Results 1 - 10 of 13
A Social Network Based Patching Scheme for Worm Containment in Cellular Networks
Cited by 12 (6 self)
Recently, cellular phone networks have begun allowing third-party applications to run over certain open-API phone operating systems such as Windows Mobile, iPhone and Google’s Android platform. However, with this increased openness, the fear of rogue programs written to propagate from one phone to another becomes ever more real. This paper proposes a counter-mechanism to contain the propagation of a mobile worm at the earliest stage by patching an optimal set of selected phones. The counter-mechanism continually extracts a social relationship graph between mobile phones via an analysis of the network traffic. As people are more likely to open and download content that they receive from friends, this social relationship graph is representative of the most likely propagation path of a mobile worm. The counter-mechanism partitions the social relationship graph via two different algorithms, balanced and clustered partitioning, and selects an optimal set of phones to be patched first as those which have the capability to infect the most number of other phones. The performance of these partitioning algorithms is compared against a benchmark random partitioning scheme. Through extensive trace-driven experiments using real IP packet traces from one of the largest cellular networks in the US, we demonstrate the efficacy of our proposed counter-mechanism in containing a mobile worm.
On the Performance Evaluation of Encounter-based Worm Interactions Based on Node Characteristics
Cited by 7 (3 self)
An encounter-based network is a frequently-disconnected wireless ad-hoc network requiring nearby neighbors to store and forward data utilizing mobility and encounters over time. Using traditional approaches such as gateways or firewalls for deterring worm propagation in encounter-based networks is inappropriate. We propose models for the worm interaction approach that relies upon automated beneficial worm generation to alleviate problems of worm propagation in such networks. We study and analyze the impact of key mobile node characteristics, including node cooperation, immunization, and on-off behavior, on the worm propagations and interactions. We validate our proposed model using extensive simulations. We also find that, in addition to immunization, cooperation can reduce the level of worm infection. Furthermore, on-off behavior linearly impacts only the timing aspect but not the overall infection. Using realistic mobile network measurements, we find that encounters are non-uniform; the trends are consistent with the model but the magnitudes are drastically different. Immunization seems to be the most effective in such scenarios. These findings provide insight that we hope would aid in developing counter-worm protocols in future encounter-based networks.
Worm Versus Alert: Who Wins in a Battle for Control of a Large-Scale Network?
Cited by 6 (0 self)
Consider the following game between a worm and an alert over a network of n nodes. Initially, no nodes are infected or alerted and each node in the network is a special detector node independently with small but constant probability. The game starts with a single node becoming infected. In every round thereafter, every infected node sends out a constant number of worms to other nodes in the population, and every alerted node sends out a constant number of alerts. Nodes in the network change state according to the following four rules: 1) If a worm is received by a node that is not a detector and is not alerted, that node becomes infected; 2) If a worm is received by a node that is a detector, that node becomes alerted; 3) If an alert is received by a node that is not infected, that node becomes alerted; 4) If a worm or an alert is received by a node that is already infected or already alerted, then there is no change in the state of that node. We make two assumptions about this game. First, that an infected node
Encounter-based Worms: Analysis and Defense
IEEE Conference on Sensor and Ad Hoc Communications and Networks (SECON) 2006 Poster/Demo Session, 2006
Cited by 5 (2 self)
An encounter-based network is a frequently-disconnected wireless ad-hoc network requiring immediate neighbors to store and forward aggregated data for information disseminations. Using traditional approaches such as gateways or firewalls to deter worm propagation in encounter-based networks is inappropriate. We propose a worm interaction approach that relies upon automated beneficial worm generation to alleviate problems of worm propagations in such networks. To understand the dynamics of worm interactions and their performance, we mathematically model worm interactions based on major worm interaction factors, including worm interaction types, network characteristics, and node characteristics using ordinary differential equations and analyze their effects on our proposed metrics. We validate our proposed model using extensive synthetic and trace-driven simulations. We find that all worm interaction factors significantly affect the pattern of worm propagations. For example, immunization linearly decreases the infection of susceptible nodes, while on-off behavior only impacts the duration of infection. Using realistic mobile network measurements, we find that encounters are “bursty”, multi-group, and non-uniform. The trends from the trace-driven simulations are consistent with the model, in general. Immunization and timely deployment seem to be most effective in countering worm attacks in such scenarios, while cooperation may help in a specific case. These findings provide insight that we hope would aid in the development of counter-worm protocols in future encounter-based networks.
Peer to Peer Networks for Defense Against Internet Worms
Cited by 2 (0 self)
Internet worms, which spread in computer networks without human mediation, pose a severe threat to computer systems today. The rate of propagation of worms has been measured to be extremely high and they can infect a large fraction of their potential hosts in a short time. We study two different methods of patch dissemination to combat the spread of worms. We first show that using a fixed number of patch servers performs inadequately against Internet worms. We then show that by exploiting the exponential data dissemination capability of P2P systems, the spread of worms can be halted effectively. We compare the two methods by using fluid models to compute two quantities of interest: the time taken to effectively combat the progress of the worm, and the maximum number of infected hosts. We validate our models using simulations.
Software Self-healing Using Error Virtualization
Despite considerable efforts in both research and development strategies, software errors and subsequent security vulnerabilities continue to be a significant problem for computer systems. The accepted wisdom is to approach the problem with a multitude of tools such as diligent software development strategies, dynamic bug finders and static analysis tools in an attempt to eliminate as many bugs as possible. Unfortunately, history has shown that it is very hard to achieve bug-free software. The situation is further exacerbated by the exorbitant cost of system down-time which some estimates place at six million dollars per hour. In the absence of perfect software, retrofitting error toleration and recovery techniques, in systems not designed to deal with failures, becomes a necessary complement to proactive approaches. Towards this goal, this dissertation introduces and evaluates a set of techniques for recovering program execution in the presence of faults by effectively retrofitting legacy applications with exception handling techniques, Error Virtualization and ASSURE. The main premise of the approach is that there is a mapping between faults
Beating Omniscient Worms with Faulty Detectors
Consider the following game between a worm and an alert over a network of n nodes. Initially, no nodes are infected or alerted and each node in the network is a special detector node independently with small but constant probability, γ. The game starts with a single node becoming infected. In every round thereafter, every infected node sends out β worms to other nodes in the population for some constant β; in addition, every alerted node sends out α alerts for some constant α. Nodes in the network change state according to the following three rules: 1) If a worm is received by a node that is not a detector and is not alerted, that node becomes infected; 2) If a worm is received by a node that is a detector, that node becomes alerted; 3) If an alert is received by a node that is not infected, that node becomes alerted. We allow an infected node to send worm messages to any other node in the network, but, in contrast, allow the alerts to only be sent over a special precomputed overlay network where every node has O(log n) degree. We assume that the infected nodes collaborate with each other, and know everything except which nodes are detectors, and the alerted nodes’ random coin flips. We show, for this game, that it is possible to design an algorithm that can prevent any worm from infecting more than a vanishingly small fraction of the nodes in logarithmic time. In particular, we describe an algorithm and a network that ensures with high probability that at most o(n) nodes can be infected in O(log n) time steps by any worm for α a fixed constant depending only on β and γ. In addition, our algorithm ensures that the number of nodes that may receive a spuriously generated “false alert” is polylogarithmic in n. We complement our theoretical analysis with simulations on networks of size up to 2^25.
A Closer Look at Attack Clustering
Worms cause correlated failure of many systems in a short span of time. Therefore, automated defensive approaches have been proposed to counter growth of worms. However, in addition to worms, many other kinds of cyber-attacks also exhibit significant correlation, albeit with slightly different properties. We argue that those specific correlation properties manifest because of the interaction between the attacker and the defender strategies. We survey the design space of defensive approaches and observe the extent of clustering (correlation) in attacks that these approaches are likely to induce. We highlight the implications of attack clustering on individual firms deploying these various approaches and also on global actors like government and cyber-insurance providers. We use 19 months of honeynet attack data to estimate clustering for some non-worm type attacks.
Analyzing the Interactions of Self-Propagating Codes in Multi-hop Networks
“War of the worms” is a war between opposing computer worms, creating complex worm interactions. For example, in September 2003 the Welchia worms were launched to terminate the Blaster worms and patch the vulnerable hosts. In this paper, we try to answer the following questions: How can we explain the dynamic of such phenomena with a simple mathematical model? How can one worm win this war? How do other factors such as locality preference, bandwidth, worm replication size and reaction time affect the number of infected hosts? We propose a new Worm Interaction Model (based upon and extending beyond the epidemic model) focusing on random-scan worm interactions. We also propose a new set of metrics to quantify the effectiveness of one worm terminating another worm. We validate our worm interaction model using extensive ns-2 simulations. This study provides the first work to characterize and investigate multiple worm interactions of random-scan worms in multi-hop networks. With less than 7% errors, our model shows very accurate approximation of simulated infected hosts for all types of interactions. Furthermore, our estimations in worm interaction model are only off by 4% for simulated total infected hosts and 9% for the simulated infectious period when varying reaction times. The main finding of this study is that the maximum number of infectives can be drastically affected by the type of interaction.

