Worm origin identification and propagation path reconstruction are important topics in information security and digital forensics. This information helps forensic investigators to identify initial suspects and to investigate the suspicious computers further. Network and system administrators also use it to identify security weaknesses in their systems and networks. The goal of this paper is to identify the origins of a preferential scanning worm and to reconstruct its propagation path back in time. The main idea is to use back-to-origin modeling with step-by-step refinement to identify the origins and reconstruct the propagation path after the worm outbreak, using information gathered over the network. We construct a probabilistic model that takes features observed over the network as input and estimates the infection status of nodes. We also develop an algorithm that uses the learned model to identify the origins and reconstruct the propagation path back in time. To achieve this, we use a 4-step method. The proposed method has acceptable accuracy.