The Design and Evaluation of a Defense System for Internet Worms
Many areas of society have become heavily dependent on services, such as transportation and utilities, that are implemented in part by large numbers of computers and communication links. Both past incidents and research studies show that a well-engineered Internet worm can disable such systems in a fairly simple way and, most notably, in a matter of minutes. This indicates the need for defenses against worms, but their speed rules out countering outbreaks manually. We present a platform that emulates the epidemic behavior of active Internet worms. For purposes of experimentation, the platform has been deployed on a cluster of computers to emulate worm outbreaks in very large networks; a wide variety of worm properties can be studied and network topologies of interest constructed. A reactive control system, based on the Willow architecture and the OOPS policy framework, operates on top of the platform and provides a monitor/analyze/respond approach that deals with infections automatically. The logic driving the control system is synthesized from a formal specification based on control rules that correlate sensor events.
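To make the monitor/analyze/respond loop concrete, here is a small added illustration (not the paper's platform, and not the Willow or OOPS code it builds on): a discrete-time emulation of a random-scanning worm on a network with a dark address range, a darknet sensor that reports probes into that range, and a controller whose single control rule fires when the sensor events in a sliding window exceed a threshold. The response, quarantining the sources the sensor observed and switching on a leaky border filter, is an assumption chosen for the example, as are all host counts, scan rates and thresholds.

```python
"""Toy emulation of a random-scanning worm with a reactive monitor/analyze/respond
controller.  Added illustration only: the epidemic model, the darknet sensor and the
control rule are simplifications chosen here, not the paper's platform, Willow or OOPS."""
import random
from dataclasses import dataclass, field


@dataclass
class Network:
    n_hosts: int                 # live, vulnerable hosts occupy addresses 0..n_hosts-1
    addr_space: int              # every address >= n_hosts is dark (unused) space
    infected: set = field(default_factory=set)
    quarantined: set = field(default_factory=set)   # egress blocked by the controller
    filter_active: bool = False  # border filter deployed by the controller (assumed response)
    filter_leak: float = 0.2     # assumed fraction of worm probes the filter misses


def worm_step(net, scans_per_host, rng):
    """Advance the emulated worm by one time step.

    Each infected host that is not quarantined probes scans_per_host random addresses.
    Probes to live, uninfected hosts infect them (unless the border filter drops them);
    probes into dark space are the sensor events a network telescope would report.
    Returns (dark_hits, newly_infected); dark_hits is a list of (src, dst) pairs."""
    dark_hits, newly = [], set()
    for src in net.infected - net.quarantined:
        for _ in range(scans_per_host):
            dst = rng.randrange(net.addr_space)
            if dst >= net.n_hosts:
                dark_hits.append((src, dst))          # sensor event
            elif net.filter_active and rng.random() >= net.filter_leak:
                continue                              # filter dropped the probe
            elif dst not in net.infected:
                newly.add(dst)
    net.infected |= newly
    return dark_hits, newly


class ReactiveController:
    """Monitor/analyze/respond loop driven by one control rule over sensor events."""

    def __init__(self, window=3, threshold=20):
        self.window = window        # number of recent steps the rule correlates
        self.threshold = threshold  # dark hits within the window that signal a worm
        self.history = []           # dark-hit counts per step (the monitor's log)
        self.responses = 0

    def observe(self, dark_hits):
        """Monitor: record this step's sensor reading."""
        self.history.append(len(dark_hits))

    def analyze(self):
        """Analyze: the control rule correlates the sensor events of the last `window` steps."""
        return sum(self.history[-self.window:]) >= self.threshold

    def respond(self, net, dark_hits):
        """Respond: block egress from every host the telescope saw scanning and
        deploy the border filter.  Returns the set of hosts quarantined this step."""
        sources = {src for src, _ in dark_hits}
        net.quarantined |= sources
        net.filter_active = True
        self.responses += 1
        return sources


def run(steps=40, n_hosts=500, addr_space=5000, scans_per_host=10, seed=7, controller=None):
    """Emulate an outbreak from a single seed host (address 0) with constructed parameters.
    Returns the final Network and a per-step timeline of (step, infected, quarantined)."""
    rng = random.Random(seed)
    net = Network(n_hosts, addr_space, infected={0})
    timeline = []
    for t in range(steps):
        dark_hits, _ = worm_step(net, scans_per_host, rng)
        if controller is not None:
            controller.observe(dark_hits)
            if controller.analyze():
                controller.respond(net, dark_hits)
        timeline.append((t, len(net.infected), len(net.quarantined)))
    return net, timeline


if __name__ == "__main__":
    unprotected, _ = run()
    protected, _ = run(controller=ReactiveController())
    print("no controller  :", len(unprotected.infected), "of", unprotected.n_hosts, "hosts infected")
    print("with controller:", len(protected.infected), "infected,",
          len(protected.quarantined), "quarantined")
```

Without the controller the worm saturates the 500 emulated hosts well inside the 40 steps, because each infected host finds about one new victim per step. With the controller, the rule fires as soon as two or three hosts are scanning, every scanning host is cut off after a single step, and the filter makes the outbreak subcritical, so only a handful of hosts are ever infected. The point of the structure, rather than the numbers, is that the rule (`analyze`) is the only place policy lives: swapping in a different correlation of sensor events, or a different response, changes nothing in the emulation itself.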