Abstract

Predicting the propagation path of a network worm is highly beneficial for taking appropriate countermeasures in advance. Traditional worm propagation models mainly deal with the total number of infected hosts over a period of time, which cannot indicate a worm's track. We study worms that use random scanning, as this is the basic type from which all the others are derived. The novel model proposed in this paper locates the subnets that are going to be infected at a given time, based on the infection measurement of the subnet. The time and frequency at which victims in the subnet increase are calculated from common characteristics of worm diffusion and the relationship between malicious traffic and bandwidth usage. Taking these two factors as input, fuzzy reasoning is used to deduce the real-time infection situation of each subnet. The larger the value of the infection situation, the more likely the corresponding subnet is to be attacked within a short time. Simulation results show that the model estimates the worm's track dynamically with acceptable accuracy. Furthermore, the interval between increases in victims in a subnet is much longer for worms with slower spread speed, which provides sufficient time to carry out a pertinent response.
