Dynamic control of worm propagation

In a computer network, network security is accomplished using elements like firewalls, hosts, servers, routers, intrusion detection systems, and honey pots. These network elements need to know the nature or anomaly of the worm in priori to detect the attack. Modern day viruses like Code red, Sapphire and Nimda spread very fast. For example, Sapphire can double its size and infect more than 90% of the vulnerable hosts within 10 minutes. Therefore it is impractical if not impossible for human mediated responses to these modern day fast spreading viruses. Several epidemic studies show that automatic tracking of resource usage and control is an effective method in containing the damage. In this paper we propose a state space feedback control model to detect and control the spread of these viruses by measuring the number of connections an infected host makes. The objective of the mechanism is to slow down the spreading velocity of a worm by controlling (delaying) the total number of connections made by an infected host. As expected, the model showed that the sooner the infection is detected the faster the reduction of the spreading velocity. Additionally, the deployment of a controller at different levels (host and firewall) has shown to be very promising.