Towards Early Warning Against Internet Worms Based on Critical-Sized Networks

Abstract.

In this paper we build on a recent stochastic worm propagation model [1], in which random effects during worm spreading were modeled by means of a stochastic differential equation. Based on this model, we introduce the notion of the critical size of a network, which is the least size of a network that needs to be monitored in order to correctly project the behavior of a worm in substantially larger networks. We provide a method for the theoretical estimation of the critical size of a network with respect to a worm with specific characteristics. Our motivation is the requirement in real systems to balance the needs for accuracy (i.e., monitoring a network of sufficient size in order to reduce false alarms) and performance (i.e., monitoring a small-scale network to reduce complexity). In addition, we run simulation experiments to validate our arguments experimentally. Finally, based on the notion of critical-sized networks, we propose a logical framework for a distributed early warning system against unknown and fast-spreading worms. In the proposed framework, propagation parameters of an early-detected worm are estimated in real time by studying a critical-sized network. In this way, security is enhanced, as estimations generated by a critical-sized network may help large-scale networks to respond faster to new worm threats.

Keywords: Monitoring worm propagation; stochastic models; critical-size networks; early warning
