Worm virulence estimation for the containment of local worm outbreak

A worm-infected host scanning globally may not cause any new infection in its underlying local network before it is detected and quarantined by a worm detector. To defend this type of scanning hosts, a number of worm scanner detection methods such as failed scan detection, honeypot, and dark port detection are proposed. However, for a stealthier worm limiting its scan inside an enterprise network, the chance of a successful local outbreak increases substantively due to the more limited scan space. To protect a local or enterprise network against a local outbreak, we need a coordinated and cost-conscious defense that entails an accurate estimate of worm virulence level. Unfortunately, many existing defense methods suffer from estimating the worm virulence level in a local or enterprise network. In this regard, we propose a maximum likelihood estimator to progressively estimate the size of susceptible host population in the local or enterprise network. From analysis and experimental evaluation, it is shown that the proposed estimator can report a reliable estimate of the size of susceptible population only after a few infections, sometimes only four, much faster than a similar method based on a Kalman filter. Also, based on maximum likelihood estimate, an appropriate containment threshold can be set to effectively stop the worm propagation while causing minimum service disruption to normal network users.