A Worm Propagation Model Based on People’s Email Acquaintance Profiles

  • T. Komninos
  • Y. C. Stamatiou
  • G. Vavitsas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4286)


One frequently employed way of propagation exploited by worms is through the victim’s contact book. The contact book, which reflects the acquaintance profiles of people, is used as a “hit-list”, to which the worm can send itself in order to spread fast. In this paper we propose a discrete worm propagation model that relies upon a combined email and Instant Messaging (IM) communication behaviour of users. We also model user reaction against infected email as well as the rate at which antivirus software is installed. User acquaintance is perceived as a “network” connecting users based on their contact book links. We then propose a worm propagation formulation based on a token propagation algorithm, further analyzed with a use of a system of continuous differential equations, as dictated by Wormald’s theorem on approximating “well-behaving” random processes with deterministic functions.


Constraint Satisfaction Problem Instant Messenger Malicious Code Infected Node White Node 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    CERT advisory CA-2004-02Google Scholar
  2. 2.
    CERT advisory CA-2001-26 Nimda WormGoogle Scholar
  3. 3.
    CERT incident note IN-2003-03Google Scholar
  4. 4.
    Gostev, A.: Malware Evolution: Kaspersky Lab Report 4 (January - March 2005)Google Scholar
  5. 5.
    IMlogic Threat Center, Symantec Corporation,
  6. 6.
    Kephart, J.O., White, S.R.: Measuring and Modeling Computer Virus Prevalence. In: Proc. 1993 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, California (1993)Google Scholar
  7. 7.
    Mannan, M., Oorschot, P.: On Instant Messaging Worms, Analysis and Countermeasures. In: Proc. of the 2005 ACM workshop on Rapid malcode (WORM 2005) (2005)Google Scholar
  8. 8.
    Microsoft, How to update your computer with the JPEG processing (GDI+) security update,
  9. 9.
    Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the slammer worm. IEEE security and privacy 1(4), 33–39 (2003)CrossRefGoogle Scholar
  10. 10.
    Murphy, G.M.: Ordinary Differential Equations and their Solutions. D. Van Nostrand Company Inc. (1960)Google Scholar
  11. 11.
    Symantec Internet Security Threat Report Trends for January 05-December 05, vol. VIII and IX (2005)Google Scholar
  12. 12.
    Wang, C., Knight, J., Elder, M.: On computer viral infection and the effect of immunization. In: Proc. of the 16th annual computer security applications conference (ACSAC 2000), New Orleans, LA (December 2000)Google Scholar
  13. 13.
    Wormald, N.C.: The differential equation method for random graph processes and greedy algorithms. Ann. Appl. Probab. 5, 1217–1235 (1995)zbMATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Zou, C.C., Gong, W., Towsley, D.: Code-red worm propagation modeling and analysis. In: Proc. of the 9th ACM conference on Computer and Communications Security, pp. 138–147. ACM Press, New York (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • T. Komninos
    • 3
  • Y. C. Stamatiou
    • 2
    • 3
  • G. Vavitsas
    • 1
    • 3
  1. 1.Department of Computer EngineeringUniversity of PatrasRio, PatrasGreece
  2. 2.Mathematics DepartmentIoanninaGreece
  3. 3.Research and Academic Computer Technology InstituteUniversity of PatrasRio, PatrasGreece

Personalised recommendations