This article discusses modeling and detection properties associated with the stochastic behavior of Random Constant Scanning (RCS) worms. Although these worms propagate by randomly scanning network addresses to find hosts that are susceptible to infection, traditional RCS worm models are fundamentally deterministic. A density-dependent Markov jump process model for RCS worms is presented and analyzed herein. Conditions are shown for when some stochastic properties of RCS worm propagation can be ignored and when deterministic RCS worm models can be used. A computationally simple hybrid deterministic/stochastic point-process model is presented for locally observed scanning behavior due to the global propagation of an RCS worm epidemic. An optimal hypothesis-testing approach is presented to detect these epidemics under idealized conditions, based on the cumulative sums of log-likelihood ratios using the hybrid RCS worm model. This article shows in a mathematically rigorous fashion why detection techniques that are based only on passively monitoring local IP addresses cannot quickly detect the global propagation of an RCS worm epidemic with a low false alarm rate, even under idealized conditions.