Title :
Using predators to combat worms and viruses: a simulation-based study
Author :
Gupta, Ajay ; DuVarney, Daniel C.
Author_Institution :
Dept. of Comput. Sci., State Univ. of New York, Stony Brook, NY, USA
Abstract :
Large-scale attacks generated by fast-spreading or stealthy malicious mobile code, such as flash worms and e-mail viruses, demand new approaches to patch management and disinfection. Currently popular centralized approaches suffer from distribution bottlenecks which cannot be solved by merely increasing the number of servers, as the number of servers required to eliminate all bottlenecks is impractically large. Recently, predators were proposed as a technique for eliminating automated mobile malware from computer networks. Predators are benevolent, self-propagating mobile programs which have the ability to clean up systems infected by malignant worms/viruses. We propose a number of extensions to the original predator model, including immunizing predators, persistent predators, and seeking predators. We report on a set of simulations which explore the effects of predators on small-scale (800 to 1600 node) networks. Our results indicate that predators hold significant promise as an alternative to the centralized patch distribution mechanism. The results show that predators can be used to disinfect systems and distribute patches rapidly across the network, without suffering from bottlenecks or causing network congestion. The results also show that the new predator models provide significant benefits over the original predator model. The simulation tool is also useful for tuning predator behavior, so that an optimal tradeoff between the peak virus/worm infection rate and the overhead generated by the predator can be chosen before a predator is released.
Keywords :
client-server systems; computer networks; computer viruses; digital simulation; distributed programming; electronic mail; telecommunication congestion control; telecommunication security; automated mobile malware; e-mail viruses; flash worms; network congestion; patch management; predator model; self-propagating mobile programs; stealthy malicious mobile code; Cancer; Computational modeling; Computer network management; Computer worms; Electronic mail; Immune system; Large-scale systems; Mobile computing; Network servers; Viruses (medical)
Conference_Title :
Computer Security Applications Conference, 2004. 20th Annual
Print_ISBN :
0-7695-2252-1
DOI :
10.1109/CSAC.2004.47