Key Factors Influencing Worm Infection in Enterprise Networks

  • Urupoj Kanlayasiri
  • Surasak Sanguanpong
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3786)


Worms are a key vector of computer attacks that produce great damage of enterprise networks. Little is known about either the effect of host and network configuration factors influencing worm infection or the approach to predict the number of infected hosts. In this paper we present the results of real worm attacks to determine the factors influencing worm infection, and to propose the prediction model of worm damage. Significant factors are extracted from host and network configuration: openness, homogeneity, and trust. Based on these different factors, fuzzy decision is used to produce the accurate prediction of worm damage. The contribution of this work is to understand the effect of factors and the risk level of infection for preparing the protection, responsiveness, and containment to lessen the damage that may occur. Experimental results show that the selected parameters are strongly correlated with actual infection, and the proposed model produces accurate estimates.


Root Mean Square Error Membership Function Infected Host Damage Threshold Fuzzy Decision 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Staniford, S., Paxon, V., Weaver, N.: How to 0wn the Internet in Your Spare Time. In: Proceedings of the 11th USENIX Security Symposium, pp. 149–167 (2002)Google Scholar
  2. 2.
    Moore, D., Shannon, C.: Code-Red: a Case Study on the Spread and Victims of an Internet Worm. In: Proceedings of the ACM SICGOMM Internet Measurement Workshop, pp. 273–284 (2002)Google Scholar
  3. 3.
    Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: Proceedings of the IEEE INFOCOM Conference, pp. 1901–1910 (2003)Google Scholar
  4. 4.
    Moore, D., Paxon, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: The Spread of the Sapphire/Slammer Worm. In: CAIDA (2003)Google Scholar
  5. 5.
    CERT/CC Advisory: Nimda worm. CA-2001-26, CERT (2001)Google Scholar
  6. 6.
    CERT/CC Advisory: W32/Blaster worm. CA-2003-20, CERT (2003)Google Scholar
  7. 7.
    Jang, J.R.: Neuro-Fuzzy and Soft Computing. Prentice-Hall, Englewood Cliffs (1997)Google Scholar
  8. 8.
    Timothy, J.R.: Fuzzy Logic With Engineering Applications. McGRAW-HILL, Singapore (1997)Google Scholar
  9. 9.
    Kim, C.J.: An Algorithmic Approach for Fuzzy Inference. IEEE Transaction on Fuzzy Systems 5(4), 585–598 (1997)CrossRefGoogle Scholar
  10. 10.
    Toth, T., Kruegel, C.: Connection-history Based Anomaly Detection. In: Proceedings of the IEEE Workshop on Information Assurance and Security, pp. 30–35 (2002)Google Scholar
  11. 11.
    Williamson, M.: Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code. HP Laboratories Bristol, Report No. HPL-2002-172 (2002)Google Scholar
  12. 12.
    Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Rowe, J., Staniford Chen, S., Yip, R., Zerkle, D.: The Design of GrIDS: A Graph-Based Intrusion Detection System. Computer Science Dept., UC Davis, Report No. CSE-99-2 (1999)Google Scholar
  13. 13.
    Kephart, J.O., White, R.S.: Measuring and Modeling Computer Virus Prevalence. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 2–14 (1993)Google Scholar
  14. 14.
    Eustice, K., Kleinrock, L., Markstrum, S., Popek, G., Ramakrishna, V., Reiher, P.: Securing Nomads: The Case for Quarantine, Examination and Decontamination. In: Proceedings of the ACM New Security Paradigms Workshop, pp. 123–128 (2004)Google Scholar
  15. 15.
    Kephart, J.O., White, R.S.: Directed-graph Epidemiological Models of Computer Virus Prevalence. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 343–359 (1993)Google Scholar
  16. 16.
    Zou, C.C., Gong, W., Towsley, D.: Code Red Worm Propagation Modeling and Analysis. In: Proceedings of the ACM CCS 2002, pp. 138–147 (2002)Google Scholar
  17. 17.
    Chen, Z., Gao, L., Kwiat, K.: Modeling the Spread of Active Worms. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 1890–1900 (2003)Google Scholar
  18. 18.
    Ellis, D.: Worm Anatomy and Model. In: Proceedings of the ACM Worm 2003, pp. 42–50 (2003)Google Scholar
  19. 19.
    Kenzle, D.M., Elder, M.C.: Recent Worms: A Survey and Trends. In: Proceedings of the ACM Worm 2003, pp. 1–10 (2003)Google Scholar
  20. 20.
    Wegner, A., Dubendorfer, T., Plattner, B., Hiestand, R.: Experiences with Worm Propagation Simulations. In: Proceedings of the ACM Worm 2003, pp. 34–41 (2003)Google Scholar
  21. 21.
    Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A Taxonomy of Computer Worms. In: Proceedings of the ACM Worm 2003, pp. 11–18 (2003)Google Scholar
  22. 22.
    Wang, C., Knight, J., Elder, M.: On computer viral infection and the effect of immunization. In: Proceedings of the 16th Annual Computer Security Applications Conference, pp. 246–256 (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Urupoj Kanlayasiri
    • 1
  • Surasak Sanguanpong
    • 2
  1. 1.Office of Computer ServicesKasetsart UniversityChatuchak, BangkokThailand
  2. 2.Department of Computer EngineeringKasetsart UniversityChatuchak, BangkokThailand

Personalised recommendations