Title page for ETD etd-05152006-121930

Type of Document Dissertation
Author Hall, Kristopher Joseph
Author's Email Address kjh@ieee.org
URN etd-05152006-121930
Title Thwarting Network Stealth Worms in Computer Networks through Biological Epidemiology
Degree PhD
Department Electrical and Computer Engineering
Advisory Committee
  Advisor Name              Title
  Abbott, A. Lynn           Committee Co-Chair
  Davis, Nathaniel J. IV    Committee Co-Chair
  Arthur, James D.          Committee Member
  Bostian, Charles W.       Committee Member
  Hou, Yiwei Thomas         Committee Member
  Park, Jung-Min Jerry      Committee Member
Keywords
  • Network Stealth Worms
  • Demographic Analysis
  • Bio-mathematical Modeling
  • Epidemiology
  • Network Security
Date of Defense 2006-05-11
Availability unrestricted
This research developed a system, Rx, to provide early identification and effective control of network stealth worms in digital networks through techniques based on biological epidemiology. Network stealth worms comprise a class of surreptitious, self-propagating code that spread over network connections by exploiting security vulnerabilities in hosts. Past outbreaks due to traditional worms subverted hundreds of thousands of machines. Network stealth worms exacerbate that threat by using clandestine methods to maintain a persistent presence in the network.

Biological epidemiology was shown to support the real-time detection, characterization, forecasting, and containment of network stealth worms. Epidemiology describes a scientific methodology in biology that seeks to understand, explain, and control disease. Bio-mathematical modeling led to the development of a mechanism for digital networks to identify worm infection behavior buried in anomaly data, to characterize a worm, and to forecast the temporal spread of a worm. Demographic analysis of the infected hosts revealed the subset of vulnerable machines within the population. The automated response of advanced quarantine used this information to control the spread of an identified worm by isolating both infected and vulnerable machines.

The novel contributions of this research included the identification of a network stealth worm at the network-level based on end-host reports while simultaneously characterizing and forecasting the spread of the worm. Additionally, this task offered the technique of advanced quarantine through demographic analysis of the population. This work resulted in a scalable, fault-tolerant strategy that dramatically enhanced the survival rate of network hosts under attack by a stealth worm. Moreover, this approach did not require new hardware, changes to existing protocols, or participation outside the implementing organization.

This research also showed application to a wider range of challenges. The bio-mathematical models are extensible, allowing Rx to respond to variations on the self-propagating code presented here. The approach is applicable to other forms of malware beyond self-propagating code by interchanging the epidemic model with a more appropriate one. Lastly, the strategy allowed anomaly detectors to be sensitive to lower reporting thresholds and to a variety of often benign yet potentially useful events.

  Filename               Size       Approximate Download Time (Hours:Minutes:Seconds)
                                    28.8 Modem   56K Modem   ISDN (64 Kb)   ISDN (128 Kb)   Higher-speed Access
  hall_dissertation.pdf  965.60 Kb  00:04:28     00:02:17    00:02:00       00:01:00        00:00:05
