47

International Journal of Communication Networks and Information Security (IJCNIS) Vol. 1, No. 2, August 2009

An Approach against a Computer Worm Attack

Ossama Toutonji and Seong-Moo Yoo

University of Alabama in Huntsville, Department of Electrical and Computer Engineering,

Huntsville, Alabama 35899, USA
{toutono; yoos}@eng.uah.edu

Abstract: Building a realistic model for a network defense recognizing the payload of the malicious worm. The results
system against a worm attack is vital to better understand the showed the effects of implementing anti-worms with
effects of a worm attack on network assets and functionality. respective propagation schemes and the limitation of anti-
Traditional epidemic worm modeling does not take into worms in practical implementations [6]. These worm models
consideration the real network topology or network actual defense
assume that all hosts in the network have the same
measures.
In this paper, we reviewed the network defense systems from probability to become infected by worms, and; therefore, the
different perspectives for defining the level of immunity of same level of vulnerability when it comes to worm attack.
different parts of the network and ascertaining the real impact of a Consequently, the results will lead to an unrealistic
worm attack on the network. The idea of immunity came from prediction of the infection wave.
examining and comparing the immune system in the human body to This paper represents new approaches to modeling a
the defense and security measures of computer networks. Then, we worm attack on a computer network; the study took into
developed a novel, realistic model by splitting the network into the consideration the pre-existing conditions in different parts of
highly immune part of the network (HIN) and the partially immune network topology. We reviewed the network from a network
part of the network (PIN) in order to measure the real impact of
security prospective where different parts of the network
worm attack on computer network. Next, we evaluated the
effectiveness of this model by implementing network defense have different levels of defense and immunity measures. The
measurements adopted from the human immune system. Computer idea of immunity came from examining and comparing the
simulations show that the infection waves of worms in HIN have immune system in the human body to the defense and
minimal impacts compared to those in the PIN. security measures of computer networks [13], [14], [15],
[16]. Then, we developed a novel realistic model by splitting
Keywords: epidemic worm modeling, highly immune part of the the network into the highly immune part of the network
network (HIN), human immune system, partially immune part of (HIN) and the partially immune part of the network (PIN) in
network (PIN), worm attack. order to measure the real impact of a worm attack on a
computer network. Next, we evaluated the effectiveness of
this model by implementing network defense measurements
1. Introduction adopted from the human immune system. Computer
simulations show that the infection waves of worms in HIN
Worm attack [1, 2, 7, 9, 17, 18, 20, 21, 22] still poses an
have minimal impacts compared to PIN.
enormous threat to network security. A destructive,
This paper is organized as follows: section 2 contains a
automated, and self replicated behavior of a worm causes
detailed description of the similarity between the human
bandwidth consumption and corrupt network performance.
immune system and a computer network defense system. In
The design of worm code could go beyond the intention to
this section, we defined the human immune system and we
propagate through the network. A malicious code could be
adopt the same concept to invent a new definition for
built to delete executable files on the attacked machine,
computer network immunity. Section 3 summarizes existing
create a backdoor listener, and cause a denial-of-service
epidemic modeling used as tools for modeling worm attacks
attack. Generally, a worm is categorized according to the
on computer networks. In section 4, we present the
way it propagates, installs or lunches. A worm could spread
theoretical and the mathematical approaches for our new
through e-mails, instant messages, internet relay chat, and
realistic epidemic worm modeling epidemic model. The last
file sharing.
section includes the conclusion and possibilities for future
Burckhardt [4] proposed a virtual reality modeling of
research.
infectious diseases in the human population. The model took
into consideration several important factors including; the
level of contact between individuals and the duration of 2. Similarity between the Human Immune
immunity in the graveyard stage, which considers the fact System and Network Defense System
that individuals who lack immunity in the recovery state will In the human body, the immune system is a constellation
move back to a stage of susceptibility. Burckhardt’s research
of responses to outside attacks on the human body [6]. The
suggested new ways to reduce widespread infection by using
general population represents a network of individuals that
quarantine and treatment in the human population as a future
interact with each other. The medical measures taken by a
study [3], [4]. Kim and Bentley explored the similarity
between the human immune system, network intrusion community in general and locally by individuals represent
detection systems and the possibilities of emulating the the defense system of human beings against the spread of
human immune system, to design a novel network-based disease. There are three types of immunity in the human
intrusion detection system [5]. Castaneda et al. proposed a body: active immunity, passive immunity, and hybrid
new method that generates an anti-worm after detecting and immunity.
 48
International Journal of Communication Networks and Information Security (IJCNIS) Vol. 1, No. 2, August 2009
1) – Active Human Immunity is acquired from previous active immune system that generates safe ethical worms
viral infections. When an antigen infects the body, it triggers against newly invented worms is still in ongoing research.
the immune system to develop antibodies from plasma cells 2)-Passive Network Immunity is established by installing
found in the bone marrow. Plasma cells will generate B-cells antivirus software, downloading the required update patches,
that synthesize antibody molecules. These antibody configuring a firewall system, and blocking arbitrary
molecules bind to the antigens and destroy them. The body outbound connections [10]. In both passive human immunity
will keep a copy of all generated antibodies in the and passive network immunity, the required immunity must
immunologic memory to defend against future identical viral be transferred to the target system.
infections. 3)-Hybrid Network Immunity is established by combining
2) – Passive Human Immunity is acquired from both passive and active immunity. Both hybrid human
vaccination. The antibody will be transferred from an immunity and hybrid network immunity are capable of
actively immunized individual to a susceptible individual dealing with more complex and serious invaders. Like the
and will work only for a specific type of virus. hybrid human immunity, the combined immunity in a hybrid
3) – Hybrid Human Immunity is acquired from using network is capable of defending against a wider range of
Monoclonal antibody cells (Hybridmas) produced in a network attacks.
medical laboratory used to treat more complex and serious By analyzing network infrastructure from a security
illnesses. Hybridmas are hybrid cells produced by fusing defense perspective, network immunity levels vary
myeloma cells with the spleen cells from animals such as depending on the network security steps that have been taken
mice or rabbits that have been immunized from the desired in different sections of the network. The steps needed to
antigen. The main purpose is to stimulate the patient's achieve and maintain a secure network can be summarized as
immune system to fight tumor cells and to prevent tumor follows:
growth by blocking specific cell receptors. By comparison, 1) Assessment: a technical evaluation of network
active immunity is longer-lasting and more effective than security and defense systems; includes an organization’s
passive immunity due to the immunologic memory produced policies, procedures, laws, regulations, budgeting, and
by the patient’s own immune system. Passive immunity is other managerial duties [3].
produced outside the body and then implanted inside the 2) Protection: previously established defense counter-
patient. Hybrid immunity is a combination of both active and measures to prevent network attacks.
passive immunity. It is both a vaccine and a stimulus which 3) Detection: process for identifying intrusion.
combine the characteristics of both active and passive 4) Response: measures that will be taken to overcome
immune systems. new attacks.
Network immunity consists of network security processes From the above-mentioned steps; we may split a network
and defense measures that have been implemented to defend into two parts:
the network against inside or outside attacks. It is the a) Highly immune part of the network (HIN): here all
software and the hardware security steps taken to secure network security defense measures have been
network infrastructure [3]. Some key characters of human implemented.
immunity are similar to network immunity. A computer b) Partially immune part of the network (PIN): here,
network has similar active, passive, and hybrid defense the network is either missing at least one security
systems. We will illustrate the three different types of
measure or at least one of the measures has not been
immunity in computer networks and show the similarity and
fully implemented.
differences between network immunity and the human
immune system.
1)-Active Network Immunity is established by using an To determine the true impact of a worm attack on network
effective intrusion detection system (IDS) and safe ethical functionality, we took into consideration our network
worms. The (IDS) monitors network traffic and blocks categories and used different values for our model
suspicious activities by detecting known malicious codes. In parameters. Our aim is to develop a new realistic approach to
2004, F. Castaneda et. al proposed an automated method to worm modeling. The results gave us a close look at the
detect worm attack, analyze the worm’s malicious code, and widespread behavior of worms in different parts of the
then generate an anti-worm. The generated anti-worm, or network and the future strategic measures that need to be
ethical worm, has the same self-replication behavior as the taken to fight the impact of destructive worm attacks against
bad worm. The ethical worm will spread through the networks.
network and overcome the bad worm. Most network security Our model was based on the epidemic model in which a
experts still oppose the idea of using ethical worms due to host that lacks immunity may return to the susceptible stage,
the fact that they could unintentionally cause a denial-of- therefore remaining vulnerable to worm attack and possibly
service attack by breaking applications or consuming becoming re-infected. We built our assumptions on a factual
network bandwidth, or they could be used by hackers as a network and defense measurements that are usually
tool for a new vulnerability. Both active human immunity performed by information assurance engineers. In a real
and active network immunity have a memory of invaders’ functional network, the model’s parameters vary depending
identities that will help identify an attacker, but the main on the level of immunity. In PIN, the probability of worm
difference is that active human immunity is dynamically infection is higher than in HIN, which will lead to higher
capable of developing immunity for new antigens where infection rate. The removal rate is smaller due to a higher
(IDS), or safe ethical worms, are only capable of identifying number of recovered hosts in HIN compared to PIN. We also
previously known malicious codes. Building a complete experienced that the number of hosts moved back to the
 49
International Journal of Communication Networks and Information Security (IJCNIS) Vol. 1, No. 2, August 2009
susceptible stage in PIN is higher when compared to HIN. Notation Explanation
Based on these observations, we claim that in more realistic I(t) Number of infectious hosts at time t
worm attack modeling, various model parameters must be S(t) Number of susceptible hosts at time t
used for different parts of the network that have disparate R(T) Number of removed hosts at time t
levels of defense, immunity, and monitoring. N Size of total vulnerable population
β Infection rate
µ Re-susceptible rate on a removed host
3. Existing Epidemic Models ρ Epidemic threshold
In this section, we will summarize the basic epidemic models γ Removal rate
φ Reproduction number of infection
[4], [8], [11], [12], [19] that have been used to model a worm
attack on computer networks. Table 1 shows a list of Table 1. Notations and initial values of the model used in
notation and symbols that have been used to develop the set Section 3
of differential equations in this section for the basic epidemic
models. 3.2 SIRS model
In the SIRS model [4], there is a state in which the removed
3.1 Kermack-McKendrick (KM) model host could lose immunity and move back to the susceptible
stage. The model is governed by the following set of
The KM model [8] is an epidemiological model with three nonlinear differential equations:
main elements:
a) Susceptible hosts: hosts which are vulnerable to dS (t )
worm attack. dt = − β (t ) I (t ) S (t ) + µ R (t ) (6)
b) Infectious hosts: hosts infected by worms. dI (t )
c) Removed hosts: hosts which have recovered from an dt = β (t ) I (t ) S (t ) − γ I (t ) (7)
attack and are immune to future infection. dR (t )
This model is considered an SIR (Susceptible, Infectious, dt = γ I (t ) − µ R (t ) (8)
and Removed) model. The hosts in this type of modeling
could be in any one of the three states: Susceptible (S), The SIRS model has the same initial conditions as the SIR
Infectious (I), or Removal (R). The model builds on the model regarding a fixed number of hosts and the threshold
assumption that the population size is fixed (no births or value criteria. Figure 2 shows a block diagram of SIRS
deaths) and the population is homogenously mixed. A set of model.
nonlinear differential equations describes the change in the
population for the different types of hosts. Equations (1-4) Susceptible Infectious Removal
describe the KM epidemic model:

dS (t )
dt = − β (t ) I (t ) S (t ) (1) Figure 2. SIRS epidemic model
dI (t )
dt = β (t ) I (t ) S (t ) − γ I (t ) (2) 4. Proposed Computer Network Realistic
dR (t ) Model
dt = γ I (t ) (3)
S (t ) + I (t ) + R (t ) = N (4) The similarity in the behavior between the spread of
infection in a human population and the self-replication of a
By rearranging equation (2): worm in a network environment makes modeling worm
attacks on computer networks similar to modeling the spread
of viral infection in a human population. The level of
dI (t )
dt = I (t )( β (t ) S (t ) − γ ) (5) immunity in a computer network determines the impact of a
worm attack on the computer network. In realistic worm
From (5), we conclude that S0 > γ / β should be satisfied to modeling, a network has various levels of immunity. The
cause epidemic growth. Where S0 is the initial number of susceptible population is divided into two groups: the highly
susceptible hosts, ρ = γ / β represents the epidemic threshold immune population and partially immune population.
and φ = γS0 / β represents the basic reproduction number of Disparate types of susceptible hosts will behave differently
the infection, and φ > 1 will cause the infectious population when confronted with a worm attack.
to grow. Figure 1 shows a state transition of the KM model.

The level of immunity in the susceptible hosts will determine

the infection rate, the recovery rate and the re-susceptibility
Susceptible Infectious Removal rate of the epidemic model. We examined the value of these
rates depending on the network immunity level by looking at
the main factors that cause changes in these rates. In doing
Figure 1. Kermack-McKendrick epidemic so, we made a detailed comparison between a human
 50
International Journal of Communication Networks and Information Security (IJCNIS) Vol. 1, No. 2, August 2009
population and a computer network. Table 2 shows a list of the same concept could be applied; Figure 3 shows a realistic
notations and symbols that we used in this section. SIRS modeling of a worm attack on computer network. The
1) Infection rate: In a human population, the infection rate changes in the number of susceptible, infectious, and
involves major parameters which include the contact rate removed hosts for the (PIN) and (HIN) could be described
between humans (θ, human/time), the proportion of by the following set of differential equations:
infection
in the population (I / N), and the transmission infection µPRP(t)+µHRH(t)
probability (η). Since we are interested in the interaction

Notation Explanation Initial value

Susceptible S
Susceptible
(PIN) (HIN)
Ip(t) Number of infectious hosts in PIN at time Ip(0)=1
t
IH(t) Number of infectious hosts in HIN at time IH(0)=1
FPSP(t) FHSH(t)
t
Sp(t) Number of susceptible hosts in PIN at time Sp(0)=350,000
t
SH(t) Number of susceptible hosts in HIN at SH(0)=650,000 Infectious Infectious
I
time t (PIN) (HIN)
Rp(t) Number of removed hosts from PIN at Rp(t)=0
time t
RH(t) Number of removed hosts from HIN at RH(0)=0 λPIP(t) λHIH(t)
time t
θP Contact rate of PIN 2

θH Contact rate of HIN 2 Recovery R

Recovery
(PIN) (HIN)
η P
Transmission infection probability for PIN 1

η H Transmission infection probability for 0.25

HIN
λP Recovery rate of infectious PIN 0.1
Figure 3. Proposed worm attack model.
λH Recovery rate of infectious HIN 0.25

µP Re-susceptible rate of PIN 0.01 1) The set of differential equations for PIN:
µH Re-susceptible rate of HIN 5 * 10-6
I(t) Total number of infectious hosts at time t I(0)=2 dSp (t ) I (t )
N Total number of hosts 1,000,000 dt = −θ p × η p × N S (t ) + µ pRp (t ) (10)
Table 2. Notations and initial values of the proposed model dIp (t ) I (t )
dt = θ p × η p × N Sp (t ) + λ pIp (t ) (11)
between susceptible hosts and the infectious hosts, we dRp (t )
defined the force of infection as (θ × η × I / N). The change dt = λ pIp (t ) − µ pRp (t ) (12)
in the number of susceptible hosts is represented by the I (t )
Fp = θ p × η p × N (13)
equation:
θ p×η p
R = λ p + µ p (14)
dS (t ) I
dt = θ × η × N × S (9)
Here, Fp represents the force of infection in the PIN
By adopting the infection parameters in a human population population, R0P represents the basic reproductive rate for the
to a network environment, we assumed that hosts in both PIN population, and it satisfies the condition R0P > 1 for the
(PIN) and (HIN) have the same contact rate, and any host in epidemic to grow.
the network will contact the same number of infectious
hosts. In (PIN), more hosts will move from the susceptible 2) The set of differential equations for HIN:
stage to the infectious stage due to a lack of immunity,
leading to a higher rate of infection. dS (t ) I (t )
dt = −θ × η × N S (t ) + µ R (t ) (15)
H
2) Recovery rate: the recovery rate in a human population H H H H

depends on the period of infection. The recovery rate for k

dIH (t ) I (t )
days’ infection is proportional to 1/k. In a network dt = θ H × η H × N SH (t ) + λ HIH (t ) (16)
environment, the recovery rate varies depending on the level
dRH (t )
dt = λ HIH (t ) − µ HRH (t ) (17)
of immunity.
3) Re-susceptibility rate: in a human population, the
I (t )
number of people who move from the recovery stage back to FH = θ H × η H × N (18)
the susceptible stage varies depending on the level of
θ ×η
R = λ H +µ H
H H
immunity in the community. Having more people immunized (19)
against widespread viral infection forecasts a small re-
susceptibility rate and vice-versa. In a network environment,
Here, FH represents the force of infection in HIN
 51
International Journal of Communication Networks and Information Security (IJCNIS) Vol. 1, No. 2, August 2009
population, R0H represents the basic reproductive Tp-SIRS represents a traditional SIRS model in PIN
rate for the HIN population, and it satisfies the parameters. Th-SIRS represents the traditional SIRS model
condition R0H > 1 for the epidemic to grow. Now, in HIN parameters. Figure 5 shows a comparison of R-SIRS,
Tp-SIRS, and Th-SIRS models.
N = Sp (t ) + IP (t ) + Rp (t ) + SH (t ) + IH (t ) + RH (t ) (20)

5. Simulation
To identify the realistic effects of a worm attack on a
computer network, we simulated our model by using realistic
sets of parameters that emphasize the different level of
immunity in the network. Then, we used fixed sets of
parameters for the entire network. We also examined the
relationship between mitigation technique factors, modeling
parameters and the effects of changing these parameters on
worm propagation.
A – Effects of a worm attack on PIN and HIN populations:
Figure 4 shows a SIRS model simulation for both PIN and
HIN.

Figure 5. Comparison between R-SIRS, Tr-SIRS, Th-SIRS

models

The results show that using unrealistic traditional worm

modeling will yield an incorrect estimate of worm infection.
From the figure, Tp-SIRS and Th-SIRS infectious
populations are different from the R-SIRS model. The
number of infectious hosts in the R-SIRS model stands
between Tp-SIRS and Th-SIRS infectious populations. The
R-SIRS model gives us the real impact of a worm attack on a
computer network.
C- The effect of changing the contact rate in the R-SIRS
model:
Quarantine of infected patients is one measure of preventing
widespread disease in a human population by decreasing the
Figure 4. SIRS model for PIN and HIN level of contact between infected and healthy individuals,
and thereby reducing the number of infectious individuals in
In the model, 35% of the susceptible population is partially the human population.
immune and 65% is highly immune. The probability of We apply the same concept to a network environment by
infection and the recovery rate for both the PIN and HIN using quarantine as a defense technique to reduce the level
have been set as follows: a) For PIN, the infection of worm infection. We simulated the R-SIRS model for four
probability is 1, all hosts will get infected, and the recovery different values of contact rate (2, 3, 4, and 5).
rate is 0.1; b) For HIN, the probability of infection is 0.25,
and the recovery rate is 0.25.
Both PIN and HIN hosts will experience the same interaction
with infectious hosts throughout the simulation so they have
the same contact rate.
The results shows, as expected, that the number of infectious
hosts in PIN is higher than HIN even though the number of
HIN’s population is bigger than the PIN’s population due to
better defense and security measurements in HIN.
B - Comparison between Traditional and Realistic Worm
Modeling:
To identify the realistic effects of a worm attack on a
computer network, we ran our model in three different
scenarios. First, we simulated our proposed model, R-SIRS,
by considering both PIN and HIN parameters. Then we Figure 6. Effect of contact rate
simulated the SIRS model separately in PIN then in HIN
parameters. The solid line represents the R-SIRS model.
 52
International Journal of Communication Networks and Information Security (IJCNIS) Vol. 1, No. 2, August 2009
The result in Figure 6 shows that the infectious population attacks and test the impact of worm attack on computer
decreases by decreasing the contact rate. networks.

D- The effect of changing the probability of infection in the References

R-SIRS model:
In a human population, vaccination is used to decrease the [1] Li, M. Salour, and X. Su, “A Survey of Internet Worm
rate of infection due to the reduction in the probability of Detection and Containment,” IEEE Communications
infection. Similarly, adding security measures to network Surveys & Tutorials, vol. 10, no. 1, pp. 20-35, 1st
assets will enhance the defensive measures of the network quarter, 2008.
against worm attack and decrease the probability of worm [2] D. Moore, C. Shannon, and J. Brown, “Code Red: a
infection in a computer network. To examine the realistic Case Study on the Spread and Victims of an Internet
impact of adding new mitigation to a network environment, Worm,” Proc. 2nd ACM SIGCOMM Workshop on
we simulated the R-SIRS model using four different values Internet Measurement, Marseille, France, Nov. 2002.
of infection probability (0.25, 0.35, 0.5, and 1). Figure 7 [3] Protecting the Military Cyber Space: DARPA Gears to
shows the effect of reducing the probability of infection of Counter Network Worms: website: http://www.defense-
worm attack by adding more security measures to the update.com/features/du-3-05/feature-worms.htm
network. The result shows that the number of infectious [4] F. Burckhardt, “Modeling Infections Deceases in Virtual
populations declines when the probability of infection Realties”.
decreases. [5] J. Kim, S. Radhakrishnan, S. K. Dhall “Measurement
and Analysis of Worm Propagation on Internet Network
Topology,” Proc. IEEE 13th Intl’l Conf. on Computer
Communications and Networks (ICCCN ’04), Chicago,
2004, pp. 495-500.
[6] J. Kim, P. Bentley “The Human Immune System and
Network Intrusion Detection,” Proc. 7th European Conf.
on Intelligent Techniques and Soft Computing (EUFIT
’99).
[7] F. Castaneda, E.C. Sezer, and J. Xu, “Worm vs. Worm:
Preliminary Study of an Active Counter-Attack
Mechanism,” Proc. 2003 ACM Workshop on Rapid
Malcode (WORM’04), pp. 83-93, Washington, DC,
Oct. 2004.
[8] C.C. Zou, W. Gong, and D. Towsley, “Code Red Worm
Propagation Modeling and Analysis,” 9th ACM Symp.
on Computer and Communication Security, pp. 138-
147, Washington DC, 2002
[9] D. Moore, V. Paxson, S. Savage, C. Shannon, S.
Figure 7. Effect of probability of infection Staniford,, and N. Weaver, “Inside the Slammer Worm,”
IEEE Magazine of Security and Privacy, vol. 1, no. 4,
pp. 33-39, 2003.
6. Conclusion [10] Ed. Skoudis, Malware, Fighting Malicious Code.
This paper presents a new approach to modeling a worm Saddle River, NJ,Pearson, 2004.
attack on a computer network by using the R-SIRS model. [11] D. J. Daley and J. Gani, Epidemic Modeling: An
We built our R-SIRS model by emulating the human Introduction, Cambridge, Studies in Mathematical
immune system in a network environment. Building worm Biology, 2001.
attack models by using the same capability of the human [12] J. Kim, S. Radhakrishnan, and S.K. Dhall,
body to overcome virus infection is a major step in “Measurement and Analysis of Worm Propagation on
constructing the necessary network defense system against Internet Network Topology,” Proc. Int’l Conf. on
Computer Communications and Networks (ICCCN’04),
current and future worm attacks. Our simulation results show
pp. 495-500, Chicago, Oct. 2004.
that worm infection has disparate impacts on different parts
[13] J. Li and P. Knickerbocker, “Functional Similarities
of the network based on different levels of immunity.
between Computer Worms and Biological Pathogens,”
By adding new mitigation techniques to enhance network Computers & Security, 26 (2007), pp. 338-347.
security we are changing the model parameters to discover [14] Y. Yang, S. Zhu, and G. Cao, “Improving Sensor
the real impact of a worm attack on network infrastructure. Network Immunity under Worm Attacks: a Software
Using traditional modeling of a worm attack on a computer Diversity Approach,” ACM Int’l Symp. on Mobile Ad
network without studying network immunization topology Hoc Networking and Computing (MobiHoc’08), Hong
may lead to underestimation of the security measures needed Kong, pp. 149-158, May 2008.
to defend network security assets. In future research, we [15] U.S. Department of Health and Human Services
would benefit from the similarity between the human National Institutes of Health “Understanding the
immune system and computer network defense measures. Immune System How It Works,” NIH Publication No.
We are going to lunch more detailed comparisons toward 07-5423 Sep. 2007.
building ultimate ways to defend the network against worm
 53
International Journal of Communication Networks and Information Security (IJCNIS) Vol. 1, No. 2, August 2009
[16] S. Peng, Y. Li, and B. Zheng, “States and Critical
Behavior of Epidemic Spreading on Complex
Networks,” 7th World Congress on Intelligent Control
and Automation, Chongqing, China, pp. 3481-3486,
June 2008.
[17] J. Kim, S. Radhakrishana, and J. Jang, “Cost
Optimization in SIS Model of Worm Infection,” ETRI
Journal, vol. 28, no. 5, pp. 692-695, Oct. 2006.
[18] X. Yan, and Y. Zou, “Optimal Internet Worm
Treatment Strategy Based on the Two-Factor Model,”
ETRI Journal, vol. 30, no. 1, pp. 81-88, Feb. 2008.
[19] Z. Jin and M. Haque, “The SIS Epidemic Model with
Impulsive Effects,” 8th ACIS Int’l Conf. on Software
Engineering, Artificial Intelligence, Networking, and
Parallel/Distributed Computing (SNPD 2007), Qingdao,
China, vol. 3, pp. 505-507, July 2007.
[20] H. Zhou, Y. Wen, and H. Zhao, “Passive Worm
Propagation Modeling and Analysis,” Proc. IEEE Int’l
Conf. on Computing in the Global Information
Technology, Guadelope, French Caribbean, pp. 32, Mar.
2007.
[21] H. Zhou, Y. Wen, and H. Zhao, “Modeling and
Analysis of Active Benign Worms and Hybrid Benign
Worms Containing the Spread of Worms,” Proc. IEEE
Int’l Conf. on Networking (ICN'07), 2007.
[22] O. Toutonji and S. M. Yoo, “Passive Benign Worm
Propagation Modeling with Dynamic Quarantine
Defense,” KSII Transactions on Internet and
information System vol. 3, no. 1, pp. 96-107, Feb. 2009.