A Worm Propagation Model Based on People’s Email Acquaintance Profiles
Worms frequently propagate through the victim’s contact book. The contact book, which reflects the acquaintance profiles of people, is used as a “hit-list” to which the worm can send itself in order to spread fast. In this paper we propose a discrete worm propagation model that relies upon the combined email and Instant Messaging (IM) communication behaviour of users. We also model user reaction against infected email as well as the rate at which antivirus software is installed. User acquaintance is perceived as a “network” connecting users based on their contact book links. We then propose a worm propagation formulation based on a token propagation algorithm, further analyzed with the use of a system of continuous differential equations, as dictated by Wormald’s theorem on approximating “well-behaving” random processes with deterministic functions.
Keywords: Constraint Satisfaction Problem, Instant Messenger, Malicious Code, Infected Node, White Node