Abstract

Computer worms have infected millions of computers since the 1980s. For an incident handler or forensic investigator it is important to know whether a worm attack on a network was launched from several different sources or from a single node. In this paper we study the problem of estimating the number of infectious origin nodes when a homogeneous random-scanning worm spreads. Knowing this number can help reconstruct the attack and identify where the propagation started. We assume the Susceptible-Infectious-Removed (SIR) model of worm propagation and propose three complementary models to investigate the problem: a deterministic Back-to-Origin model, a stochastic Back-to-Origin model, and a stochastic Back-to-Origin Markov model. In all Back-to-Origin models, time is run backwards. We assume prior knowledge of the worm's SIR propagation parameters and a snapshot in which the numbers of susceptible, infectious, and removed nodes are known. The deterministic Back-to-Origin model is a new SIR model in which we define a susceptibility rate parameter. In the stochastic Back-to-Origin model we introduce an allegation pressure parameter and probabilistically estimate the number of alleged nodes, that is, the nodes that were infectious at the start. The stochastic Back-to-Origin Markov model is built on a continuous-time Markov chain and predicts the number of infectious nodes at each point during the propagation. We use simulations to study the accuracy of the models; the results indicate that the stochastic Back-to-Origin model matches the epidemic with high accuracy. In numerical experiments with the stochastic Back-to-Origin Markov model, we investigate the probability distribution of the number of infectious nodes.
Compared with other approaches, the method of this paper requires little information and few assumptions while still yielding useful results.
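The following is an added illustration of the two ideas the abstract rests on, not the paper's own Back-to-Origin models: (1) with known SIR parameters and a snapshot (S, I, R), the deterministic SIR equations can be integrated with a negative time step to recover the number of infectious nodes at time 0, and (2) the same epidemic seen as a continuous-time Markov chain is random, so a single snapshot does not pin the origin count down. The code uses the textbook SIR equations with a fourth-order Runge-Kutta integrator and a Gillespie simulation of the CTMC; the parameter values, population size, snapshot time and seeds are assumptions chosen for the example, and the susceptibility rate and allegation pressure parameters of the paper are not modelled.

```python
"""Forward and backward SIR integration for a homogeneous random-scanning
worm, plus a CTMC (Gillespie) simulation of the same epidemic.

Added illustration, not the paper's models: the classic SIR equations are
used unchanged, and the backward step is plain reverse-time integration from
a snapshot (S, I, R) under known parameters. beta, gamma, N, the snapshot
time and the seeds are assumed values chosen for this example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SIRParams:
    beta: float   # infection rate per infectious node (scan rate x hit probability)
    gamma: float  # removal rate (patching, cleaning or disconnecting a host)
    n: int        # number of addressable hosts in the monitored network


def sir_rates(state, p):
    """Right-hand side of the SIR ODEs: (dS/dt, dI/dt, dR/dt)."""
    s, i, _ = state
    infections = p.beta * s * i / p.n
    removals = p.gamma * i
    return (-infections, infections - removals, removals)


def rk4_step(state, p, h):
    """One classical Runge-Kutta step of size h; h < 0 runs time backwards."""
    k1 = sir_rates(state, p)
    k2 = sir_rates(tuple(x + 0.5 * h * k for x, k in zip(state, k1)), p)
    k3 = sir_rates(tuple(x + 0.5 * h * k for x, k in zip(state, k2)), p)
    k4 = sir_rates(tuple(x + h * k for x, k in zip(state, k3)), p)
    return tuple(
        x + h / 6.0 * (a + 2 * b + 2 * c + d)
        for x, a, b, c, d in zip(state, k1, k2, k3, k4)
    )


def integrate(state, p, duration, h=0.01):
    """Integrate for |duration| time units; a negative duration goes backwards."""
    steps = int(round(abs(duration) / h))
    step = h if duration >= 0 else -h
    for _ in range(steps):
        state = rk4_step(state, p, step)
    return state


def origins_from_snapshot(snapshot, p, elapsed, h=0.01):
    """Deterministic back-to-origin estimate: the number of infectious nodes
    at time 0, given a snapshot taken `elapsed` time units into the outbreak."""
    _, i0, _ = integrate(snapshot, p, -elapsed, h)
    return i0


def gillespie_sir(p, i0, t_end, seed=1):
    """Exact sample path of the SIR continuous-time Markov chain (Gillespie's
    direct method). Returns the integer (S, I, R) counts at t_end."""
    rng = random.Random(seed)
    s, i, r = p.n - i0, i0, 0
    t = 0.0
    while i > 0:  # the chain is absorbed once no infectious node remains
        infect = p.beta * s * i / p.n
        remove = p.gamma * i
        total = infect + remove
        t += rng.expovariate(total)  # waiting time until the next event
        if t > t_end:
            break
        if rng.random() * total < infect:
            s, i = s - 1, i + 1  # a scan hit a susceptible host
        else:
            i, r = i - 1, r + 1  # an infectious host was removed
    return (s, i, r)


def estimate_origins_stochastic(p, i0_true, t_snapshot, runs, seed=1):
    """Apply the deterministic back-to-origin estimate to CTMC snapshots.
    The spread of the returned estimates shows how much a single snapshot
    can mislead when the early phase of the outbreak was governed by chance."""
    estimates = []
    for k in range(runs):
        snap = gillespie_sir(p, i0_true, t_snapshot, seed=seed + k)
        estimates.append(origins_from_snapshot(tuple(map(float, snap)), p, t_snapshot))
    return estimates


if __name__ == "__main__":
    params = SIRParams(beta=1.0, gamma=0.1, n=10_000)  # assumed values
    snap = integrate((params.n - 5.0, 5.0, 0.0), params, 6.0)
    print("deterministic snapshot at t=6:", snap)
    print("back-to-origin estimate of I(0):", origins_from_snapshot(snap, params, 6.0))
    ests = estimate_origins_stochastic(params, 5, 6.0, runs=20)
    print("estimates from 20 CTMC snapshots:", [round(e, 1) for e in ests])
```

The deterministic round trip recovers I(0) almost exactly because the SIR flow is reversible given exact parameters; the estimates computed from CTMC snapshots scatter around the true value, which is why a probabilistic treatment of the origin count is needed. Both steps also assume that beta and gamma are known and constant, so errors in those parameters translate directly into errors in the recovered origin count.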

  • Publication date: 2016-07-10