EMBER: a global perspective on extreme malicious behavior
Proceedings of the Seventh International Symposium on Visualization for Cyber Security
Modeling and containment of search worms targeting web applications
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
An automated worm containment scheme
WISM'10 Proceedings of the 2010 international conference on Web information systems and mining
Toward early warning against Internet worms based on critical-sized networks
Security and Communication Networks
An agent-based model to simulate coordinated response to malware outbreak within an organisation
International Journal of Information and Computer Security
Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due to their enormously adverse impact on the Internet. Thus, there is great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms and then extended to preference scanning worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for uniform scanning worms, we are able to (1) provide a precise condition that determines whether the worm spread will eventually stop and (2) obtain the distribution of the total number of hosts that the worm infects. We then extend our results to contain preference scanning worms. Our strategy is based on limiting the number of scans to dark-address space. The limiting value is determined by our analysis. Our automatic worm containment scheme effectively contains both uniform scanning worms and local preference scanning worms, and it is validated through simulations and real trace data to be non-intrusive. We also show how to incrementally deploy our worm containment strategy.
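The containment idea in the abstract can be illustrated with a Galton-Watson branching process; this is an added example, not code from the paper. It assumes a uniform scanner over the IPv4 space, a constructed vulnerable population of 360,000 hosts, a cap on total scans per host (the paper limits scans to dark-address space), and no depletion of the vulnerable pool, so the spread dies out with probability 1 when the expected offspring count M*p is at most 1.

```python
import math
import random

ADDRESS_SPACE = 2 ** 32   # uniform scanning over the IPv4 space
VULNERABLE = 360_000      # assumed vulnerable population (constructed value)

def offspring_mean(scan_limit, vulnerable=VULNERABLE):
    """Expected hosts infected by one infected host allowed scan_limit scans."""
    return scan_limit * vulnerable / ADDRESS_SPACE

def binomial(rng, n, p):
    """Exact Binomial(n, p) draw, jumping between hits (fast for tiny p)."""
    hits, pos, log_q = 0, 0, math.log1p(-p)
    while True:
        pos += int(math.log(1.0 - rng.random()) / log_q) + 1
        if pos > n:
            return hits
        hits += 1

def outbreak_size(rng, scan_limit, initial=1, vulnerable=VULNERABLE, cap=10_000):
    """Total infected hosts in one run; returns cap if the worm escapes."""
    p = vulnerable / ADDRESS_SPACE
    total = active = initial
    while active and total < cap:
        # Each infected host is cut off after scan_limit scans.
        active = sum(binomial(rng, scan_limit, p) for _ in range(active))
        total += active
    return min(total, cap)

def summarize(scan_limit, runs=2000, initial=1, seed=1):
    """Return (mean outbreak size, fraction of runs that reached the cap)."""
    rng = random.Random(seed)
    sizes = [outbreak_size(rng, scan_limit, initial) for _ in range(runs)]
    escaped = sum(s >= 10_000 for s in sizes) / runs
    return sum(sizes) / runs, escaped

if __name__ == "__main__":
    for limit in (5_000, 20_000):
        mean, escaped = summarize(limit, runs=200, initial=10)
        print(f"M={limit}: M*p={offspring_mean(limit):.2f}, "
              f"mean size={mean:.1f}, escaped={escaped:.0%}")
```

Below the threshold the mean outbreak size from one initial host approaches 1/(1 - M*p); above it, most runs started from ten hosts grow until they hit the simulation cap.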