The impact of stochastic variance on worm propagation and detection

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

The most commonly published analytic models of Internet worm behavior use differential equations that express mean field behavior; these equations have deterministic solution. Such models necessarily suppress the expression of stochastic variance in worm behavior. Variance in real worms' behavior have a variety of sources,most particularly that due to random scanning for susceptible hosts. Variance can be explained by a model that focuses on the times of next infection (TNI), which tells us that variance in infection times is due primarily to variance in inter-infection times early in the worm's life. This regime of worm behavior is particularly relevant to simulation-based studies of worm detection mechanisms. The main contributions of this paper are to validate the infection times of the TNI model with respect to a complex scan-oriented model based on Code Red structure, and to empirically evaluate the variance in intuitive and commonly used metrics for worm detection. Our experiments show that the variance is very very high, a result which strongly suggests that evaluation of worm defense mechanisms not overlook this variance as will occur when deterministic models of worm propagation are used.

Original languageEnglish (US)
Title of host publicationProceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
Pages57-64
Number of pages8
DOIs
StatePublished - Dec 1 2006
Event4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06 - Alexandria, VA, United States
Duration: Nov 3 2006Nov 3 2006

Publication series

NameProceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

Other

Other4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
Country/TerritoryUnited States
CityAlexandria, VA
Period11/3/0611/3/06

Keywords

  • Detection
  • Modeling
  • Variance
  • Worms

ASJC Scopus subject areas

  • Software

Fingerprint

Dive into the research topics of 'The impact of stochastic variance on worm propagation and detection'. Together they form a unique fingerprint.

Cite this