Worm virulence estimation for the containment of local worm outbreak

Y. H. Choi, L. Li, P. Liu, G. Kesidis

Research output: Contribution to journalArticlepeer-review

7 Scopus citations


A worm-infected host scanning globally may not cause any new infection in its underlying local network before it is detected and quarantined by a worm detector. To defend this type of scanning hosts, a number of worm scanner detection methods such as failed scan detection, honeypot, and dark port detection are proposed. However, for a stealthier worm limiting its scan inside an enterprise network, the chance of a successful local outbreak increases substantively due to the more limited scan space. To protect a local or enterprise network against a local outbreak, we need a coordinated and cost-conscious defense that entails an accurate estimate of worm virulence level. Unfortunately, many existing defense methods suffer from estimating the worm virulence level in a local or enterprise network. In this regard, we propose a maximum likelihood estimator to progressively estimate the size of susceptible host population in the local or enterprise network. From analysis and experimental evaluation, it is shown that the proposed estimator can report a reliable estimate of the size of susceptible population only after a few infections, sometimes only four, much faster than a similar method based on a Kalman filter. Also, based on maximum likelihood estimate, an appropriate containment threshold can be set to effectively stop the worm propagation while causing minimum service disruption to normal network users.

Original languageEnglish (US)
Pages (from-to)104-123
Number of pages20
JournalComputers and Security
Issue number1
StatePublished - Feb 2010

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • Law


Dive into the research topics of 'Worm virulence estimation for the containment of local worm outbreak'. Together they form a unique fingerprint.

Cite this