ABSTRACT
Stochastic activity networks (SANs) are a widely used formalism for describing complex systems that have random behavior. Sophisticated software tools exist for the modeling and analysis of systems described within a SAN framework. This paper presents a SAN model of a local area network's defense against Internet worm propagation, measuring the effectiveness of a defensive strategy based on removing hosts from the local network once an infection is detected. We consider the problem of deciding whether to allocate resources to remove an infected host (and thereby reduce the threat), or to remove a susceptible but as-yet uninfected host, to directly save it from attack. Considering a parameterized range of policies that make this decision based on the number of infections in the local network, we find a marked preference for always removing one type of host when possible, over the other, regardless of the infection state. We furthermore see that whether preference should be given to infected hosts or susceptible hosts depends on the relative speeds at which they are removed. Finally, we see that a worm attack can be effectively countered provided that the aggregate rate at which hosts can be removed is on the order of the aggregate infection rate at the time the defense is engaged. Our effort demonstrates the utility of using sophisticated modeling tools to study worm defense and the policy decisions surrounding it.
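As an added illustration of the decision problem described in the abstract, and not code from the paper or from any SAN tool: a small continuous-time Markov chain of one local network under worm attack, simulated with Gillespie's algorithm, in which the removal policy is parameterized by an infection-count threshold. The host count, all rates and the shape of the policy family are assumptions chosen for this example.

```python
import random
from dataclasses import dataclass

@dataclass
class Params:                 # all values are assumed for illustration, not taken from the paper
    n_hosts: int = 50         # hosts on the local network
    beta: float = 0.02        # infection rate per (infected, susceptible) pair inside the LAN
    ext: float = 0.002        # rate at which each susceptible host is infected from the Internet
    mu_i: float = 1.0         # rate at which the defense removes one infected host
    mu_s: float = 2.0         # rate at which the defense removes one susceptible host
    horizon: float = 500.0    # simulated time budget

def choose_target(infected: int, susceptible: int, threshold: int) -> str:
    """Policy family parameterised by an infection-count threshold: remove an infected
    host once at least `threshold` infections exist, otherwise a susceptible one, falling
    back to whichever kind is still present (0 = always prefer infected hosts;
    > n_hosts = always prefer susceptible hosts)."""
    if infected > 0 and infected >= threshold:
        return "infected"
    if susceptible > 0:
        return "susceptible"
    return "infected" if infected > 0 else "none"

def simulate(p: Params, threshold: int, seed: int = 0) -> dict:
    """Gillespie simulation of one attack: hosts ever infected, saved (removed while
    still susceptible), and still susceptible when the run ended."""
    rng = random.Random(seed)
    s, i, t, infected_total, saved = p.n_hosts, 0, 0.0, 0, 0
    while t < p.horizon and (s > 0 or i > 0):
        target = choose_target(i, s, threshold)
        r_inf = p.beta * i * s + p.ext * s                       # aggregate infection rate
        r_rem = {"infected": p.mu_i, "susceptible": p.mu_s}.get(target, 0.0)
        total = r_inf + r_rem
        if total == 0.0:                                         # nothing left that can happen
            break
        t += rng.expovariate(total)                              # time to the next event
        if rng.random() * total < r_inf:                         # a susceptible host is infected
            s, i, infected_total = s - 1, i + 1, infected_total + 1
        elif target == "infected":                               # defense removes an infected host
            i -= 1
        else:                                                    # defense removes a susceptible host
            s, saved = s - 1, saved + 1
    return {"infected": infected_total, "saved": saved, "susceptible_left": s}

def mean_infected(p: Params, threshold: int, runs: int = 20) -> float:
    """Average number of hosts ever infected under one policy over seeded runs."""
    return sum(simulate(p, threshold, seed)["infected"] for seed in range(runs)) / runs
```

Calling `mean_infected(Params(), k)` for `k` in 0, 5, 10 and `n_hosts + 1` compares the two extreme "always prefer one kind" policies with threshold policies in between; raising or lowering `mu_i` and `mu_s` relative to the initial aggregate infection rate shows the dependence on removal speed that the abstract describes.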