Darknet-Based Inference of Internet Worm Temporal Characteristics

摘要

Internet worm attacks pose a significant threat to network security and management. In this work, we coin the term Internet worm tomography as inferring the characteristics of Internet worms from the observations of Darknet or network telescopes that monitor a routable but unused IP address space. Under the framework of Internet worm tomography, we attempt to infer Internet worm temporal behaviors, i.e., the host infection time and the worm infection sequence, and thus pinpoint patient zero or initially infected hosts. Specifically, we apply statistical estimation techniques and propose method of moments, maximum likelihood, and linear regression estimators. We show analytically and empirically that our proposed estimators can better infer worm temporal characteristics than a naive estimator that has been used in the previous work. We also demonstrate that our estimators can be applied to worms using different scanning strategies such as random scanning and localized scanning.