A Queuing Theory Based Model for Studying Intrusion Evolution and Elimination in Computer Networks

In this paper we present a virus propagation and elimination model that takes into account the traffic and server characteristics of the network computers. This model partitions the network nodes into perimeter and non-perimeter nodes. Incoming/outgoing traffic of the network passes through the perimeter of the network, where the perimeter is defined as the set of the servers which are connected directly to the internet. The non-perimeter network nodes, i.e. the computers with no direct internet connection, form a kind of isolated internet connected to the outside world through the perimeter nodes. All network nodes are assumed to process tasks based on the M/M/1 queuing model. Thus, the model behaves as an open network of M/M/1 queues. We study burst intrusions (e.g.denial of service attacks) at the network perimeter and how the intrusion evolves given that, in parallel with the intrusion, anti-virus tasks also propagate in the network and kill intruder tasks. We propose a realistic kind of interactions between these agents that results in a product form steady state distribution of the agent numbers for each network node, much like the product form solution for the distribution of network tasks for Jackson open networks of queues.