Home > Articles > Security > Network Security

  • Print
  • + Share This
From the author of

Designing a Virus Vaccine

This article demonstrates methods to design and test a live, attenuated computer virus vaccine using real-world simulation. The following list summarizes the design goals of our vaccine:

  • Confers immunity. Like the biological smallpox vaccine, the computer vaccine should confer lasting immunity against infection. An example of conferring immunity would be a virus that automatically repairs vulnerable systems with a software security patch.

  • Conserves resources. A vaccine should consume fewer network resources than the virus against which it provides immunity. One method to achieve this goal is to "attenuate" the vaccine, similar to the attenuation of biological vaccines. For example, a computer vaccine could be written to spread more slowly (that is, with less "virulence") than its pathogenic counterpart (such as Code Red). As I'll demonstrate, this scheme can effectively prevent future infections with related strains, while minimizing the strain on network communication.

  • Easily distributed. The vaccine should be easily distributable to more than 90% of the target population. This arbitrary target percentage approximates ideal goals for biological vaccine counterparts such as the influenza vaccine.

  • Low morbidity. The vaccine should have a low incidence of side effects. In other words, it should not routinely damage systems. Quality-control mechanisms can help here. Examples of quality control include maintaining a transparent, open source development of the vaccine. In addition, the vaccine should be developed under the supervision of an international monitoring body, similar to the World Health Organization for biological vaccines. It was only though international coordination by a world health body that the scourge of smallpox was eradicated.

  • Cost efficient. The cost of the vaccine should be low, and it should reduce the overall cost of damage that would otherwise be caused by the virus against which it protects. For an expensive virus such as Code Red, even a modest overall reduction of 10% in damage from the virus would provide a net savings of $250 million worldwide.

The major objection to releasing a live, replicating vaccine on the Internet—even under the aegis of a world governance body—is that the vaccine alters target host machines without permission of the owner. Thus, the vaccine can (and will) cause damage to a certain number of critical systems. However, this objection is overcome by comparison to biological vaccines. For example, with the measles vaccine, a small percentage of children who receive it are injured or die due to side effects. Despite these risks, however, parents line up each year to have their children receive this attenuated form of the deadly virus. In fact, the United States government mandates that all children must receive the measles vaccine. Thus, although mandatory biological vaccination results in a small percentage of death and disease, it has resulted in an overall net benefit of saving millions of lives.

Given the billions of dollars of damage caused by computer viruses each year, a computer virus vaccine could be designed with the same benefit-to-risk ratio as that of biological vaccines. As stated above, the Code Red virus caused approximately $2.5 billion in damage. However, Code Red actually came in three discrete variants, which were released over time. All three versions exploited the same vulnerability discovered in Microsoft's IIS web server software on June 18, 2001. [28] However, the first version of Code Red was not seen in the wild until more than three weeks later, on July 12, 2001. This version infected at least 359,104 machines within 14 hours. Following the first outbreak, the second, more virulent version of Code Red didn't appear for another week. Finally, it took another two weeks for the third and final form to appear in the wild. [29]

Thus, there was a considerable amount of time for a vaccine to be developed and deployed between these individual versions of Code Red. For example, suppose a vaccine was developed and released in the interim between the first and second versions of Code Red; at that stage, a vaccine might have improved global immunity and reduced the remainder of the $2.5 billion in damage.

This article examines the theory that a live, attenuated vaccine released in the interim between the variants of Code Red would improve outcomes. It also tests the case of releasing the vaccine in the three-week interim after the first vulnerability was first discovered, but before the first virus was released in the wild.

Several models have been used to simulate the spread of viruses. [30, 31] However, optimal testing of a live vaccine requires a simulator that most closely models the real-world behavior of viruses. NWS, a "network worm simulation system" [32] is a framework of objects and methods written in the PERL programming language that allows programmers to design and test live, self-replicating pathogens. NWS provides the advantage of modeling viral behavior by executing actual virus code. Thus, the simulation allows viruses to perform arbitrary actions, which may model real-world behavior more accurately than rigid mathematical simulation. NWS is open source and is available under the GNU General Public License (GPL).

In the following simulations, NWS is initialized with a sample address space arbitrarily chosen at 65535, which represents the entire network. This simulated network is then populated with 10,000 vulnerable hosts. These hosts represent the number of vulnerable systems that are initially present in the address space. This simulation is analogous to an Internet populated with Microsoft IIS web servers that are vulnerable to the Code Red virus.

NWS measures the passage of time in the simulated network based on discrete time steps. At each time step, an object may perform an action such as a virus probing or infecting a host. In the current simulations, the address space is populated with an initial number of seven (7) Code Red and seven (7) vaccine instances, respectively. In each run, the results are recorded for a total of 150 discrete time steps. Each simulation is run through 20 iterations on a Pentium IV machine running Linux, and the results of the 20 iterations are averaged and plotted.

One of the most devastating impacts of modern viruses is their negative effect on overall network performance. For example, the rapid spread of the Slammer infection in 2003 knocked most of South Korea's Internet offline for several hours. [33] Thus, an important goal is to design the vaccine to have minimal impact on network bandwidth. In NWS, network messages are counted at each time step. For the purpose of this simulation, each instance of Code Red sends out two message probes to a random address during each time step. Vaccines are attenuated to send out fewer probes per time step than Code Red. The number of messages passed per time in the network is recorded as a measure of bandwidth consumption.

In biology, many vaccines use live, attenuated strains of the virus to fight the virus itself. Thus, the current vaccine is based on Code Red itself. However, it has been modified in two ways. After attaching to a vulnerable host, the vaccine "patches" the vulnerability, thus marking the host as resistant to further infection. In addition, in this study the vaccine is attenuated. Thus, the vaccine is not as virulent as Code Red—it doesn't send as many probes per time step. For example, if a variant of Code Red sends out two random probes per time step, a vaccine can be attenuated to send only one probe per time step (a 50% attenuation in virulence). As in biology, the advantage of weakening the virus vaccine is that it should then spread with less damage (for example, with less consumption of network resources) than the more virulent strains of the real virus.

  • + Share This
  • 🔖 Save To Your Account