Pulse quarantine strategy of internet worm propagation: Modeling and analysis

Yu Yao a,b,*, Lei Guo a,b, Hao Guo a,b, Ge Yu a,b, Fu-xiang Gao a,b, Xiao-jun Tong c

a Key Laboratory of Medical Image Computing, Northeastern University, Ministry of Education, Shenyang 110819, China
b College of Information Science and Engineering, Northeastern University, Shenyang 110819, China
c Department of Computer Science, Harbin Institute of Technology, Weihai, China

Article history: Available online 6 September 2011

Abstract

Worms can spread throughout the Internet very quickly and are a great security threat. The constant quarantine strategy is a defensive measure against worms, but its reliability with current, imperfect intrusion detection systems is poor. A pulse quarantine strategy is therefore proposed in this study. The pulse quarantine strategy adopts a hybrid intrusion detection system that combines misuse and anomaly detection. Through analysis of the corresponding worm propagation models, its stability condition is obtained: when the basic reproduction number is less than one, the model is stable at its infection-free periodic equilibrium point, where worms are eliminated. Numerical and simulation experiments show that the constant quarantine strategy is inefficient because of its high demand on the patching rate at "birth" (the rate at which hosts entering the network are already patched), whereas the pulse quarantine strategy can lead to worm elimination with a relatively low value of that rate. Since patching almost all hosts in a real network is difficult, the pulse quarantine strategy is more effective at eliminating worms.

© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

In recent years, Internet worms have posed severe threats to Internet security, and containing the spread of worms is an active research subject. Inspired by methods used in disease control, quarantine has been adopted as an effective measure to contain worm propagation.
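The abstract states the threshold result in words only: worms die out when the basic reproduction number is below one, and a pulse strategy reaches that threshold with a far smaller per-host detection demand than constant quarantine. The following toy simulation is an added illustration of that contrast; it is not the paper's model or the authors' code. Everything in it is a constructed assumption: a discrete-time S/I/R host population with no host turnover, constant quarantine modeled as a fixed fraction `delta` of infected hosts removed every step, and pulse quarantine modeled as a hybrid IDS that, every `period` steps, catches a fraction `theta` of infected hosts (misuse detection) and mistakenly holds a fraction `false_positive` of clean hosts until the next pulse (anomaly detection). `threshold_pulse` is this toy's analogue of the paper's stability condition: a growth factor below one over one pulse period means the infection-free periodic state is stable.

```python
"""Toy discrete-time worm model comparing constant and pulse quarantine.

Constructed illustration, not the paper's model: hosts are susceptible (S),
infected (I) or removed/patched (R); the pulse strategy additionally holds
some susceptible hosts that the anomaly detector flags as false positives.
"""

N = 10_000   # hosts in the network (constructed value)
I0 = 10      # initially infected hosts (constructed value)


def threshold_constant(beta, gamma, delta):
    """Basic reproduction number of the toy model under constant quarantine.

    beta:  infection attempts per infected host per step (scaled by S/N)
    gamma: rate at which infected hosts get patched without the IDS
    delta: rate at which the IDS quarantines infected hosts every step
    Worms die out when the returned value is below one.
    """
    return beta / (gamma + delta)


def threshold_pulse(beta, gamma, theta, period):
    """Growth factor of the infected population over one pulse period.

    Linearised at the infection-free state (S ~ N): infected hosts multiply
    by (1 + beta - gamma) each step for `period` steps, then one pulse removes
    a fraction `theta`. Below one, the infection-free periodic state is stable.
    """
    return (1.0 - theta) * (1.0 + beta - gamma) ** period


def simulate(strategy, steps=300, beta=0.5, gamma=0.1, delta=0.3,
             theta=0.9, period=5, false_positive=0.02):
    """Run the toy model and return peak and final compartment sizes.

    strategy: "constant" (IDS removes delta*I every step) or
              "pulse" (IDS acts only every `period` steps).
    """
    s, i, r, held = N - I0, float(I0), 0.0, 0.0
    peak = i
    for t in range(steps):
        new_inf = beta * i * s / N      # mass-action infection
        cleaned = gamma * i             # patching not driven by the IDS
        quarantined = delta * i if strategy == "constant" else 0.0
        s -= new_inf
        i += new_inf - cleaned - quarantined
        r += cleaned + quarantined
        peak = max(peak, i)             # record before any pulse removes hosts
        if strategy == "pulse" and (t + 1) % period == 0:
            s += held                   # release last pulse's false positives
            held = false_positive * s   # anomaly detector mis-flags some S
            s -= held
            caught = theta * i          # misuse detector catches most I
            i -= caught
            r += caught
    return {"peak_infected": peak, "final_infected": i,
            "final_removed": r, "final_susceptible": s, "held": held}


if __name__ == "__main__":
    print("R0 constant (delta=0.3):", threshold_constant(0.5, 0.1, 0.3))
    print("R0 constant (delta=0.45):", threshold_constant(0.5, 0.1, 0.45))
    print("pulse growth factor (theta=0.9, T=5):", threshold_pulse(0.5, 0.1, 0.9, 5))
    for name in ("constant", "pulse"):
        print(name, {k: round(v, 1) for k, v in simulate(name).items()})
```

With the constructed parameters (`beta=0.5`, `gamma=0.1`) the constant strategy needs `delta` above 0.4, i.e. the IDS must catch 40% of all infected hosts every single step, before its reproduction number drops below one; at `delta=0.3` the worm still spreads to roughly a third of the network. A pulse every five steps that catches 90% of infected hosts gives a per-period growth factor of about 0.54, so the infected count shrinks from pulse to pulse and the outbreak stays in the tens of hosts, even though clean hosts are occasionally held as false positives. The comparison only mirrors the qualitative claim of the abstract; the paper's own model, parameters and stability proof are not reproduced here.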
Constant quarantine, one of the quarantine strategies, is often used to construct worm-propagation models [1–6]. However, the condition under which a worm propagation system with a constant quarantine strategy stabilizes at the infection-free equilibrium point is difficult to satisfy. Simple quarantine actions cannot achieve satisfactory containment in practice because of the high rate at which new hosts entering the network must already be patched.

The implementation of a quarantine strategy relies on an intrusion detection system [7]. Intrusion detection systems fall into two categories: misuse and anomaly detection systems. On one hand, a misuse intrusion detection system, which maintains a database of known attack behaviors, recognizes an intruder once its behavior matches an entry in that database. Although such a system accurately detects known worms, it fails to detect new ones, a failure referred to as missing alarms. On the other hand, an anomaly detection system detects an attack as long as its behavior differs from a database of normal behaviors, which helps in detecting new worms. Unfortunately, this system suffers from high false-positive rates, so normal hosts are sometimes mistaken for infected hosts. In summary, both classes of intrusion detection systems have defects that affect their performance. A hybrid

doi:10.1016/j.compeleceng.2011.07.009
Reviews processed and approved for publication by Editor-in-Chief Dr. Manu Malek.
* Corresponding author at: College of Information Science and Engineering, Northeastern University, Shenyang 110819, China. Tel.: +86 13130283275. E-mail addresses: yaoyu@mail.neu.edu.cn, haveball@163.com (Y. Yao).
Computers and Electrical Engineering 38 (2012) 1047–1061