Characterizing internet worm infection structure

Authors:
Qian Wang;Zesheng Chen;Chao Chen
Affiliations:
Florida International University, Miami, Florida;Indiana University-Purdue University Fort Wayne, Fort Wayne, Indiana;Indiana University-Purdue University Fort Wayne, Fort Wayne, Indiana
Venue:
LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
Year:
2011

Citing 11
Cited 2

Introduction to Algorithms

Introduction to Algorithms
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Worm Origin Identification Using Random Moonwalks

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
The monitoring and early detection of internet worms

IEEE/ACM Transactions on Networking (TON)
On the performance of internet worm scanning strategies

Performance Evaluation
Effective worm detection for various scan techniques

Journal of Computer Security
Optimal worm-scanning method using vulnerable-host distributions

International Journal of Security and Networks
On the race of worms, alerts, and patches

IEEE/ACM Transactions on Networking (TON)
Automating analysis of large-scale botnet probing events

Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
An Advanced Hybrid Peer-to-Peer Botnet

IEEE Transactions on Dependable and Secure Computing
Sampling strategies for epidemic-style information dissemination

IEEE/ACM Transactions on Networking (TON)

The SIC botnet lifecycle model: A step beyond traditional epidemiological models

Computer Networks: The International Journal of Computer and Telecommunications Networking
A scalable network forensics mechanism for stealthy self-propagating attacks

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Internet worm infection continues to be one of top security threats and has been widely used by botnets to recruit new bots. In this work, we attempt to quantify the infection ability of individual hosts and reveal the key characteristics of the underlying topology formed by worm infection, i.e., the number of children and the generation of the worm infection family tree. Specifically, we apply probabilistic modeling methods and a sequential growth model to analyze the infection tree of a wide class of worms. Through both mathematical analysis and simulation, we find that the number of children has asymptotically a geometric distribution with parameter 0.5. As a result, on average half of infected hosts never compromise any vulnerable host, over 98% of infected hosts have no more than five children, and a small portion of infected hosts have a large number of children. We also discover that the generation follows closely a Poisson distribution and the average path length of the worm infection family tree increases approximately logarithmically with the total number of infected hosts.