JCP 2016 Vol.11(6): 479-487 ISSN: 1796-203X
doi: 10.17706/jcp.11.6.479-487
A Stochastic Model for the Size of Worm Origin
Tala Tafazzoli, Babak Sadeghiyan
Computer IT Department, Amirkabir University of Technology, Tehran, 15875-4413, Iran.
Abstract—Computer worms have infected millions of computers since the 1980s. For an incident handler or a forensic investigator, it is important to know whether a worm attack on the network was initiated from multiple different sources or from just one node. In this paper, we study the problem of predicting the number of infectious nodes at each step of worm propagation during the spread of a homogeneous random scanning worm. Knowledge of the number of infectious nodes can help in reconstructing the worm attack scene and in identifying the origins of worm propagation.
In our approach, we assume the Susceptible-Infectious-Removed (SIR) model for worm propagation and propose two complementary models, i.e. the deterministic Back-to-Origin model and the stochastic Back-to-Origin Markov model, to investigate the above problem.
In our Back-to-Origin models, we run time backwards. We assume prior knowledge of the worm infection propagation parameters of the SIR model. We also assume that a snapshot is available in which the numbers of susceptible, infectious and removed nodes are known.
Our deterministic Back-to-Origin model is a new SIR model in which we define a susceptibility rate parameter. The stochastic Back-to-Origin Markov model is constructed based on the Continuous-Time-Markov-Chain. The number of infectious nodes at each time of worm propagation is predicted with our stochastic Markov model.
We ran simulations to study the accuracy of our models. In numerical experiments with our stochastic Back-to-Origin Markov model, we investigate the probabilistic number of infectious nodes. Compared to other approaches, the method of this paper requires little information and few assumptions, while giving useful results.
Index Terms—Worm modeling, Back-to-Origin model, infection rate, susceptibility rate, Continuous-Time-Markov-Chain.
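The idea of running time backwards from a known snapshot can be illustrated with the following added example, which is not the authors' code and does not implement the paper's Back-to-Origin equations (they are not given on this page). It assumes the textbook mass-action SIR equations, constructed parameter values, and a known elapsed time since the outbreak began; all function and variable names are hypothetical.

```python
# Added illustration: classic SIR worm model integrated backward from a snapshot.
# The equations, parameter values and names are assumptions, not the paper's model.

def sir_rates(state, beta, gamma):
    """Textbook SIR derivatives for a homogeneous random-scanning worm."""
    s, i, r = state
    infections = beta * s * i  # susceptible hosts hit by scans per unit time
    removals = gamma * i       # infectious hosts patched or cleaned per unit time
    return (-infections, infections - removals, removals)


def _step(state, slope, h):
    """Move each compartment along `slope` by step size h."""
    return tuple(x + h * dx for x, dx in zip(state, slope))


def integrate(state, beta, gamma, duration, steps=2000):
    """RK4 over `duration` time units; a negative duration runs time backwards."""
    h = duration / steps
    for _ in range(steps):
        k1 = sir_rates(state, beta, gamma)
        k2 = sir_rates(_step(state, k1, h / 2), beta, gamma)
        k3 = sir_rates(_step(state, k2, h / 2), beta, gamma)
        k4 = sir_rates(_step(state, k3, h), beta, gamma)
        slope = tuple((a + 2 * b + 2 * c + d) / 6
                      for a, b, c, d in zip(k1, k2, k3, k4))
        state = _step(state, slope, h)
    return state


def back_to_origin(snapshot, beta, gamma, elapsed):
    """Estimate (S, I, R) `elapsed` time units before the snapshot was taken."""
    return integrate(snapshot, beta, gamma, -elapsed)


# Constructed scenario: 10,000 hosts, 3 initial infectious nodes, no removals yet.
BETA, GAMMA, ELAPSED = 8e-5, 0.1, 10.0
ORIGIN = (9997.0, 3.0, 0.0)

if __name__ == "__main__":
    snapshot = integrate(ORIGIN, BETA, GAMMA, ELAPSED)  # what the investigator sees
    estimate = back_to_origin(snapshot, BETA, GAMMA, ELAPSED)
    print("snapshot (S, I, R):", [round(x, 1) for x in snapshot])
    print("estimated origin size:", round(estimate[1]))
```

The deterministic round trip recovers the constructed origin only because the rates and elapsed time are assumed to be known exactly; uncertainty in either is what a stochastic treatment has to account for.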
Cite: Tala Tafazzoli, Babak Sadeghiyan, "A Stochastic Model for the Size of Worm Origin," Journal of Computers vol. 11, no. 6, pp. 479-487, 2016.