An Approach against a Computer Worm Attack
Ossama Toutonjiand Seong-Moo Yoo
University of Alabama in Huntsville, Department of Electrical and Computer Engineering, Huntsville, Alabama 35899, USA
{toutono; yoos}@eng.uah.edu
Abstract: Building a realistic model for a network defense system against a worm attack is vital to better understand the effects of a worm attack on network assets and functionality. Traditional epidemic worm modeling does not take into consideration the real network topology or network actual defense measures.
In this paper, we reviewed the network defense systems from different perspectives for defining the level of immunity of different parts of the network and ascertaining the real impact of a worm attack on the network. The idea of immunity came from examining and comparing the immune system in the human body to the defense and security measures of computer networks. Then, we developed a novel, realistic model by splitting the network into the highly immune part of the network (HIN) and the partially immune part of the network (PIN) in order to measure the real impact of worm attack on computer network. Next, we evaluated the effectiveness of this model by implementing network defense measurements adopted from the human immune system. Computer simulations show that the infection waves of worms in HIN have minimal impacts compared to those in the PIN.
Keywords: epidemic worm modeling, highly immune part of the network (HIN), human immune system, partially immune part of network (PIN), worm attack.
1.
Introduction
Worm attack [1, 2, 7, 9, 17, 18, 20, 21, 22] still poses an enormous threat to network security. A destructive, automated, and self replicated behavior of a worm causes bandwidth consumption and corrupt network performance. The design of worm code could go beyond the intention to propagate through the network. A malicious code could be built to delete executable files on the attacked machine, create a backdoor listener, and cause a denial-of-service attack. Generally, a worm is categorized according to the way it propagates, installs or lunches. A worm could spread through e-mails, instant messages, internet relay chat, and file sharing.
Burckhardt [4] proposed a virtual reality modeling of infectious diseases in the human population. The model took into consideration several important factors including; the level of contact between individuals and the duration of immunity in the graveyard stage, which considers the fact that individuals who lack immunity in the recovery state will move back to a stage of susceptibility. Burckhardt’s research suggested new ways to reduce widespread infection by using quarantine and treatment in the human population as a future study [3], [4]. Kim and Bentley explored the similarity between the human immune system, network intrusion detection systems and the possibilities of emulating the human immune system, to design a novel network-based intrusion detection system [5]. Castaneda et al. proposed a
new method that generates an anti-worm after detecting and recognizing the payload of the malicious worm. The results showed the effects of implementing anti-worms with respective propagation schemes and the limitation of anti-worms in practical implementations [6]. These worm models assume that all hosts in the network have the same probability to become infected by worms, and; therefore, the same level of vulnerability when it comes to worm attack. Consequently, the results will lead to an unrealistic prediction of the infection wave.
This paper represents new approaches to modeling a worm attack on a computer network; the study took into consideration the pre-existing conditions in different parts of network topology. We reviewed the network from a network security prospective where different parts of the network have different levels of defense and immunity measures. The idea of immunity came from examining and comparing the immune system in the human body to the defense and security measures of computer networks [13], [14], [15], [16]. Then, we developed a novel realistic model by splitting the network into the highly immune part of the network (HIN) and the partially immune part of the network (PIN) in order to measure the real impact of a worm attack on a computer network. Next, we evaluated the effectiveness of this model by implementing network defense measurements adopted from the human immune system. Computer simulations show that the infection waves of worms in HIN have minimal impacts compared to PIN.
This paper is organized as follows: section 2 contains a detailed description of the similarity between the human immune system and a computer network defense system. In this section, we defined the human immune system and we adopt the same concept to invent a new definition for computer network immunity. Section 3 summarizes existing epidemic modeling used as tools for modeling worm attacks on computer networks. In section 4, we present the theoretical and the mathematical approaches for our new realistic epidemic worm modeling epidemic model. The last section includes the conclusion and possibilities for future research.
2.
Similarity between the Human Immune
System and Network Defense System
In the human body, the immune system is a constellation of responses to outside attacks on the human body [6]. The general population represents a network of individuals that interact with each other. The medical measures taken by a community in general and locally by individuals represent the defense system of human beings against the spread of disease. There are three types of immunity in the human
body: active immunity, passive immunity, and hybrid immunity.
1) – Active Human Immunity is acquired from previous viral infections. When an antigen infects the body, it triggers the immune system to develop antibodies from plasma cells found in the bone marrow. Plasma cells will generate B-cells that synthesize antibody molecules. These antibody molecules bind to the antigens and destroy them. The body will keep a copy of all generated antibodies in the immunologic memory to defend against future identical viral infections.
2) – Passive Human Immunity is acquired from vaccination. The antibody will be transferred from an actively immunized individual to a susceptible individual and will work only for a specific type of virus.
3) – Hybrid Human Immunity is acquired from using Monoclonal antibody cells (Hybridmas) produced in a medical laboratory used to treat more complex and serious illnesses. Hybridmas are hybrid cells produced by fusing myeloma cells with the spleen cells from animals such as mice or rabbits that have been immunized from the desired antigen. The main purpose is to stimulate the patient's immune system to fight tumor cells and to prevent tumor growth by blocking specific cell receptors. By comparison, active immunity is longer-lasting and more effective than passive immunity due to the immunologic memory produced by the patient’s own immune system. Passive immunity is produced outside the body and then implanted inside the patient. Hybrid immunity is a combination of both active and passive immunity. It is both a vaccine and a stimulus which combine the characteristics of both active and passive immune systems.
Network immunity consists of network security processes and defense measures that have been implemented to defend the network against inside or outside attacks. It is the software and the hardware security steps taken to secure network infrastructure [3]. Some key characters of human immunity are similar to network immunity. A computer network has similar active, passive, and hybrid defense systems. We will illustrate the three different types of immunity in computer networks and show the similarity and differences between network immunity and the human immune system.
1)-Active Network Immunity is established by using an effective intrusion detection system (IDS) and safe ethical worms. The (IDS) monitors network traffic and blocks suspicious activities by detecting known malicious codes. In 2004, F. Castaneda et. al proposed an automated method to detect worm attack, analyze the worm’s malicious code, and then generate an anti-worm. The generated anti-worm, or ethical worm, has the same self-replication behavior as the bad worm. The ethical worm will spread through the network and overcome the bad worm. Most network security experts still oppose the idea of using ethical worms due to the fact that they could unintentionally cause a denial-of-service attack by breaking applications or consuming network bandwidth, or they could be used by hackers as a tool for a new vulnerability. Both active human immunity and active network immunity have a memory of invaders’ identities that will help identify an attacker, but the main difference is that
active human immunity is dynamically capable of developing immunity for new antigens where (IDS), or safe ethical worms, are only capable of identifying previously known malicious codes. Building a complete active immune system that generates safe ethical worms against newly invented worms is still in ongoing research.
2)-Passive Network Immunity is established by installing antivirus software, downloading the required update patches, configuring a firewall system, and blocking arbitrary outbound connections [10]. In both passive human immunity and passive network immunity, the required immunity must be transferred to the target system.
3)-Hybrid Network Immunity is established by combining both passive and active immunity. Both hybrid human immunity and hybrid network immunity are capable of dealing with more complex and serious invaders. Like the hybrid human immunity, the combined immunity in a hybrid network is capable of defending against a wider range of network attacks.
By analyzing network infrastructure from a security defense perspective, network immunity levels vary depending on the network security steps that have been taken in different sections of the network. The steps needed to achieve and maintain a secure network can be summarized as follows:
1) Assessment: a technical evaluation of network security and defense systems; includes an organization’s policies, procedures, laws, regulations, budgeting, and other managerial duties [3].
2) Protection: previously established defense counter-measures to prevent network attacks.
3) Detection: process for identifying intrusion. 4) Response: measures that will be taken to overcome new attacks.
From the above-mentioned steps; we may split a network into two parts:
a) Highly immune part of the network (HIN): here all network security defense measures have been implemented.
b) Partially immune part of the network (PIN): here, the network is either missing at least one security measure or at least one of the measures has not been fully implemented.
To determine the true impact of a worm attack on network functionality, we took into consideration our network categories and used different values for our model parameters. Our aim is to develop a new realistic approach to worm modeling. The results gave us a close look at the widespread behavior of worms in different parts of the network and the future strategic measures that need to be taken to fight the impact of destructive worm attacks against networks.
Our model was based on the epidemic model in which a host that lacks immunity may return to the susceptible stage, therefore remaining vulnerable to worm attack and possibly becoming re-infected. We built our assumptions on a factual network and defense measurements that are usually performed by information assurance engineers. In a real functional network, the model’s parameters vary depending
on the level of immunity. In PIN, the probability of worm infection is higher than in HIN, which will lead to higher infection rate. The removal rate is smaller due to a higher number of recovered hosts in HIN compared to PIN. We also experienced that the number of hosts moved back to the susceptible stage in PIN is higher when compared to HIN. Based on these observations, we claim that in more realistic worm attack modeling, various model parameters must be used for different parts of the network that have disparate levels of defense, immunity, and monitoring.
3.
Existing Epidemic Models
In this section, we will summarize the basic epidemic models [4], [8], [11], [12], [19] that have been used to model a worm attack on computer networks. Table 1 shows a list of notation and symbols that have been used to develop the set of differential equations in this section for the basic epidemic models.
3.1 Kermack-McKendrick (KM) model
The KM model [8] is an epidemiological model with three main elements:
a) Susceptible hosts: hosts which are vulnerable to worm attack.
b) Infectious hosts: hosts infected by worms.
c) Removed hosts: hosts which have recovered from an attack and are immune to future infection.
This model is considered an SIR (Susceptible, Infectious, and Removed) model. The hosts in this type of modeling could be in any one of the three states: Susceptible (S), Infectious (I), or Removal (R). The model builds on the assumption that the population size is fixed (no births or deaths) and the population is homogenously mixed. A set of nonlinear differential equations describes the change in the population for the different types of hosts. Equations (1-4) describe the KM epidemic model: ( ) ( ) ( ) ( ) dS t t I t S t dt = −β (1) ( ) ( ) ( ) ( ) ( ) dI t t I t S t I t dt =β −γ (2) ( ) ( ) dR t I t dt =γ (3) S t( )+I t( )+R t( )= N (4) By rearranging equation (2): ( ) ( )( ( ) ( ) ) dI t I t t S t dt = β −γ (5)
From (5), we conclude that S0 > γ / β should be satisfied to cause epidemic growth. Where S0 is the initial number of susceptible hosts, ρ = γ / β represents the epidemic threshold and φ = γS0 / β represents the basic reproduction number of
the infection, and φ > 1 will cause the infectious population to grow. Figure 1 shows a state transition of the KM model.
3.2 SIRS model
In the SIRS model [4], there is a state in which the removed host could lose immunity and move back to the susceptible stage. The model is governed by the following set of nonlinear differential equations:
( ) ( ) ( ) ( ) ( ) dS t t I t S t R t dt = −β +µ (6) ( ) ( ) ( ) ( ) ( ) dI t t I t S t I t dt =β −γ (7) ( ) ( ) ( ) dR t I t R t dt =γ −µ (8)
The SIRS model has the same initial conditions as the SIR model regarding a fixed number of hosts and the threshold value criteria. Figure 2 shows a block diagram of SIRS model.
4.
Proposed Computer Network Realistic
Model
The similarity in the behavior between the spread of infection in a human population and the self-replication of a worm in a network environment makes modeling worm attacks on computer networks similar to modeling the spread of viral infection in a human population. The level of immunity in a computer network determines the impact of a worm attack on the computer network. In realistic worm modeling, a network has various levels of immunity. The susceptible population is divided into two groups: the highly immune population and partially immune population. Disparate types of susceptible hosts will behave differently when confronted with a worm attack.
Susceptible Infectious Removal
Figure 2. SIRS epidemic model
Susceptible Infectious Removal
Figure 1. Kermack-McKendrick epidemic model.
Table 1. Notations and initial values of the model used in Section 3
Notation Explanation
I(t) Number of infectious hosts at time t S(t) Number of susceptible hosts at time t R(T) Number of removed hosts at time t
N Size of total vulnerable population
β Infection rate
µ Re-susceptible rate on a removed host
ρ Epidemic threshold
γ Removal rate
The level of immunity in the susceptible hosts will determine the infection rate, the recovery rate and the re-susceptibility rate of the epidemic model. We examined the value of these rates depending on the network immunity level by looking at the main factors that cause changes in these rates. In doing so, we made a detailed comparison between a human population and a computer network. Table 2 shows a list of notations and symbols that we used in this section.
1) Infection rate: In a human population, the infection rate involves major parameters which include the contact rate between humans (θ, human/time), the proportion of infection in the population (I / N), and the transmission infection probability (η). Since we are interested in the interaction
Table 2. Notations and initial values of the proposed model
Notation Explanation Initial value
Ip(t) Number of infectious hosts in PIN at time
t
Ip(0)=1
IH(t) Number of infectious hosts in HIN at time
t
IH(0)=1
Sp(t) Number of susceptible hosts in PIN at
time t
Sp(0)=350,000
SH(t) Number of susceptible hosts in HIN at
time t
SH(0)=650,00
0 Rp(t) Number of removed hosts from PIN at
time t
Rp(t)=0
RH(t) Number of removed hosts from HIN at
time t
RH(0)=0
P
θ Contact rate of PIN 2
H
θ Contact rate of HIN 2
P
η Transmission infection probability for PIN 1
H
η Transmission infection probability for HIN
0.25
P
λ Recovery rate of infectious PIN 0.1
H
λ Recovery rate of infectious HIN 0.25
P
µ Re-susceptible rate of PIN 0.01
H
µ Re-susceptible rate of HIN 5 * 10-6
I(t) Total number of infectious hosts at time t I(0)=2
N Total number of hosts 1,000,000
between susceptible hosts and the infectious hosts, we defined the force of infection as (θ × η × I / N). The change in the number of susceptible hosts is represented by the equation: ( ) dS t I S N dt = × ×θ η × (9)
By adopting the infection parameters in a human population to a network environment, we assumed that hosts in both (PIN) and (HIN) have the same contact rate, and any host in the network will contact the same number of infectious hosts. In (PIN), more hosts will move from the susceptible stage to the infectious stage due to a lack of immunity, leading to a higher rate of infection.
2) Recovery rate: the recovery rate in a human population depends on the period of infection. The recovery rate for k days’ infection is proportional to 1/k. In a network environment, the recovery rate varies depending on the level
3) Re-susceptibility rate: in a human population, the number of people who move from the recovery stage back to the susceptible stage varies depending on the level of immunity in the community. Having more people immunized against widespread viral infection forecasts a small re-susceptibility rate and vice-versa. In a network environment, the same concept could be applied; Figure 3 shows a realistic SIRS modeling of a worm attack on computer network. The changes in the number of susceptible, infectious, and removed hosts for the (PIN) and (HIN) could be described by the following set of differential equations:
1) The set of differential equations for PIN:
( ) ( ) ( ) ( ) p p p p p dS t I t S t R t N dt = − × ×θ η +µ (10) ( ) ( ) ( ) ( ) p p p p p p dI t I t S t I t N dt =θ η× × +λ (11) ( ) ( ) ( ) p p p p p dR t I t R t dt =λ −µ (12) ( ) p p p I t N
F
=θ η
× × (13) p p p p R λ µθ η× + = 0 p (14)Here, Fp represents the force of infection in the PIN
population, R0P represents the basic reproductive rate for the
PIN population, and it satisfies the condition R0P > 1 for the
epidemic to grow.
2) The set of differential equations for HIN:
( ) ( ) ( ) ( ) H H H H H dS t I t S t R t N dt = − × ×θ η +µ (15) ( ) ( ) ( ) ( ) H H H H H H dI t I t S t I t N dt =θ η× × +λ (16) Susceptible (PIN) Susceptible (HIN) Infectious (PIN) Infectious (HIN) Recovery (PIN) Recovery (HIN) FPSP(t) FHSH(t) λPIP(t) λHIH(t) S I R µPRP(t)+µHRH(t)
( ) ( ) ( ) H H H H H dR t I t R t dt =λ −µ (17) ( ) H H H I t F =
θ η
× × N (18) H H H H R λ µθ η× + = H 0 (19)Here, FH represents the force of infection in HIN
population, R0H represents the basic reproductive
rate for the HIN population, and it satisfies the condition R0H > 1 for the epidemic to grow. Now,
N =S tp( )+I tP( )+R tp( )+S tH( )+I tH( )+R tH( ) (20)
5.
Simulation
To identify the realistic effects of a worm attack on a computer network, we simulated our model by using realistic sets of parameters that emphasize the different level of immunity in the network. Then, we used fixed sets of parameters for the entire network. We also examined the relationship between mitigation technique factors, modeling parameters and the effects of changing these parameters on worm propagation.
A – Effects of a worm attack on PIN and HIN populations: Figure 4 shows a SIRS model simulation for both PIN and HIN.
Figure 4. SIRS model for PIN and HIN
In the model, 35% of the susceptible population is partially immune and 65% is highly immune. The probability of infection and the recovery rate for both the PIN and HIN have been set as follows: a) For PIN, the infection probability is 1, all hosts will get infected, and the recovery rate is 0.1; b) For HIN, the probability of infection is 0.25, and the recovery rate is 0.25.
Both PIN and HIN hosts will experience the same interaction with infectious hosts throughout the simulation so they have the same contact rate.
The results shows, as expected, that the number of infectious hosts in PIN is higher than HIN even though the number of HIN’s population is bigger than the PIN’s population due to better defense and security measurements in HIN.
B - Comparison between Traditional and Realistic Worm Modeling:
To identify the realistic effects of a worm attack on a computer network, we ran our model in three different scenarios. First, we simulated our proposed model, R-SIRS, by considering both PIN and HIN parameters. Then we simulated the SIRS model separately in PIN then in HIN parameters. The solid line represents the R-SIRS model. Tp-SIRS represents a traditional SIRS model in PIN parameters. Th-SIRS represents the traditional SIRS model in HIN parameters. Figure 5 shows a comparison of R-SIRS, Tp-SIRS, and Th-SIRS models.
Figure 5. Comparison between R-SIRS, Tr-SIRS, Th-SIRS models
The results show that using unrealistic traditional worm modeling will yield an incorrect estimate of worm infection. From the figure, Tp-SIRS and Th-SIRS infectious populations are different from the R-SIRS model. The number of infectious hosts in the R-SIRS model stands between Tp-SIRS and Th-SIRS infectious populations. The R-SIRS model gives us the real impact of a worm attack on a computer network.
C- The effect of changing the contact rate in the R-SIRS model:
Quarantine of infected patients is one measure of preventing widespread disease in a human population by decreasing the level of contact between infected and healthy individuals, and thereby reducing the number of infectious individuals in the human population.
We apply the same concept to a network environment by using quarantine as a defense technique to reduce the level of worm infection. We simulated the R-SIRS model for four different values of contact rate (2, 3, 4, and 5).
Figure 6. Effect of contact rate
The result in Figure 6 shows that the infectious population decreases by decreasing the contact rate.
D- The effect of changing the probability of infection in the R-SIRS model:
In a human population, vaccination is used to decrease the rate of infection due to the reduction in the probability of infection. Similarly, adding security measures to network assets will enhance the defensive measures of the network against worm attack and decrease the probability of worm infection in a computer network. To examine the realistic impact of adding new mitigation to a network environment, we simulated the R-SIRS model using four different values of infection probability (0.25, 0.35, 0.5, and 1). Figure 7 shows the effect of reducing the probability of infection of worm attack by adding more security measures to the network. The result shows that the number of infectious populations declines when the probability of infection decreases.
Figure 7. Effect of probability of infection
6.
Conclusion
This paper presents a new approach to modeling a worm attack on a computer network by using the R-SIRS model. We built our R-SIRS model by emulating the human immune
system in a network environment. Building worm attack models by using the same capability of the human body to overcome virus infection is a major step in constructing the necessary network defense system against current and future worm attacks. Our simulation results show that worm infection has disparate impacts on different parts of the network based on different levels of immunity.
By adding new mitigation techniques to enhance network security we are changing the model parameters to discover the real impact of a worm attack on network infrastructure. Using traditional modeling of a worm attack on a computer network without studying network immunization topology may lead to underestimation of the security measures needed to defend network security assets. In future research, we would benefit from the similarity between the human immune system and computer network defense measures. We are going to lunch more detailed comparisons toward building ultimate ways to defend the network against worm attacks and test the impact of worm attack on computer networks.
References
[1] Li, M. Salour, and X. Su, “A Survey of Internet Worm Detection and Containment,” IEEE Communications Surveys & Tutorials, vol. 10, no. 1, pp. 20-35, 1st quarter, 2008.
[2] D. Moore, C. Shannon, and J. Brown, “Code Red: a Case Study on the Spread and Victims of an Internet Worm,” Proc. 2nd ACM SIGCOMM Workshop on Internet Measurement, Marseille, France, Nov. 2002. [3] Protecting the Military Cyber Space: DARPA Gears to
Counter Network Worms: website: http://www.defense-update.com/features/du-3-05/feature-worms.htm
[4] F. Burckhardt, “Modeling Infections Deceases in Virtual Realties”.
[5] J. Kim, S. Radhakrishnan, S. K. Dhall “Measurement and Analysis of Worm Propagation on Internet Network Topology,” Proc. IEEE 13th Intl’l Conf. on Computer Communications and Networks (ICCCN ’04), Chicago, 2004, pp. 495-500.
[6] J. Kim, P. Bentley “The Human Immune System and Network Intrusion Detection,” Proc. 7th European Conf. on Intelligent Techniques and Soft Computing (EUFIT ’99).
[7] F. Castaneda, E.C. Sezer, and J. Xu, “Worm vs. Worm: Preliminary Study of an Active Counter-Attack Mechanism,” Proc. 2003 ACM Workshop on Rapid Malcode (WORM’04), pp. 83-93, Washington, DC, Oct. 2004.
[8] C.C. Zou, W. Gong, and D. Towsley, “Code Red Worm Propagation Modeling and Analysis,” 9th ACM Symp. on Computer and Communication Security, pp. 138-147, Washington DC, 2002
[9] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford,, and N. Weaver, “Inside the Slammer Worm,” IEEE Magazine of Security and Privacy, vol. 1, no. 4, pp. 33-39, 2003.
[10]Ed. Skoudis, Malware, Fighting Malicious Code. Saddle River, NJ,Pearson, 2004.
[11]D. J. Daley and J. Gani, Epidemic Modeling: An Introduction, Cambridge, Studies in Mathematical Biology, 2001.
[12]J. Kim, S. Radhakrishnan, and S.K. Dhall, “Measurement and Analysis of Worm Propagation on Internet Network Topology,” Proc. Int’l Conf. on Computer Communications and Networks (ICCCN’04), pp. 495-500, Chicago, Oct. 2004.
[13]J. Li and P. Knickerbocker, “Functional Similarities between Computer Worms and Biological Pathogens,” Computers & Security, 26 (2007), pp. 338-347.
[14] Y. Yang, S. Zhu, and G. Cao, “Improving Sensor Network Immunity under Worm Attacks: a Software Diversity Approach,” ACM Int’l Symp. on Mobile Ad Hoc Networking and Computing (MobiHoc’08), Hong Kong, pp. 149-158, May 2008.
[15] U.S. Department of Health and Human Services National Institutes of Health “Understanding the Immune System How It Works,” NIH Publication No. 07-5423 Sep. 2007.
[16] S. Peng, Y. Li, and B. Zheng, “States and Critical Behavior of Epidemic Spreading on Complex Networks,” 7th World Congress on Intelligent Control and Automation, Chongqing, China, pp. 3481-3486, June 2008.
[17] J. Kim, S. Radhakrishana, and J. Jang, “Cost Optimization in SIS Model of Worm Infection,” ETRI Journal, vol. 28, no. 5, pp. 692-695, Oct. 2006.
[18] X. Yan, and Y. Zou, “Optimal Internet Worm Treatment Strategy Based on the Two-Factor Model,” ETRI Journal, vol. 30, no. 1, pp. 81-88, Feb. 2008.
[19] Z. Jin and M. Haque, “The SIS Epidemic Model with Impulsive Effects,” 8th ACIS Int’l Conf. on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007), Qingdao, China, vol. 3, pp. 505-507, July 2007.
[20] H. Zhou, Y. Wen, and H. Zhao, “Passive Worm Propagation Modeling and Analysis,” Proc. IEEE Int’l Conf. on Computing in the Global Information Technology, Guadelope, French Caribbean, pp. 32, Mar. 2007.
[21] H. Zhou, Y. Wen, and H. Zhao, “Modeling and Analysis of Active Benign Worms and Hybrid Benign Worms Containing the Spread of Worms,” Proc. IEEE Int’l Conf. on Networking (ICN'07), 2007.
[22] O. Toutonji and S. M. Yoo, “Passive Benign Worm Propagation Modeling with Dynamic Quarantine Defense,” KSII Transactions on Internet and information System vol. 3, no. 1, pp. 96-107, Feb. 2009.
