Deterministic and stochastic models for the detection of random constant scanning worms

Kurt R. Rohloff, Tamer Baçar

Research output: Contribution to journalArticlepeer-review

19 Scopus citations

Abstract

This article discusses modeling and detection properties associated with the stochastic behavior of Random Constant Scanning (RCS) worms. Although these worms propagate by randomly scanning network addresses to find hosts that are susceptible to infection, traditional RCS worm models are fundamentally deterministic. A density-dependent Markov jump process model for RCS worms is presented and analyzed herein. Conditions are shown for when some stochastic properties of RCS worm propagation can be ignored and when deterministic RCS worm models can be used. A computationally simple hybrid deterministic/ stochastic point-process model for locally observed scanning behavior due to the global propagation of an RCS scanning worm epidemic is presented. An optimal hypothesis-testing approach is presented to detect epidemics of these under idealized conditions based on the cumulative sums of log-likelihood ratios using the hybrid RCS worm model. This article presents in a mathematically rigorous fashion why detection techniques that are only based on passively monitoring local IP addresses cannot quickly detect the global propagation of an RCS worm epidemic with a low false alarm rate, even under idealized conditions.

Original languageEnglish (US)
Article number8
JournalACM Transactions on Modeling and Computer Simulation
Volume18
Issue number2
DOIs
StatePublished - Apr 1 2008
Externally publishedYes

All Science Journal Classification (ASJC) codes

  • Modeling and Simulation
  • Computer Science Applications

Keywords

  • Epidemic modeling
  • Hypothesis testing
  • Stochastic analysis
  • Worms

Fingerprint

Dive into the research topics of 'Deterministic and stochastic models for the detection of random constant scanning worms'. Together they form a unique fingerprint.

Cite this