Computer ecology: Responding to mobile worms with location-based quarantine boundaries

Baik Hoh, Marco Gruteser

Research output: Chapter in Book/Report/Conference proceedingChapter

5 Scopus citations


A current trend in pervasive devices is towards multi-radio support, allowing direct local interaction between devices in addition to maintaining long-haul links to infrastructure networks. Many current cell phones already contain Bluetooth radios that enable peer-to-peer exchange of files and usage of services from nearby devices. Bluetooth is also available in some automobiles and the US Federal Communications Commission has reserved spectrum for Dedicated Short Range Communications (DSRC), a wireless communications standard for inter-vehicle networks based on the IEEE 802.11 medium access protocol [1]. Example applications are collaborative crash warning and avoidance, dynamic traffic light control, or ad hoc forwarding of traffic probe information [2, 3]. Unfortunately, peer-to-peer interaction between devices provides an alternative propagation path for worms and virus [4, 5]. The Internet experience illustrates that worm attacks are a significant concern and a proof-of-concept Bluetooth worm, Cabir, has already been implemented.3 More aggressive worms that exploit bugs (e.g., buffer overflow in bluetooth software/protocol stack [7,8]) and make unwanted phone calls are not hard to imagine [9,10], and likely as financial incentives increase. More recently, several research articles [4,11-13] warn that worms and viruses could cause denial-of-service or energy-depletion attacks. Regardless of the sophistication of the prevention strategies, in an environment with high reliability requirements it is only prudent to also plan for outbreaks with appropriate containment strategies. Peer-to-peer replication over short-range wireless networks creates a challenge for intrusion detection and response, because the worm cannot be observed and blocked by intrusion detection and response systems in the cellular service provider's core network. Instead intrusion detection must be deployed on resource-constrainedmobile devices or on specialized honeypot devices distributed in high-traffic zones [14,15]. Regardless of the employed intrusion detection method, these constraints will lead to a delay between the time of outbreak and alarm because of distributed processing delays and human analysis. Thus, the intrusion response system only has at best an outdated few of the current worm propagation. In this work, we consider an intrusion response architecture where a service provider remotely administers mobile nodes over the wide-area infrastructure wireless network. Using ecologically inspired location-based quarantine boundary estimation techniques, the service provider can estimate a set of likely infected nodes. This allows the service provider to concentrate efforts on infected nodes and minimize inconvenience and danger to non-affected parties. The remainder of this paper is structured as follows. Section 7.2 clarifies threat model and system assumptions. It also defines the estimation problem that this paper addresses. Section 7.3 develops a quarantine boundary estimation algorithm from ecological diffusion-reaction and advection models. We evaluate our proposed algorithm by applying it to two ad hoc network scenarios: a pedestrian random-walk and an a vehicular network on a highway. These results are reported in section 7.4. In section 7.5, we analyze the simulation results and discuss the effectiveness of the approach. In addition, we discuss how to locate Patient 0 based on a set of intrusion reports. Section 7.6 compares our work with directly related prior works before we conclude.

Original languageEnglish (US)
Title of host publicationMobile and Wireless Network Security and Privacy
PublisherSpringer US
Number of pages24
ISBN (Print)9780387710570
StatePublished - 2007

All Science Journal Classification (ASJC) codes

  • Engineering(all)

Fingerprint Dive into the research topics of 'Computer ecology: Responding to mobile worms with location-based quarantine boundaries'. Together they form a unique fingerprint.

Cite this