Active worms spread in an automated fashion and can flood the Internet in a very short time. Modeling the spread of active worms can help us understand how they propagate and how we can monitor and defend against that propagation effectively. In this paper, we present a mathematical model, referred to as the Analytical Active Worm Propagation (AAWP) model, which characterizes the propagation of worms that employ random scanning. We compare our model with the Epidemiological model and Weaver's simulator. Our results show that our model can characterize the spread of worms effectively. Taking the Code Red v2 worm as an example, we give a quantitative analysis for monitoring, detecting and defending against worms. Furthermore, we extend our AAWP model to understand the spread of worms that employ local subnet scanning. To the best of our knowledge, there is no model for the spread of a worm that employs the localized scanning strategy, and we believe that this is the first attempt at understanding local subnet scanning quantitatively.