A probability distribution function for investigating node infection and removal times

Abstract

AbstractConsidering the important issue of computer infections by worms spread via networks, the theme of source identification has been a prominent research field that aims at investigating infection propagation including acquiring knowledge about the infection and the node removal times when a worm infection happens. This information helps in identifying the patient zero in the worm attack and may be used by computer forensic investigators and network administrators to spot the culprits and to identify related network vulnerabilities. In this paper, we tackle this problem by developing new probabilistic models based on Bayesian networks. We learn a probability distribution to calculate, at every time step, the probability that each node is infected by a scanning worm, using historical data and features extracted from the network and application layers. With the mentioned probability distribution, the node infection status can be inferred using feature values at each time step. We propose a four‐step method to investigate the time of infection and removal of each node probabilistically. First, features are extracted and derived from network traffic data. There are no suitable training and test datasets publicly available for our tests; therefore, we developed the training and test datasets using simulations of the Code Red II worm. Second, a prior model is built using training data. Third, the probabilistic model is built by the estimation of distribution algorithm. Fourth, the infection probability of nodes is inferred given the probability distribution and feature values at each time step. It has already been shown that the number of infectious nodes can be probabilistically approximated backward in time through the stochastic Back‐to‐Origin Markov model. We combine our first model with the prior stochastic Back‐to‐Origin Markov model to develop our second model. To evaluate our first and second models, we conducted experiments that show that these models can pinpoint the source node and the infection time of nodes with acceptable accuracy. It should be noted that our method could be employed with other propagating worm types including ransomware worms.