Computer worms have infected millions of computers since the 1980s. For an incident handler or a forensic investigator, it is important to know whether a worm attack on the network was initiated from multiple different sources or from just one node. In this paper, we study the problem of predicting the number of infectious origin nodes when a homogeneous random scanning worm spreads. Knowledge of the number of infectious origin nodes can help in reconstructing the worm attack scene and in identifying the origins of worm propagation. In our approach, we assume the Susceptible-Infectious-Removed (SIR) model for worm propagation and propose three complementary models, namely a deterministic Back-to-Origin model, a stochastic Back-to-Origin model, and a stochastic Back-to-Origin Markov model, to investigate this problem. In our Back-to-Origin models, we run time backwards. We assume prior knowledge of the SIR model's worm propagation parameters. We also assume a snapshot in which the number of susceptible, infectious, and removed nodes is known. Our deterministic Back-to-Origin model is a new SIR model in which we define a susceptibility rate parameter. In our stochastic Back-to-Origin model, we introduce an allegation pressure parameter and probabilistically estimate the number of alleged nodes that were initially infectious. The stochastic Back-to-Origin Markov model is constructed on a continuous-time Markov chain, and it predicts the number of infectious nodes at each time of worm propagation. We applied simulations to study the accuracy of our models. The results indicate that our stochastic Back-to-Origin model conforms to the epidemic with high accuracy. Moreover, in numerical experiments with our stochastic Back-to-Origin Markov model, we investigate the probabilistic number of infectious nodes.
Compared with other approaches, the method of this paper requires little information and few assumptions, while it gives useful results.
Copyright © 2015 John Wiley & Sons, Ltd.
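The "run time backwards from a snapshot" idea behind the deterministic Back-to-Origin model, as an added illustration that is not the paper's own model or code: the classic SIR equations (dS/dt = -βSI/N, dI/dt = βSI/N - γI, dR/dt = γI) are integrated forward to produce a snapshot and then integrated backwards from that snapshot to recover how many nodes were infectious at time 0. The ODE form, the parameter names `beta`, `gamma` and `n`, the helper names and the sample values are all assumptions; the paper's susceptibility rate parameter is not reproduced here.

```python
"""Deterministic back-to-origin estimate for a random-scanning worm.

Added illustration: integrates the classic SIR equations backwards in time
from a known (S, I, R) snapshot to estimate how many nodes were infectious
at time 0. The ODE form, parameter names and sample values are assumptions,
not the paper's own model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SIRParams:
    beta: float   # infection rate per infectious node (homogeneous scanning)
    gamma: float  # removal rate (cleanup / patching)
    n: int        # total number of nodes, S + I + R == n


def sir_rhs(state, p):
    """Right-hand side of dS/dt, dI/dt, dR/dt for the classic SIR model."""
    s, i, r = state
    new_infections = p.beta * s * i / p.n
    removals = p.gamma * i
    return (-new_infections, new_infections - removals, removals)


def rk4_step(state, p, h):
    """One Runge-Kutta 4 step; a negative h steps backwards in time."""
    k1 = sir_rhs(state, p)
    k2 = sir_rhs(tuple(x + 0.5 * h * k for x, k in zip(state, k1)), p)
    k3 = sir_rhs(tuple(x + 0.5 * h * k for x, k in zip(state, k2)), p)
    k4 = sir_rhs(tuple(x + h * k for x, k in zip(state, k3)), p)
    return tuple(
        x + h / 6.0 * (a + 2 * b + 2 * c + d)
        for x, a, b, c, d in zip(state, k1, k2, k3, k4)
    )


def integrate(state, p, duration, h):
    """Advance `state` by `duration` time units with fixed step h (sign gives direction)."""
    steps = int(round(duration / abs(h)))
    for _ in range(steps):
        state = rk4_step(state, p, h)
    return state


def forward_snapshot(i0, p, t_snap, h=0.01):
    """Simulate the epidemic forward from i0 initially infectious nodes."""
    return integrate((float(p.n - i0), float(i0), 0.0), p, t_snap, h)


def back_to_origin(snapshot, p, t_snap, h=0.01):
    """Run time backwards from the snapshot to time 0 and return (S, I, R) there."""
    s, i, r = snapshot
    if abs(s + i + r - p.n) > 1e-6 * p.n:
        raise ValueError("snapshot does not sum to the assumed node count")
    return integrate((s, i, r), p, t_snap, -h)


def estimate_origin_count(snapshot, p, t_snap, h=0.01):
    """Integer estimate of the number of initially infectious nodes."""
    _, i0, _ = back_to_origin(snapshot, p, t_snap, h)
    # A negative or oversized result means the snapshot is inconsistent with the
    # assumed parameters or elapsed time (wrong beta/gamma, wrong t_snap).
    if i0 < -0.5 or i0 > p.n:
        raise ValueError(f"inconsistent snapshot: I(0) = {i0:.2f}")
    return max(0, round(i0))


if __name__ == "__main__":
    # Constructed sample values, not measurements from any real incident.
    params = SIRParams(beta=0.5, gamma=0.1, n=10_000)
    snap = forward_snapshot(3, params, t_snap=15.0)
    print("snapshot (S, I, R):", tuple(round(x, 1) for x in snap))
    print("estimated origin count:", estimate_origin_count(snap, params, 15.0))
```

Near time 0 the infectious count is small and grows exponentially forward, so integrating backwards contracts errors in I and the round trip recovers the origin count cleanly; the check in `estimate_origin_count` is what flags a snapshot that cannot have arisen from the assumed parameters and elapsed time.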