, prolonging the time to complete infection can slow down the spread of these worms. As shown in Figure 3, the worm tries to infect a population of over one million vulnerable machines. The shorter the time the worm needs to infect a machine, the more machines it compromises within the first minutes of the outbreak; the worm with a time period of 6 seconds to infect a machine compromises markedly fewer machines over the same time than the faster variants. Therefore, the worm spreading can be slowed down significantly when the time required to infect a machine is prolonged. There are two research works on modeling the timing parameters [7], [8]. Both of these works show that prolonging the time to complete infection can slow down the spread of worms. However, there is no existing defense system yet that makes use of this parameter against worm propagation.

Fig. 3. Effect of the time to complete infection (curves for different times to infect a machine, including 6 seconds). All cases are for over one million vulnerable machines, starting on a single machine, a scanning rate of scans/second, a death rate of . /second, and a patching rate of .5 /second.

C. Performance of Defense Systems

The performance and the needed resource of a defense system can then be defined based on these parameters.

1) Definition:

The performance of a defense system is defined as the maximum number of infected machines that active worms can achieve under the containment of the system. The fewer the infected machines, the better the performance.

The resource or cost of a defense system is defined as the number of machines which are either patched or installed with the defense system.

2) Performance: To quantify the performance, let us imagine that a defense system can perform at least one of the following tasks: reducing the number of vulnerable machines significantly, decreasing the scanning rate dramatically, or prolonging the time that worms take to infect a machine. Then the number of scans is much less than the size of the scanned address space, in a time duration (e.g., a day) after the outbreak of the worm. The number of newly-infected machines can thus be approximated by linearizing the hit probability, i.e., as the number of vulnerable machines times the ratio of the number of scans to the size of the address space (Equation (5)). This shows that although the original worm spreading grows exponentially, an ideal defense system can contain the growth polynomially. Therefore, defense systems that have good performance can either stop or slow down worm spreading effectively.
A defense system is considered to be effective when it causes a worm to infect less than half of the total vulnerable machines. The particular choice of one half may seem arbitrary, but it quantifies a reasonable standard for evaluating defense systems. If another fraction is chosen as the criterion, the effectiveness in terms of the number of infected machines can be computed accordingly using AAWP.

IV. EFFECTIVENESS OF DEFENSE SYSTEMS

The performance measure can now be applied to evaluating the effectiveness of defense systems. In particular, we evaluate and compare the performance of four available defense systems: patching, Worm Propagation Detection and Defense (WPDD), LaBrea, and Virus Throttle. The AAWP model is used as a unified approach to study the functionality and effectiveness of each defense system in reducing either the number of vulnerable machines or the scanning rate.

A. Effectiveness of Patching

Patching vulnerable machines is the most direct method and is widely used for defending against worms.

1) Patching: A patch repairs a security hole of a host, which equivalently reduces the total number of vulnerable machines. Statistics show that few worms exploit vulnerabilities that are new and unknown. Popular worms, such as Code Red and Sapphire, attack well-known vulnerabilities. However, the prevalence of those worms reflects the fact that many people are reluctant to apply patches in time. Then a question arises: how many vulnerable machines should be patched before a worm is released to defend against it effectively?

2) Performance of Patching: To answer this question, we begin by evaluating the performance of patching. We assume that a certain number of machines have been patched before the worm is released. Then the vulnerable machines left are the total number minus the patched ones, and the initial number of vulnerable machines in Equation (1) is replaced accordingly, i.e., by Equation (6). Since the other parameters (see Section III-A) are not altered, Equations (2)-(4) remain the same.
Fig. 4. Performance of patching (curves for different percentages of vulnerable machines patched). All cases are for 500,000 vulnerable machines, starting on a single machine, the scanning rate, death rate and patching rate of Section III-A, and a time period of 1 second to complete infection.

The above recursive relation is the AAWP model modified for patching, and is used to demonstrate the performance. Figure 4 shows the performance of patching for a Code-Red-v2-like worm. The more machines are patched, the more slowly the worm spreads. But to defend against the worm effectively, the figure shows that a large fraction of the vulnerable machines must be patched in advance. Therefore, the task of patching is challenging in the war between defenders and attackers.

B. Effectiveness of the Worm Propagation Detection and Defense System

The Worm Propagation Detection and Defense (WPDD) system is another approach which reduces the total number of vulnerable machines. Compared to patching, the WPDD system has the advantage of dynamically detecting infection. Once detected, infected machines can be disarmed.

1) Worm Propagation Detection and Defense (WPDD): This defense system is developed by an intrusion-detection research group at CERIAS (Center for Education and Research in Information Assurance and Security) [4], [5]. The main purpose of the WPDD system is to detect and defend against a class of worms which rapidly scan randomly-selected IP addresses on a fixed port (i.e., horizontal scans). The system acts as an end-network firewall that monitors the outbound traffic of a network. It monitors all scans leaving the scanning host, and looks for a certain number of horizontal scans occurring within a certain time period to detect abnormal traffic. When an infected machine monitored by the WPDD system begins to scan the Internet, all scans generated by this machine can be examined.
Once a certain number of horizontal scans has been counted from this machine within a certain period of time, the WPDD system generates an alert, and contains the abnormal traffic from the infected machine. This approach can quickly identify the infected machines and stop the offending program. Here the infected machines that have been detected are assumed to be isolated from further infection or patched at once. Hence these machines become either traffic-blocked or invulnerable as seen by the worm. However, WPDD systems might not be able to detect all worms. Moreover, some worms may bypass a WPDD system that focuses on horizontal scans.

2) Performance of WPDD: The ability to detect infection and then isolate/patch infected machines can be characterized as follows. Let a given number of vulnerable machines be monitored by the WPDD system, and let the WPDD system detect a worm on a monitored machine with a given probability. At time tick i, there are a certain number of newly infected machines. Among these, on average the share that are monitored and detected (the detection probability times the fraction of vulnerable machines that are monitored) can be detected and then isolated/patched, while the rest begin infecting other machines. In this context, the worm spreading described by Equations (1) and (4) becomes Equations (7) and (8), where i ≥ 0 and the initial values are those of Section III-A, and Equations (2) and (3) remain the same. Note that if the detection probability is zero or no machines are monitored by the WPDD system, i.e., if no worms are detected or no machines are monitored, the above equations are the same as Equations (1) and (4).

Figure 5 shows the performance of the WPDD system for a Code-Red-v2-like worm when the worm is detected with probability 1. The more machines are monitored by the WPDD system, the more slowly the worm spreads. But to defend against the worm effectively, the figure shows that a large fraction of the vulnerable machines must be monitored. Figure 6 demonstrates the effect of the detection probability for a fixed number of monitored vulnerable machines. This figure shows that the detection probability should be at least 0.8 to defend against the worm effectively.
Conversely, if the WPDD system can detect a worm with probability 0.8, the WPDD system must monitor at least the corresponding number of vulnerable machines. Since the vulnerability exploited by the worm is unknown a priori, the WPDD system can only be installed to monitor randomly-chosen machines. Hence, if a given fraction of the vulnerable machines is to be monitored, the same fraction of the total number of machines in the Internet needs to be monitored. Applied to the number of computers in the Internet, this means that the WPDD system needs to monitor a huge number of hosts in order to defend against the worm effectively. The amount of resources needed for installing the WPDD system is overwhelming.

Fig. 5. Performance of the WPDD defense system (detection probability 1; curves for different percentages of vulnerable machines monitored). All cases are for 500,000 vulnerable machines, starting on a single machine, the scanning rate, death rate and patching rate of Section III-A, and a time period of 1 second to complete infection.

Fig. 6. Performance of the WPDD defense system (fixed number of monitored vulnerable machines; curves for different detection probabilities, including 0.5 and 0.8). All cases are for 500,000 vulnerable machines, starting on a single machine, the scanning rate, death rate and patching rate of Section III-A, and a time period of 1 second to complete infection.

C. Effectiveness of LaBrea

LaBrea is developed to reduce the scanning rate of worms.

1) LaBrea: LaBrea is developed by Liston to slow down or even stop the spread of the Code Red worm, which broke out in 2001 [], [5]. (The effectiveness of LaBrea has been studied in [5]. We introduce it here for the completeness of the discussion. Moreover, we will consider a combination of LaBrea with other defense systems in Section IV-F.) LaBrea takes advantage of the fact that many worms scan unused IP addresses and use TCP connections to propagate. Specifically, LaBrea can take over unused IP addresses on a network and create virtual machines that respond to TCP connection requests. When a scan from an infected host hits one of these virtual machines, LaBrea replies and establishes a connection with the infected machine. This connection can last for a long time. However, LaBrea can only defend against a worm that scans unused IP addresses and uses TCP connections. Such a tool is thus useless against a recent worm, Sapphire, which employs UDP packets.
2) Performance of LaBrea: To evaluate the performance of LaBrea, we need to address the following question: how many unused IP addresses should be monitored by the LaBrea tool to defend against active worms effectively? Assume that LaBrea is installed in the Internet and is monitoring a certain number of unused IP addresses. These addresses are among the entry addresses scanned by worms. Suppose that currently there are a certain number of scans from infected machines beginning to search the Internet. Because the LaBrea tool can trap the scanning threads, after one time tick the share of scanning threads equal to the number of monitored addresses over the size of the scanned address space is trapped, and only the remaining share is left. Given the death rate and the patching rate, on the next time tick the old scans that are left are the untrapped threads of the infected machines that neither died nor were patched, and the new scans are those generated by the newly infected machines at the scanning rate. Therefore, Equation (2) becomes Equation (9), where i ≥ 0, and the initial number of scans is the scanning rate times the size of the hitlist. Since LaBrea does not alter the total number of vulnerable machines, Equations (1), (3), and (4) remain the same. It should be noted that if no unused IP addresses are monitored, Equation (9) is the same as Equation (2). But as soon as some unused IP addresses are monitored, the scanning rate is reduced by the LaBrea tool.

Figure 7 shows the spreading of a simulated Code-Red-v2-like worm using the AAWP model. The figure shows that when LaBrea monitors only a small number of unused IP addresses, the worm spread changes slightly. But when a sufficiently large number of unused IP addresses is monitored, the total number of infected machines stops increasing before the worm acquires half of the vulnerable machines. That threshold, read off Figure 7, is therefore the number of unused IP addresses that needs to be monitored for the LaBrea tool to defend effectively against the worm propagation. (A more rigorous approach for obtaining this quantity requires solving the non-linear difference equations, which is beyond the scope of this work.) However, it might not be easy to obtain so many unused IP addresses.
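As an added worked example (not code from the paper), the following Python script implements the discrete-time recursion described in Section III-A and the three modifications of Sections IV-A to IV-C: patching as a reduction of the initial vulnerable population, WPDD as the removal of a detected share of each tick's new infections, and LaBrea as the trapping of a fraction of the outstanding scanning threads, together with the Section III-C effectiveness criterion (peak infection below half of the vulnerable machines). The variable names are ours, the combination of all three defenses in one step is our extension of the paper's separate equations, and the Code-Red-v2-like scan, death and patching rates in main() are assumed values, since the paper's own figures for them did not survive.

```python
"""AAWP-style discrete-time worm model with the host-based defenses of Section IV.

Added example: the recurrences are written from the paper's prose description of the
AAWP model (Section III-A) and of patching, WPDD and LaBrea (Sections IV-A to IV-C).
Variable names and the numeric values in main() are assumptions, not the paper's.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Worm:
    vulnerable: float        # total number of vulnerable machines
    address_space: float     # size of the address space the worm scans
    hitlist: float = 1.0     # machines already infected at tick 0
    scan_rate: float = 2.0   # scans per infected machine per tick (assumed value)
    death_rate: float = 0.0  # share of infected hosts per tick whose infection dies (host stays vulnerable)
    patch_rate: float = 0.0  # share of infected/vulnerable hosts per tick that become invulnerable


@dataclass(frozen=True)
class Defenses:
    patched_fraction: float = 0.0  # IV-A: fraction of vulnerable hosts patched before release
    wpdd_fraction: float = 0.0     # IV-B: fraction of vulnerable hosts behind a WPDD monitor
    wpdd_detect_prob: float = 0.0  # IV-B: probability WPDD detects the worm on a monitored host
    labrea_addresses: float = 0.0  # IV-C: unused addresses LaBrea answers as tarpits


@dataclass(frozen=True)
class State:
    infected: float
    vulnerable: float
    scans: float  # scanning threads active during this tick


def step(st: State, w: Worm, d: Defenses) -> State:
    """Advance by one tick (one tick = the time the worm needs to complete an infection)."""
    t = w.address_space
    # A vulnerable host is hit by at least one of the scans with probability 1 - (1 - 1/t)^scans.
    new_infections = st.vulnerable * (1.0 - (1.0 - 1.0 / t) ** st.scans)
    # WPDD: the detected share of new infections on monitored hosts is isolated/patched at once.
    undetected = new_infections * (1.0 - d.wpdd_detect_prob * d.wpdd_fraction)
    survive = 1.0 - w.death_rate - w.patch_rate
    infected = survive * st.infected + undetected
    # Vulnerable pool: minus patched hosts and all newly hit hosts, plus hosts whose infection died.
    vulnerable = (1.0 - w.patch_rate) * st.vulnerable - new_infections + w.death_rate * st.infected
    # LaBrea traps the fraction labrea/t of the outstanding threads each tick; surviving threads of
    # hosts that were neither patched nor rebooted continue, and each undetected new infection adds
    # scan_rate threads. With no tarpits this is exactly scans = scan_rate * infected.
    scans = survive * (1.0 - d.labrea_addresses / t) * st.scans + w.scan_rate * undetected
    return State(infected, max(vulnerable, 0.0), scans)


def simulate(w: Worm, d: Defenses, ticks: int) -> list[State]:
    """Run the recursion for a fixed horizon, stopping early once no vulnerable hosts remain."""
    n0 = w.hitlist
    v0 = max((1.0 - d.patched_fraction) * w.vulnerable - n0, 0.0)  # IV-A: patching shrinks the pool
    hist = [State(n0, v0, w.scan_rate * n0)]
    for _ in range(ticks):
        hist.append(step(hist[-1], w, d))
        if hist[-1].vulnerable <= 0.0:
            break
    return hist


def peak_infected(hist: list[State]) -> float:
    return max(s.infected for s in hist)


def is_effective(w: Worm, d: Defenses, ticks: int) -> bool:
    """Section III-C criterion: the worm never reaches half of the vulnerable machines."""
    return peak_infected(simulate(w, d, ticks)) < 0.5 * w.vulnerable


if __name__ == "__main__":
    day = 24 * 3600
    # Code-Red-v2-like worm over the IPv4 space; the rates are assumed, not the paper's values.
    worm = Worm(vulnerable=500_000, address_space=2.0 ** 32, scan_rate=2.0,
                death_rate=2e-5, patch_rate=2e-5)
    scenarios = {
        "no defense": Defenses(),
        "half of the vulnerable hosts patched": Defenses(patched_fraction=0.5),
        "WPDD on 30% of hosts, detection 0.8": Defenses(wpdd_fraction=0.3, wpdd_detect_prob=0.8),
        "LaBrea on 2^28 unused addresses": Defenses(labrea_addresses=2.0 ** 28),
        "all three combined": Defenses(0.5, 0.3, 0.8, 2.0 ** 28),
    }
    for name, dfs in scenarios.items():
        peak = peak_infected(simulate(worm, dfs, day))
        print(f"{name:40s} peak infected in 24 h: {peak:10.0f}  "
              f"effective: {peak < 0.5 * worm.vulnerable}")
```

Each scenario in main() runs one day of one-second ticks; changing the `Defenses` fields reproduces the kind of sweep behind Figures 4, 5 and 7 (patched fraction, monitored fraction, number of tarpit addresses), and `is_effective` applies the one-half criterion of Section III-C to the result.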
Fig. 7. Performance of the LaBrea tool defense system (curves for different numbers of monitored unused IP addresses). All cases are for 500,000 vulnerable machines, starting on a single machine, the scanning rate, death rate and patching rate of Section III-A, and a time period of 1 second to complete infection.

D. Effectiveness of Virus Throttle

The previous three defense systems reduce either the total number of vulnerable machines or the scanning rate, but not both. Virus Throttle reduces both the scanning rate of the worm and the number of vulnerable machines.

1) Virus Throttle: Virus Throttle is personal-firewall-like software designed by Williamson to defend against a worm which contacts as many machines as possible and spreads as fast as possible [], []. When a machine sends out a connection request, the Virus Throttle tool installed on the machine first determines whether this request is for a new host, based on a short list of recent connections. If so, the request is put into a delay queue. Otherwise, the request is processed immediately. A timer is set on the delay queue so that only one request is processed per timeout period. In this way, most normal traffic is unaffected since it is locally correlated (i.e., it is likely to consist of repeated connections to recently accessed machines). Malicious traffic generated by worms is heavily penalized since such traffic has a much higher rate than normal traffic and is not locally correlated. At the same time, this tool can detect and disarm worms by monitoring the size or the growth rate of the delay queue. When the machine is infected by a worm with a high attack rate, the delay queue grows fast and becomes long. This spreading behavior of the worm can be quickly detected. Therefore, the infected machine with Virus Throttle installed can be isolated subsequently, and then immunized. Here, we assume that infected machines that have been detected can be either isolated from further infection or patched at once.
Hence, these machines become tafficboken o invuneabe machines to the wom. Howeve, not a machines instaed the Vius Thotte too can detect a wom fo that diffeent machines configue the too diffeenty. Moeove, we-designed woms can bypass the detection of Vius Thotte. ) Pefomance of Vius Thotte: The abiity of Vius Thotte can be chaacteized fo detecting woms and educing the scanning ate as foows. Assume that vuneabe machines ae instaed the Vius Thotte too, and have a pobabiity o of detecting a wom. At time tick, thee ae AG newy infected machines. Among these infected machines, aveage o<p s AG machines can be detected and then isoated o patched, whie AG o s p A8 machines ae eft undetected. Among the infected machines, aveage g J p g p infected machines ae contoed by the too and g J p g pq infected machines ae not instaed with the too. Fo an infected machine without the too, the scanning ate is. Fo an infected machine with the too, a equests geneated by the wom ae assumed to be put into the deay queue 5. Let,, and š denote the time fo the wom to compete infection, the duation between timeouts in the deay queue, and the numbe of scanning theads geneated by the wom, espectivey. The Vius Thotte too can estict the scanning ate of undetected machines to s &. Fo active woms that speads as fast as possibe, šžœÿt and. Meanwhie, to deay the maicious taffic, the Vius Thotte too equies Œ k. Theefoe, œts &. Taking into consideation that the Vius Thotte too educes the tota numbe of vuneabe machines and deceases, the numbe of scans to g $ p g p Equations (), () and (4) become ) 4 g o @ u o? o s + s - o? o s s s -" g $ p s œ g p &? s A () u ( ) /-v o? AG whee C, A8> and ŸP g -vo s p g x () emains the same. It shoud be noted that if () (). Equation P, i.e., no machines insta Vius Thotte, the above thee equations educe to Equations (), () and (4) of the oigina AAWP. Thee cases can be consideed beow. ) When no machines can detect the wom, i.e., o. 
Equations () and () ae the same as Equations () 5 Since the ist of ecent connections is shot (ƒª + «) and the wom seects tagets andomy.
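The delay-queue mechanism described above, as an added discrete-time simulation that is not the paper's own code: the recent-list size, alarm threshold, traffic generators and scan rates are constructed assumptions, and one tick stands for one timeout period.

```python
"""Discrete-time simulation of the Virus Throttle delay queue (added
example, not the paper's code). Requests to hosts in a short
recent-connection list pass at once; requests to new hosts wait in a delay
queue that releases one request per timeout period. The queue length is
the signal the throttle uses to detect an infected machine. Traffic
generators and all parameter values below are constructed assumptions."""
from collections import deque
import random

RECENT_LIST_SIZE = 4   # assumed size of the recent-connections list
QUEUE_ALARM = 100      # assumed queue length that flags a worm

def run_throttle(requests, ticks, seed=0):
    """Simulate `ticks` timeout periods (one release per period).
    `requests(t, rng)` yields the destination hosts requested at tick t.
    Returns (requests_sent, peak_queue_length, worm_detected)."""
    rng = random.Random(seed)
    recent = deque(maxlen=RECENT_LIST_SIZE)
    delay_queue = deque()
    sent, peak, detected = 0, 0, False
    for t in range(ticks):
        for host in requests(t, rng):
            if host in recent:
                sent += 1                 # locally correlated: no delay
            else:
                delay_queue.append(host)  # new host: wait for the timer
        if delay_queue:                   # timer fires: release one request
            host = delay_queue.popleft()
            if host not in recent:
                recent.append(host)
            sent += 1
        peak = max(peak, len(delay_queue))
        if len(delay_queue) >= QUEUE_ALARM:
            detected = True               # queue grew too long: isolate host
    return sent, peak, detected

def normal_traffic(t, rng):
    """A user revisiting a handful of servers: locally correlated."""
    return [rng.choice(["mail", "web", "dns", "file"]) for _ in range(3)]

def random_scanning_worm(scans_per_tick):
    """A worm whose every scan targets a fresh address (no correlation)."""
    def gen(t, rng):
        return [("target", t, i) for i in range(scans_per_tick)]
    return gen

if __name__ == "__main__":
    print("normal:", run_throttle(normal_traffic, 60))
    print("worm:  ", run_throttle(random_scanning_worm(100), 60))
```

The worm's 100 scans per tick are released at one per timeout period while its queue grows by about 99 entries per tick and trips the alarm within two ticks; the user's traffic passes almost entirely undelayed once its few hosts are in the recent list.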
and (4), and Equation () reduces to @S; t -Fp œ. It shows that the Virus Throttle tool decreases the scanning rate from to p - p œ '4. Figure 8 shows the spread of a Code-Red-v-like worm under the containment of Virus Throttle. The figure demonstrates the growth of the number of infected nodes over time for different percentages of the vulnerable machines with Virus Throttle installed. The more vulnerable machines have the tool installed, the more slowly the worm spreads and the fewer machines are actually infected. Therefore, the Virus Throttle tool can restrain the spread of active worms. However, at least 5% of vulnerable machines need to install the tool to defend against the worm effectively. For the Code-Red-v-like worm, š [], , and . If k T n, then @ ; f p, for =C. Indeed, the tool decreases the scanning rate from to p 6. Therefore, p should be sufficiently large (e.g. at least .5) in order to reduce the scanning rate effectively.

[Fig. 8 plot: curves for different percentages of vulnerable machines with Virus Throttle installed; axis values not recoverable]

Fig. 8. Performance of the Virus Throttle tool defense system (}~+«). All cases are for 5, vulnerable machines, starting on a single machine, a scanning rate of scans/second, a death rate of . /second, a patching rate of . /second, a time period of second to complete infection, and a time period of second between timeouts for the delay queue.

) When all machines with the tool can detect the worm with probability , i.e., o . Then, Equations (), () and () are the same as the equations for the WPDD system. Figure 5 demonstrates the performance in this case. Similar to the WPDD system, at least S{ machines need to be installed with the Virus Throttle tool to defend against the worm effectively.

) Effect of detection probability, i.e., o ±. Figure 9 demonstrates the effect of the detection probability when T vulnerable machines are installed with the Virus Throttle tool. Similar to the WPDD system, the detection probability should be at least .8 to defend against the worm effectively. However, compared to the WPDD system (Figure 6), Virus Throttle has the ability to delay the worm propagation. That is, the worm needs more time to reach the peak under the containment of Virus Throttle. This is because Virus Throttle reduces both the number of vulnerable machines and the scanning rate.

[Fig. 9 plot: curves for different detection probabilities; axis values not recoverable]

Fig. 9. Performance of the Virus Throttle tool defense system ( ~+ ƒh ). All cases are for 5, vulnerable machines, starting on a single machine, a scanning rate of scans/second, a death rate of . /second, a patching rate of . /second, a time period of second to complete infection, and a time period of second between timeouts for the delay queue.

Since the vulnerability exploited by the worms is unknown a priori, the Virus Throttle tool can only be installed on randomly chosen machines. To achieve p M{, T nžt, a quarter to a half of the total number of machines in the Internet need to install the tool. If there are > computers in the Internet, the Virus Throttle tool needs to be installed on more than ²n5 6³ computers to defend against the worm effectively. The resource consumption may be overwhelming.

E. Comparison of Different Defense Systems

Based on the above analysis, we summarize the defense systems in Table II for comparison. The table shows that the defense systems can be divided into two groups:
) Systems that exploit the number of vulnerable machines: patching, WPDD, and Virus Throttle.
) Systems that exploit the scanning rate: LaBrea and Virus Throttle.
We find that in order to fight against the Code-Red-v-like worm effectively, Group requires at least 5% of vulnerable machines to be patched, monitored, or installed with the tool. Group needs either more than unused IP addresses monitored or T n±t M{ vulnerable machines with the tool installed. These data show a challenge for defending today's Internet.

TABLE II. COMPARISON OF DIFFERENT DEFENSE SYSTEMS
Defense system | Parameters mitigated | Resource requirements
Patching | number of vulnerable machines | at least 5% vulnerable machines
WPDD | number of vulnerable machines | at least 5% vulnerable machines ( µ c ¹ )
LaBrea | scanning rate | at least º»¼ unused IP addresses
Virus Throttle | number of vulnerable machines and scanning rate | at least 5% ½ 5% vulnerable machines

F. Effectiveness of Combining Defense Systems

While the defense systems have been analyzed separately, one interesting question is whether different systems can be combined to defend against worms more effectively. We conduct an initial investigation of this question through two cases.

) WPDD and LaBrea: When the WPDD system and LaBrea are used to defend against active worms at the same time, this combined defense system has the characteristics of both WPDD and LaBrea, reducing both the number of vulnerable machines and the scanning rate. Therefore, Equations (), () and (4) become
= ) 4+ g o? s AG ()
@ ; F ( ) @ - s o? AG (4)
; F ( ) /-t o? AG (5)
where C, =>?, @ ¾ s, P A ¾? P! J&$ ', and À ( ) P -w o p A. is the number of computers patched and is the number of unused IP addresses monitored by LaBrea. Figure shows the performance of this combined system. One curve corresponds to a combination of monitoring .5% of vulnerable machines using the WPDD system and monitoring JÁ unused IP addresses using LaBrea. The other curve corresponds to monitoring 5% of vulnerable machines using WPDD without LaBrea. The third curve is for monitoring addresses using LaBrea only. These three curves have similar performance, showing that the combination does not improve the performance. However, when one specific defense system cannot acquire enough resources to fight against worms, the combination reduces the resource requirement for each individual system. This provides hope for using different types of defense systems to win the war between defenders and attackers.

[Fig. plot: curves for WPDD .5% machines without LaBrea; LaBrea 7 addresses without WPDD; WPDD 5% machines without LaBrea; WPDD .5% machines and LaBrea 7 addresses; LaBrea 8 addresses without WPDD; axis values not recoverable]

Fig. . Performance of combining WPDD (}Â~+«8Ã Ä ) and LaBrea. All cases are for 5, vulnerable machines, starting on a single machine, a scanning rate of scans/second, a death rate of . /second, a patching rate of . /second, and a time period of second to complete infection.

) LaBrea and Virus Throttle: When LaBrea and Virus Throttle are used to defend against active worms at the same time, both the outgoing scans (because of Virus Throttle) and the incoming scans (because of LaBrea) are reduced. Here we ignore the ability of Virus Throttle to detect a worm, i.e. o , in order to compare the ability of different systems to restrict the scanning rate. For the combined defense system, Equation () becomes
@ q ( ) @ J - AG? -? s (6)
where ÆC, @ > Åš, ÇP and A > >. In the above equation, is the number of unused IP addresses monitored by LaBrea and is the number of vulnerable machines monitored by Virus Throttle. and š denote the time for the worm to complete infection and the number of scanning threads generated by the worm. For the Code-Red-v-like worm, š È [] and . denotes the duration between timeouts in the delay queue of Virus Throttle. Figure shows the performance of this combined system, which is a combination of monitoring JÁ unused IP addresses using LaBrea and monitoring 5% of vulnerable machines using Virus Throttle. We find that the performance of this combined system is similar to that of the system monitoring unused IP addresses using LaBrea without Virus Throttle and to that of the system monitoring 5% of vulnerable machines using Virus Throttle without LaBrea. However, from the view of the time that a worm needs to reach the peak, the curves indicate that a system monitoring 5% of vulnerable machines using Virus Throttle without LaBrea has the best performance in delaying the spread of the worm, while the combined system has better performance than the system that monitors unused IP addresses using LaBrea without Virus Throttle. Therefore, the combined system has the features of both LaBrea and Virus Throttle.

[Fig. plot: curves for LaBrea 7 addresses without Throttle; Throttle 5% machines without LaBrea; LaBrea 8 addresses without Throttle; LaBrea 7 addresses and Throttle 5% machines; Throttle 5% machines without LaBrea; axis values not recoverable]

Fig. . Performance of combining LaBrea and Virus Throttle (}Â~=«). All cases are for 5, vulnerable machines, starting on a single machine, a scanning rate of scans/second, a death rate of . /second, a patching rate of . /second, a time period of second to complete infection, and a time period of second between timeouts for the delay queue.

V. CONCLUSIONS

In this paper, we have investigated the performance of different host-based defense systems against active worms using a discrete-time (AAWP) model. We have shown that the ability of worm propagation is constrained by three parameters: number of vulnerable machines, scanning rate, and time to complete infection. We have found that most of the existing defense systems essentially exploit some of these parameters. Focusing on the Code-Red-v-like worm, we have performed a quantitative study on how well a system can slow down the propagation of worms. Four available systems have been investigated: patching, the WPDD system, LaBrea, and Virus Throttle. These systems are divided into two groups. One group exploits the number of vulnerable machines, and requires at least 5% of vulnerable machines to be patched or monitored.
The other group focuses on the scanning rate, and needs more than unused IP addresses or T nét S{ vulnerable machines with the tool installed. These results show a challenge for current computer systems to possess enough resources for fighting against worms. We have explored the idea of combining different defense systems and found that while it is hard for a single system to acquire enough resources, one could combine all systems to make effective defense possible. As part of our ongoing work, we will further study the optimal combination of different defense systems. In addition, we will study the effectiveness of defense systems on a worm that employs other scanning methods, such as localized scanning.

REFERENCES
[] eEye Digital Security, Microsoft SQL Sapphire Worm Analysis, http://www.eeye.com/html/research/flash/al5.html.
[] CERT, CERT Advisory CA--4 MS-SQL Server Worm, http://www.cert.org/advisories/ca--4.html.
[] B. Krebs, Internet Worm Hits Airline, Banks, SecurityFocus News, http://online.securityfocus.com/news/67.
[4] C. C. Zou, W. Gong, and D. Towsley, Code Red Worm Propagation Modeling and Analysis, 9th ACM Conference on Computer and Communication Security (CCS ), Nov. 8-, Washington DC, USA, .
[5] Z. Chen, L. Gao, and K. Kwiat, Modeling the Spread of Active Worms, in INFOCOM, San Francisco, CA, April.
[6] D. Moore, C. Shannon, G. M. Voelker, and S. Savage, Internet Quarantine: Requirements for Containing Self-Propagating Code, in INFOCOM, San Francisco, CA, April.
[7] J. O. Kephart and S. R. White, Directed-Graph Epidemiological Models of Computer Viruses, in Proceedings of the 99 IEEE Computer Society Symposium on Research in Security and Privacy, 99, pp. 4-59.
[8] N. Weaver, Warhol Worms: The Potential for Very Fast Internet Plagues, http://www.cs.berkeley.edu/~nweaver/warhol.html.
[9] S. Staniford, V. Paxson, and N. Weaver, How to 0wn the Internet in Your Spare Time, in the Proceedings of the th USENIX Security Symposium (Security ).
[] T. Liston, Welcome to My Tarpit: The Tactical and Strategic Use of LaBrea, http://www.hackbusters.net/labrea/labrea.txt.
[] M. M. Williamson, Throttling Viruses: Restricting propagation to defeat malicious mobile code, 8th Annual Computer Security Applications Conference, Las Vegas, Nevada, December, .
[] J. Twycross and M. M. Williamson, Implementing and testing a virus throttle, USENIX Security Symposium, .
[] eEye Digital Security, .ida Code Red Worm, Advisory AL77, July, http://www.eeye.com/html/research/advisories/al77.html.
[4] CERIAS Intrusion Detection Research Group, Purdue University, http://www.cerias.purdue.edu/.
[5] CERIAS Intrusion Detection Research Group, Purdue University, Digging For Worms, Fishing For Answers, 8th Annual Computer Security Applications Conference, Las Vegas, Nevada, December, .
[6] T. Liston, LaBrea, http://www.hackbusters.net/labrea/.
[7] C. C. Zou, W. Gong, and D. Towsley, Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense, ACM CCS Workshop on Rapid Malcode (WORM ), Oct. 7, Washington DC, USA, .
[8] Y. Wang and C. Wang, Modeling Timing Parameters for Virus Propagation on the Internet, ACM CCS Workshop on Rapid Malcode (WORM ), Oct. 7, Washington DC, USA, .