The Impact of Stochastic Variance on Worm Propagation and Detection
The most commonly published analytic models of Internet worm behavior use differential equations that express mean field behavior; these equations have deterministic solution. Such models necessarily suppress the expression of stochastic variance in worm behavior. Variance in real worms' behavior have a variety of sources,most particularly that due to random scanning for susceptible hosts. Variance can be explained by a model that focuses on the times of next infection (TNI), which tells us that variance in infection times is due primarily to variance in inter-infection times early in the worm's life. This regime of worm behavior is particularly relevant to simulation-based studies of worm detection mechanisms. The main contributions of this paper are to validate the infection times of the TNI model with respect to a complex scan-oriented model based on Code Red structure, and to empirically evaluate the variance in intuitive and commonly used metrics for worm detection. Our experiments show that the variance is very very high, a result which strongly suggests that evaluation of worm defense mechanisms not overlook this variance as will occur when deterministic models of worm propagation are used.
This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.
- The following copyright notice applies to all of the above items that appear in IEEE publications: "Personal use of this material is permitted. However, permission to reprint/publish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from IEEE."
- The following copyright notice applies to all of the above items that appear in ACM publications: "© ACM, effective the year of publication shown in the bibliographic information. This file is the author’s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in the journal or proceedings indicated in the bibliographic data for each item."
- The following copyright notice applies to all of the above items that appear in IFAC publications: "Document is being reproduced under permission of the Copyright Holder. Use or reproduction of the Document is for informational or personal use only."