Deterministic and Stochastic Models for the Detection of Random Constant Scanning Worms

摘要

This article discusses modeling and detection properties associated with the stochastic behavior of Random Constant Scanning (RCS) worms. Although these worms propagate by randomly scanning network addresses to find hosts that are susceptible to infection, traditional RCS worm models are fundamentally deterministic. A density-dependent Markov jump process model for RCS worms is presented and analyzed herein. Conditions are shown for when some stochastic properties of RCS worm propagation can be ignored and when deterministic RCS worm models can be used. A computationally simple hybrid deterministic/stochastic point-process model for locally observed scanning behavior due to the global propagation of an RCS scanning worm epidemic is presented. An optimal hypothesis-testing approach is presented to detect epidemics of these under idealized conditions based on the cumulative sums of log-likelihood ratios using the hybrid RCS worm model. This article presents in a mathematically rigorous fashion why detection techniques that are only based on passively monitoring local IP addresses cannot quickly detect the global propagation of an RCS worm epidemic with a low false alarm rate, even under idealized conditions.