Abstract
Internet worm infection continues to be one of top security threats and has been widely used by botnets to recruit newbots. In order to defend against future worms, it is important to understand how worms propagate and how different scanning strategies affect worm propagation dynamics. In our study, we present a (stochastic) continuous-time Markov chain model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms, and further for local preference scanning worms and flash worms. Specifically, for uniform and local preference scanning worms, we are able to (1) provide a precise condition that determines whether the worm spread would eventually stop and (2) obtain the distribution of the total number of infected hosts. By using the same modeling approach, we reveal the underlying similarity and relationship between uniform scanning and local preference scanning worms. Finally, we validate the model by simulating the propagation of worms.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Moore, D., Shannon, C., & Brown, J. (2002). Code-red: A case study on the spread and victims of an internet worm. In Proceedings of the 2nd Internet Measurement Workshop (IMW), Marseille, France.
Moore, D., Paxson, V., & Savage, S. (2003). Inside the slammer worm. IEEE Magazine of Security and Privacy, 4(1), 33–39.
Casado, M., Garfinkel, T., Cui, W., Paxson, V., & Savage, S. (2005). Opportunistic measurement: Extracting insight from spurious traffic. In Proceedings of the 4th ACM SIGCOMM HotNets Workshop (HotNets), College Park, MD.
Zargar, S. T., Joshi, J., & Tipper, D. (2013). A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Communications Surveys & Tutorials, 15(4), 2046–2069.
Khonji, M., Iraqi, Y., & Jones, A. (2013). Phishing detection: A literature survey. IEEE Communications Surveys & Tutorials, 15(4), 2091–2121.
Wu, M. W., Wang, Y. M., Kuo, S.-Y., & Huang, Y. (2007). Self healing spyware: Detection, and remediation. IEEE Transactions on Reliability, 56(4), 588–596.
Staniford, S., Paxson, V., & Weaver, N. (2002). How to own the Internet in your spare time. In Bonehed. Proceedings of the 11th Usenix Security Symposium, San Francisco.
Zou, C. C., Gong, W., & Towsley, D. (2002). Code red worm propagation modeling and analysis. In Proceedings of the 9th ACM conference on computer and communication security (CCS’02), Washington, DC (pp. 138–147).
Kesidis, G., Hamadeh, I., & Jiwasurat, S. (2005). Coupled kermack-mckendrick models for randomly scanning and bandwidth-saturating internet worms. In Proceedings of 3rd international workshop on QoS in multiservice IP networks QoS-IP (pp. 101–109).
Chen, Z., Gao, L., & Kwiat, K. (2003). Modeling the spread of active worms. In Proceedings of the IEEE INFOCOM 2003.
Kephart, J. O., Chess, D. M., & White, S. R. (1993). Computers and epidemiology. IEEE Spectrum, 30(5), 20–26.
Kephart, J. O. & White, S. R. (1991). Directed-graph epidemiological models of computer viruses. In Proceedings of IEEE symposium on security and privacy (pp. 343–359).
Kephart, J. O., White, S. R. (1993). Measuring and modeling computer virus prevalence. In Proceedings of IEEE symposium on security and privacy.
Daley, D. J., & Gani, J. (1999). Epidemic modeling: An introduction. Cambridge: Cambridge University Press.
Andersson, H., & Britton, T. (2000). Stochastic epidemic models and their statistical analysis. New York: Springer.
Frauenthal, J. C. (1980). Mathematical modeling in epidemiology. New York: Springer.
Tang, Y., Xiao, B., & Lu, X. (2011). Signature Tree generation for polymorphic worms. IEEE Transactions on Computers, 60(4), 565–579.
Wang, L., Li, Z., Chen, Y., Fu, Z. J., & Li, X. (2009). Thwarting zero-day polymorphic worms with network-level length-based signature generation. IEEE/ACM Transactions on Networking, 17(5), 1–14.
Singh, S., Estan, C., Varghese, G., & Savage, S. (2004). Automated worm fingerprinting. In 6th symposium on operating system design and implementation (OSDI), San Diego, CA (pp. 45–60).
Kim, H.-A. & Karp, B. (2004). Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, CA (pp.271–286).
Newsome, J., Karp, B., & Song, D. (2005). Polygraph: Automatically generating signatures for polymorphic worms. In Proceedings of the IEEE symposium on security and privacy, Oakland, California, USA (pp. 226–241).
Yu, W., Wang, X., Calyam, P., Xuan, D., & Zhao, W. (2011). Modeling and detection of camouflaging worm. IEEE Transactions on Dependable and Secure Computing, 8(4), 377–390.
Chen, T., Zhang, X.-S., & Wu, Y. (2014). FPM: Four-factors propagation model for passive P2P worms. Future Generation Computer Systems, 36, 133–141.
Manna, P. K., Chen, S., & Ranka, S. (2010). Inside the permutation-scanning worms: Propagation modeling and analysis. IEEE/ACM Transactions on Networking, 18(3), 858–870.
Yu, W., Zhang, N., Fu, X., & Zhao, W. (2010). Self-disciplinary worms and countermeasures: Modeling and analysis. IEEE Transactions on Parallel and Distributed Systems, 21(10), 1501–1514.
Jackson, J. T., & Creese, S. (2012). Virus propagation in heterogeneous bluetooth networks with human behaviors. IEEE Transactions on Dependable and Secure Computing, 9(6), 930–943.
Sellke, S. H., Shroff, N. B., & Bagchi, S. (2008). Modeling and automated containment of worms. IEEE Transactions on Dependable and Secure Computing, 5(2), 71–86.
Ross, S. (1996). Stochastic processes (2nd ed.). New York: Wiley.
Zou, C. C., Towsley, D., Gong, W., & Cai, S. (2005). Routing worm: A fast, selective attack worm based on IP address information. In Proceedings of 19th ACM/IEEE/SCS workshop on principles of advanced and distributed simulation (PADS).
Staniford, S., Moore, D., Paxson, V., & Weaver, N. (2004). The top speed of flash worms. In Proceedings of the 2004 ACM workshop on rapid malcode, New York (pp. 33–42).
Liljenstam, M., Nicol, D. M., Berk, V. H. & Gray, R. S. (2003). Simulating realistic network worm traffic for worm warning system design and testing. In Proceedings of the ACM Workshop Rapid Malcode (pp. 24–33).
Chen, C.-M., Wang, K.-H., Wu, T.-Y., Pan, J.-S., & Sun, H.-M. (2013). A scalable transitive human-verifiable authentication protocal for mobile devices. IEEE Transactions on Information Forensics and Security, 8(8), 1318–1330.
Pan, J.-S., Wu, T.-Y., Chen, C.-M., & Wang, E.K. (2015). Security analysis of a time-bound hierarchical key assignment scheme. IIH-MSP (pp. 203–206).
Wang, E. K., Cao, Z., Wu, T.-Y., & Chen, C.-M. (2015). MAPMP: A mutual authentication protocol for mobile payment. Journal of Information Hiding and Multimedia Signal Processing, 6(4), 697–707.
Acknowledgments
This work is supported by the national natural science foundation of China under Grant Nos. 61300233, 61402298 and 61472169, the Foundation of Science Public Welfare of Liaoning Province in China (No. 2015003003), the Ph.D. startup Fund of SAU (No. 13YB16).
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Zhou, H., Guo, W. A stochastic worm model. Telecommun Syst 64, 135–145 (2017). https://doi.org/10.1007/s11235-016-0164-4
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11235-016-0164-4