CSE 525 (Winter 2004)
Topic #9: Malware
Ho Jeong AN
[1] D. Moore, C. Shannon, G. Voelker, S. Savage, "Internet Quarantine: Requirements for Containing Self-Propagating Code", INFOCOM 2003
[2] Z. Chen, L. Gao, K. Kwiat, "Modeling the Spread of Active Worms", INFOCOM 2003
[3] M. Garetto, W. Gong, D. Towsley, "Modeling Malware Spreading Dynamics", INFOCOM 2003
Summary: These three papers model the spread of active (self-propagating, scanning) worms.
First Paper
- Uses the classic epidemiological (susceptible-infected) model of worm spread.
- Potential interventions to mitigate the threat of worms:
- Prevention: reduce the size of the vulnerable population.
- Treatment: use disinfection tools and system update features to clean infected hosts.
- Containment: block infectious communication between infected and uninfected hosts.
- Of the three, containment is the strategy that can be fully automated and is easiest to deploy quickly, which is why the paper focuses on it.
- To model the containment system, the paper studies three parameters:
- Reaction time – To prevent widespread infection, the containment system needs automated methods to detect and react to a worm epidemic; the required reaction time is far shorter than a human-mediated response can achieve.
- Containment strategy – Content filtering (blocking the worm's signature) is significantly more effective than address blacklisting (blocking known-infected hosts).
- Deployment scenario – Containment must be deployed on nearly all Internet paths (e.g., at the 100 largest ASes) for the system to be effective.
Second Paper
- Proposes the Analytical Active Worm Propagation (AAWP) model to characterize the propagation of worms that employ random scanning.
- AAWP is a discrete-time model that differs from the continuous epidemiological model in several ways, so it gives a more precise and accurate picture of the spread.
- The AAWP model is applied to three problems:
- Monitoring – An address space of 2^24 addresses is large enough for a simulation to obtain realistic results, while an address space smaller than 2^20 addresses is not large enough to obtain any realistic information about the spread of worms.
- Detection – A simple sensor detection system (unused IP addresses that should never receive legitimate traffic) is studied. More than 2^18 unused IP addresses are needed for the sensors to detect a Code Red v2-like worm within one hour.
- Defense system – The AAWP model is used to evaluate the LaBrea tarpit defense. An address space of more than 2^18 unused IP addresses is needed by LaBrea to defend against a Code Red v2-like worm effectively.
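As an added worked example (not code from the papers or from this page), the following Python implements the first paper's SI epidemic model and the second paper's AAWP recurrence, and runs a back-of-the-envelope version of the second paper's sensor-detection question (how likely a block of 2^k unused addresses is to see a scan within one hour). The vulnerable population N, the per-host scan rate S and the "Code Red v2-like" parameter values are assumptions, and the AAWP form below omits the paper's death and patching rates.

```python
"""Added example (not from the papers or the course page): the classic SI epidemic
model used by Moore et al. and the AAWP recurrence of Chen et al., plus a
back-of-the-envelope version of the sensor-detection question. Parameter
values below are assumptions chosen to resemble a Code Red v2-like worm."""
import math

T = 2 ** 32       # IPv4 address space; scans pick targets uniformly at random
N = 360_000       # assumed vulnerable population (assumption, not from the page)
S = 358           # assumed scans per minute sent by each infected host (assumption)


def si_infected(t, n0=1, N=N, s=S, T=T):
    """Continuous SI model (first paper): di/dt = beta * i * (1 - i) with
    i = infected fraction and contact rate beta = s*N/T per minute.
    Returns the closed-form (logistic) number of infected hosts at minute t."""
    beta = s * N / T
    i0 = n0 / N
    e = math.exp(beta * t)
    return N * i0 * e / (1.0 - i0 + i0 * e)


def minutes_until_fraction(frac, n0=1, N=N, s=S, T=T):
    """Invert the logistic curve: minutes until `frac` of the population is
    infected. This is the reaction-time bound of the first paper: a perfect,
    universally deployed content filter switched on before this instant caps the
    epidemic below `frac`."""
    beta = s * N / T
    i0 = n0 / N
    return (math.log(frac / (1.0 - frac)) - math.log(i0 / (1.0 - i0))) / beta


def aawp(n0, ticks, N=N, s=S, T=T):
    """AAWP recurrence (second paper), discrete time, one tick per minute:
        n_{i+1} = n_i + (N - n_i) * (1 - (1 - 1/T)^(s * n_i))
    The last factor is the probability that a given still-vulnerable host is hit
    at least once by the s*n_i scans sent in this tick, so several scans landing
    on the same host within a tick are not counted as several infections.
    (The paper's death and patching rates are omitted in this simplified form.)
    Returns the list n_0 .. n_ticks."""
    n = float(n0)
    traj = [n]
    for _ in range(ticks):
        # 1 - (1 - 1/T)^k computed as -expm1(k * log1p(-1/T)) for numerical accuracy
        p_hit = -math.expm1(s * n * math.log1p(-1.0 / T))
        n = n + (N - n) * p_hit
        traj.append(n)
    return traj


def sensor_detection_prob(traj, sensor_addrs, s=S, T=T):
    """Probability that a passive sensor owning `sensor_addrs` unused addresses
    receives at least one worm scan while the trajectory `traj` (one entry per
    tick) unfolds. Each random scan hits the sensor with prob sensor_addrs/T."""
    total_scans = s * sum(traj[:-1])    # scans sent during the ticks
    if total_scans == 0:
        return 0.0
    return -math.expm1(total_scans * math.log1p(-sensor_addrs / T))


if __name__ == "__main__":
    for frac in (0.01, 0.10, 0.50):
        print(f"SI: {frac:.0%} infected after {minutes_until_fraction(frac):7.1f} min")
    traj = aawp(1, 24 * 60)
    for m in (60, 6 * 60, 12 * 60, 24 * 60):
        print(f"AAWP: {traj[m]:9.0f} infected at {m:4d} min, "
              f"SI says {si_infected(m):9.0f}")
    hour = aawp(1, 60)
    for k in (16, 18, 20, 24):
        print(f"sensor of 2^{k} addresses sees the worm within 1 h "
              f"with prob {sensor_detection_prob(hour, 2 ** k):.3f}")
```

With these assumed parameters a sensor of 2^18 unused addresses sees the first-hour scan traffic with probability of roughly 0.97, while 2^16 addresses gives only about 0.6, which is the shape of the second paper's result; the exact numbers depend on N, S and the starting population and are not the paper's own figures. The AAWP step is always at most the Euler step n + (N - n) s n / T of the SI model because 1 - (1 - 1/T)^k <= k/T, which is the overlap-of-scans correction the paper introduces.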
Third Paper
- Builds a stochastic model based on Interactive Markov Chains that gives a probabilistic analysis of the system rather than a single deterministic trajectory.
- Interactive Markov Chains can be used to study the dynamics of malware propagation across a network.
- An exact solution of the stochastic model is a major challenge because of its high computational complexity.
Discussion – We discussed how puzzle net can be used to protect sensor IP addresses from DoS or other attacks.
Presentation: slides