Attack Containment Using Feedback Control

In a computer network, security is implemented with elements such as firewalls, hosts, servers, routers, intrusion detection systems, and honeypots. These network elements need to know the nature or anomaly of the worm a priori to detect the attack. Modern viruses such as Code Red, Sapphire, and Nimda spread very fast, so human-mediated responses to them are impractical, if not impossible. Several epidemic studies show that automatic tracking and control of resource usage is an effective method of containing the damage. We propose a novel security architecture based on control system theory. In particular, we describe a state-space feedback control model that detects and controls the spread of these viruses or worms by measuring the velocity of the number of new connections an infected host makes. The objective of the mechanism is to slow the spreading velocity of a worm by controlling (delaying) the total number of new connections made by an infected host. A proportional and integral controller provides continuous control of the feedback loop. An S-shaped spreading function is applied as a disturbance to the controller, and we were able to contain the spreading within a few time units. We also observed that the velocity profile can differentiate between legitimate traffic and a flash worm. We have set up a worm propagation environment on which we are running experiments with our model. The results from the simulation and the experimental setup, combined with the sensitivity analysis, are a good indication of the applicability and accuracy of the approach.

Working on implementation of a model to generate and test worm propagation by applying feedback control.
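The feedback loop described in the abstract can be sketched as a small simulation. This is an added example, not the project's model or code: the logistic S-curve, the gains, the velocity setpoint `v_ref`, and treating "delay" as a throttle fraction `u` are all assumptions made for illustration.

```python
"""Toy PI loop that throttles new connections while a worm spreads.

Assumptions (not from the abstract): logistic S-curve dynamics, the gain
values, the setpoint v_ref, and modelling connection delay as a fraction u.
"""


def simulate(kp, ki, steps=200, dt=0.1, beta=1.0, i0=0.001, v_ref=0.005):
    """Return one (infected_fraction, velocity, throttle) tuple per step."""
    i, integ, u = i0, 0.0, 0.0
    trace = []
    for _ in range(steps):
        # Measured velocity: new infections per time unit under the current
        # throttle. beta * i * (1 - i) is the S-shaped disturbance.
        v = beta * (1.0 - u) * i * (1.0 - i)
        err = v - v_ref
        # Integral term with anti-windup: quiet periods below the setpoint
        # never build up negative "credit".
        integ = max(0.0, integ + err * dt)
        # PI law, clamped to a valid throttle fraction in [0, 1].
        u = min(1.0, max(0.0, kp * err + ki * integ))
        i += v * dt
        trace.append((i, v, u))
    return trace


def summarize(trace):
    """Final infected fraction, peak velocity and final throttle."""
    return {
        "final": trace[-1][0],
        "peak_v": max(v for _, v, _ in trace),
        "final_u": trace[-1][2],
    }


if __name__ == "__main__":
    for label, (kp, ki) in (("open loop", (0.0, 0.0)), ("PI control", (3.0, 20.0))):
        s = summarize(simulate(kp, ki))
        print(f"{label:10s} final={s['final']:.3f} "
              f"peak_v={s['peak_v']:.4f} final_u={s['final_u']:.2f}")
```

With these constructed parameters the open-loop run saturates, while the controlled run holds the connection velocity near the setpoint; a slow source whose velocity never exceeds `v_ref` is left unthrottled.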
