TY - JOUR
T1 - Worm virulence estimation for the containment of local worm outbreak
AU - Choi, Y. H.
AU - Li, L.
AU - Liu, P.
AU - Kesidis, G.
N1 - Funding Information:
This work was supported by NSF CNS-0716479, AFOSR MURI: Autonomic Recovery of Enterprise-wide Systems after attack or failure with forward correction, AFRL award FA8750-08-C-0137, ARO MURI: Computer-aided Human Centric Cyber Situation Awareness, and NSF CNS-0905131.
PY - 2010/2
Y1 - 2010/2
N2 - A worm-infected host that scans globally may not cause any new infection in its underlying local network before it is detected and quarantined by a worm detector. To defend against this type of scanning host, a number of worm scanner detection methods, such as failed scan detection, honeypots, and dark port detection, have been proposed. However, for a stealthier worm that limits its scanning to the inside of an enterprise network, the chance of a successful local outbreak increases substantially because the scan space is much smaller. To protect a local or enterprise network against a local outbreak, we need a coordinated and cost-conscious defense, which in turn requires an accurate estimate of the worm's virulence level. Unfortunately, many existing defense methods have difficulty estimating the worm virulence level in a local or enterprise network. In this regard, we propose a maximum likelihood estimator that progressively estimates the size of the susceptible host population in the local or enterprise network. Analysis and experimental evaluation show that the proposed estimator can report a reliable estimate of the size of the susceptible population after only a few infections, sometimes only four, much faster than a similar method based on a Kalman filter. Also, based on the maximum likelihood estimate, an appropriate containment threshold can be set to effectively stop the worm propagation while causing minimum service disruption to normal network users.
UR - http://www.scopus.com/inward/record.url?scp=71649112409&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=71649112409&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2009.07.002
DO - 10.1016/j.cose.2009.07.002
M3 - Article
AN - SCOPUS:71649112409
SN - 0167-4048
VL - 29
SP - 104
EP - 123
JO - Computers and Security
JF - Computers and Security
IS - 1
ER -