Recent advancements in Internet worm propagation techniques have generated interest in the development of appropriate defense techniques against such worms. Modeling the behaviour of worm defense techniques to better understand and measure their defense capabilities is crucial to developing effective defenses. This paper presents a discrete-time model of our previously proposed host-based worm detection and collaborative network containment defense technique, which we referred to as the Analytical Active Worm Containment (AAWC) model. The AAWC model captures the protection capability of the proposed technique by modeling the host population protected from fast-spreading scanning intrusion attacks, such as worms, in a large-scale network. Analysing the model alongside an existing discrete-time worm propagation model, we demonstrate quantitatively the effectiveness of our proposed detection and containment technique in defending against fast-spreading scanning worms. Based on the host-based worm detection technique, we also develop a continuous-time probability model for the worm detection interval, which uniquely captures the relationship between the worm scanning rate and the detection interval of the worm. Further, we investigate the introduction of immunization to our containment technique and show the resultant effect on a vulnerable population under attack using the developed model. Copyright 2008 ACM.

Additional Metadata
Keywords: Active worms, Containment, Detection, Immunization, Intrusion
Conference: 11th Communications and Networking Simulation Symposium, CNS'08
Akujobi, F. (Frank), Lambadaris, I., & Kranakis, E. (2008). Modeling host-based detection and active worm containment. Presented at the 11th Communications and Networking Simulation Symposium, CNS'08. doi:10.1145/1400713.1400750