DOI: 10.1145/1179542.1179555

The impact of stochastic variance on worm propagation and detection

Published: 03 November 2006

Abstract

The most commonly published analytic models of Internet worm behavior use differential equations that express mean field behavior; these equations have deterministic solutions. Such models necessarily suppress the expression of stochastic variance in worm behavior. Variance in real worms' behavior has a variety of sources, most particularly random scanning for susceptible hosts. Variance can be explained by a model that focuses on the times of next infection (TNI), which tells us that variance in infection times is due primarily to variance in inter-infection times early in the worm's life. This regime of worm behavior is particularly relevant to simulation-based studies of worm detection mechanisms. The main contributions of this paper are to validate the infection times of the TNI model with respect to a complex scan-oriented model based on Code Red structure, and to empirically evaluate the variance in intuitive and commonly used metrics for worm detection. Our experiments show that the variance is very, very high, a result which strongly suggests that evaluation of worm defense mechanisms should not overlook this variance, as will occur when deterministic models of worm propagation are used.
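The abstract's claim that variance in infection times comes mainly from early inter-infection times can be checked numerically. The following is an added example, not code from the paper: it assumes a simplified continuous-time random-scanning model in which the time to the next infection is exponential (not the paper's TNI model), and the values of `OMEGA`, `N` and `SCAN_RATE` are constructed.

```python
import math
import random

# Constructed parameters (assumptions, not taken from the paper).
OMEGA = 2 ** 32      # address space scanned uniformly at random
N = 360_000          # susceptible population at the start
SCAN_RATE = 10.0     # scans per second per infected host

def rate(i):
    """Rate of the next infection while i hosts are infected."""
    return SCAN_RATE * i * (N - i) / OMEGA

def mean_and_variance(k):
    """Mean and variance of the time to grow from 1 to k infected hosts.
    Inter-infection times are independent exponentials, so both add up."""
    mean = sum(1.0 / rate(i) for i in range(1, k))
    var = sum(1.0 / rate(i) ** 2 for i in range(1, k))
    return mean, var

def early_share(k, first):
    """Fraction of that variance contributed by the first `first` infections."""
    early = sum(1.0 / rate(i) ** 2 for i in range(1, first + 1))
    return early / mean_and_variance(k)[1]

def simulate(k, rng):
    """One stochastic run: time in seconds until k hosts are infected."""
    return sum(rng.expovariate(rate(i)) for i in range(1, k))

def sample_std(k, runs, seed=1):
    """Standard deviation of the time-to-k over `runs` simulated outbreaks."""
    rng = random.Random(seed)
    times = [simulate(k, rng) for _ in range(runs)]
    m = sum(times) / runs
    return math.sqrt(sum((t - m) ** 2 for t in times) / (runs - 1))

if __name__ == "__main__":
    k = 1000
    mean, var = mean_and_variance(k)
    print(f"time to {k} infections: mean {mean:.0f}s, std {math.sqrt(var):.0f}s")
    print(f"simulated std over 2000 runs: {sample_std(k, 2000):.0f}s")
    half = N // 2
    print(f"share of variance from first infection: {early_share(half, 1):.2f}")
    print(f"share of variance from first 10:       {early_share(half, 10):.2f}")
```

A deterministic mean-field solution reports only the mean curve, so a detector tuned against it sees none of the spread in when a given infection count is reached.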

Published In

WORM '06: Proceedings of the 4th ACM workshop on Recurring malcode
November 2006
88 pages
ISBN:1595935517
DOI:10.1145/1179542
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. detection
  2. modeling
  3. variance
  4. worms

Qualifiers

  • Article

Conference

CCS06
Cited By

  • (2023) Quantitative Analysis of Worm Transmission and Insider Risks in Air-Gapped Networking Using a Novel Machine Learning Approach. IEEE Access 11 (111034-111052). DOI: 10.1109/ACCESS.2023.3322924. Online publication date: 2023
  • (2019) Modeling Worm Propagation and Insider Threat in Air-Gapped Network using Modified SEIQV Model. 2019 13th International Conference on Signal Processing and Communication Systems (ICSPCS) (1-6). DOI: 10.1109/ICSPCS47537.2019.9008687. Online publication date: Dec-2019
  • (2019) Securing a communication channel for the trusted execution environment. Computers and Security 83:C (79-92). DOI: 10.1016/j.cose.2019.01.012. Online publication date: 1-Jun-2019
  • (2018) Explaining the privacy paradox. Computers and Security 77:C (226-261). DOI: 10.1016/j.cose.2018.04.002. Online publication date: 1-Aug-2018
  • (2013) Toward early warning against Internet worms based on critical-sized networks. Security and Communication Networks 6:1 (78-88). DOI: 10.1002/sec.534. Online publication date: 1-Jan-2013
  • (2012) Heterogeneity in vulnerable hosts slows down worm propagation. 2012 IEEE Global Communications Conference (GLOBECOM) (923-928). DOI: 10.1109/GLOCOM.2012.6503231. Online publication date: Dec-2012
  • (2012) Strategy of fast and light-load cloud-based proactive benign worm countermeasure technology to contain worm propagation. The Journal of Supercomputing 62:3 (1451-1479). DOI: 10.1007/s11227-012-0812-8. Online publication date: 16-Aug-2012
  • (2011) Simulating network cyber attacks using splitting techniques. Proceedings of the Winter Simulation Conference (3217-3228). DOI: 10.5555/2431518.2431899. Online publication date: 11-Dec-2011
  • (2011) A Revised Benign Worm-Anti-Worm Propagation Model. Applied Mechanics and Materials 121-126 (4340-4344). DOI: 10.4028/www.scientific.net/AMM.121-126.4340. Online publication date: Oct-2011
  • (2011) A Large-Scale Network Worm Emulation Experimental Environment. Proceedings of the 2011 First International Conference on Instrumentation, Measurement, Computer, Communication and Control (837-842). DOI: 10.1109/IMCCC.2011.212. Online publication date: 21-Oct-2011
