A Stochastic Model for the Size of Worm Origin


A Stochastic Model for the Size of Worm Origin is a scholarly work, published in 2016 in Journal of Computers. The main subjects of the publication include computer science, complex network, intrusion detection system, and information security.

Computer worms have infected millions of computers since the 1980s. For an incident handler or a forensic investigator, it is important to know whether a worm attack on the network was initiated from multiple different sources or from just one node. In this paper, the authors study the problem of predicting the number of infectious nodes at each step of worm propagation when a homogeneous random scanning worm spreads. Knowledge of the number of infectious nodes might help in reconstructing the worm attack scene and in identifying the origins of worm propagation. In their approach, the authors assume the Susceptible-Infectious-Removed (SIR) model for worm propagation and propose two complementary models, i.e. a deterministic Back-to-Origin model and a stochastic Back-to-Origin Markov model, to investigate this problem. In the Back-to-Origin models, the authors run time backwards. They assume prior knowledge of the worm infection propagation parameters of the SIR model. They also assume a snapshot in which the number of susceptible, infectious and removed nodes is known. The deterministic Back-to-Origin model is a new SIR model in which the authors define a susceptibility rate parameter. The stochastic Back-to-Origin Markov model is constructed based on the Continuous-Time Markov Chain. The number of infectious nodes at each time of worm propagation is predicted with the stochastic Markov model. Simulations are applied to study the accuracy of the models. In numerical experiments on the stochastic Back-to-Origin Markov model, the authors investigate the probabilistic number of infectious nodes. Compared to other approaches, the method of this paper requires little information and few assumptions, while it gives useful results.

Related Works