Monitoring and Early Warning for Internet Worms

Worms on the Internet are a serious concern today. The SQL Slammer worm caused a large-scale DoS on the Internet infrastructure itself. The damage caused by worms has been estimated in billions of dollars. Worms have the potential to shut down critical infrastructure like power, water, food distribution and so on. Thus, it is important to construct a framework to detect the spread of a worm early and deploy appropriate countermeasures quickly.

The authors use a simple epidemic model to characterize worm propagation. Propagation starts with a low rate of infection, increases to a fast-spread phase and then slows down when most vulnerable hosts have been infected. The authors try to detect the spread of the worm in the slow-start phase. Worm activity is defined as port scan attempts. The monitoring infrastructure proposed is a set of ingress and egress scan monitors spread all over the world, which collect data that is sent to a Malware Warning Center through aggregators to reduce bandwidth requirements. The data is collected for fixed intervals of time and is reported as the number of scans seen and the number of infected hosts seen. The monitoring infrastructure can only know about a subset of the actual number of infected hosts, so the authors propose a correction mechanism that estimates the actual number from the observed number. A Kalman filter is used to estimate the parameters of the worm propagation model, and if the average scan rate is known it can be used to arrive at a good estimate of the size of the vulnerable population. Their simulations show that their algorithm works well and that an infection can be detected when about 1-2% of the total vulnerable population is infected. There is, however, no comparison with other mechanisms.
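As an added example (not the paper's own code or data), the pipeline summarized above in miniature: a simple epidemic model drives a constructed worm, scan monitors covering a fraction p of the address space record the expected scan count per interval, those counts are corrected back to an infected-host estimate, a Kalman filter (here its recursive least squares special case with no process noise) estimates the model parameters, and the known average scan rate turns the growth parameter into a vulnerable-population estimate. The population size, scan rate and monitored block are constructed values, and noise-free expected counts are used so that the recovery can be checked exactly.

```python
"""Constructed example of the monitoring/estimation pipeline; not the paper's code."""
ADDR_SPACE = 2.0 ** 32          # IPv4 address space, scanned uniformly at random
N_VULN = 100_000                # constructed: vulnerable hosts (unknown to the defender)
SCAN_RATE = 50.0                # constructed: average scans per second per infected host
INTERVAL = 60.0                 # monitoring interval in seconds
MONITORED = 2.0 ** 20           # constructed: monitors cover a /12 worth of addresses
P_MON = MONITORED / ADDR_SPACE  # fraction of all scans that land on the monitors

def simulate_scans(steps, i0=10):
    """Simple epidemic model I[t+1] = I[t] + beta*I[t]*(N - I[t]) and the
    expected number of scans the monitors see in each interval (Z = eta*dt*p*I)."""
    beta = SCAN_RATE * INTERVAL / ADDR_SPACE   # pairwise infection rate per interval
    infected = [float(i0)]
    for _ in range(steps):
        i = infected[-1]
        infected.append(i + beta * i * (N_VULN - i))
    observed_scans = [SCAN_RATE * INTERVAL * P_MON * i for i in infected]
    return infected, observed_scans

def correct_infected(observed_scans, scan_rate=SCAN_RATE):
    """Correction: monitors only see scans into their block, so I = Z / (eta*dt*p)."""
    return [z / (scan_rate * INTERVAL * P_MON) for z in observed_scans]

def kalman_fit(est_infected, meas_var=1.0):
    """Estimate x = [1+alpha, -beta] in I[t+1] = (1+alpha)*I[t] - beta*I[t]^2 with a
    Kalman measurement update per interval (weak prior, no process noise)."""
    x = [0.0, 0.0]
    P = [[1e6, 0.0], [0.0, 1e6]]
    for i_now, i_next in zip(est_infected, est_infected[1:]):
        h = (i_now, i_now ** 2)                                    # observation row
        ph = [P[0][0] * h[0] + P[0][1] * h[1], P[1][0] * h[0] + P[1][1] * h[1]]
        s = h[0] * ph[0] + h[1] * ph[1] + meas_var                 # innovation variance
        k = [ph[0] / s, ph[1] / s]                                 # Kalman gain
        innov = i_next - (h[0] * x[0] + h[1] * x[1])
        x = [x[0] + k[0] * innov, x[1] + k[1] * innov]
        P = [[P[r][c] - k[r] * ph[c] for c in range(2)] for r in range(2)]  # (I - k h) P
    return x[0] - 1.0, -x[1]                                       # (alpha, beta)

def estimate_population(alpha, scan_rate=SCAN_RATE):
    """With the average scan rate known, beta = eta*dt/2^32 and N = alpha/beta."""
    return alpha * ADDR_SPACE / (scan_rate * INTERVAL)

if __name__ == "__main__":
    actual, scans = simulate_scans(75)        # 75 minutes: still in the slow-start phase
    alpha, beta = kalman_fit(correct_infected(scans))
    print(f"infected fraction at end of run: {actual[-1] / N_VULN:.2%}")
    print(f"alpha={alpha:.5f}  N from scan rate={estimate_population(alpha):,.0f}")
```

Running it shows the worm still below 2% of the vulnerable population after 75 intervals while the filter has already recovered alpha and, via the scan rate, the population size.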
Pros:
1) Propose a complete detection framework - infrastructure and algorithms
2) Apply a correction factor to get the accurate number of infected hosts from the observed number of infected hosts
3) If the average scan rate is known, a good estimate of the size of the vulnerable population can be arrived at.
4) The evaluation was neat. They had access to real worm propagation data as well as background noise at a site on the Internet during the same period.

Cons:
1) A non-uniform scanning worm affects the working of the algorithm
2) Bandwidth and latency issues arise if the monitoring interval is small
See more in discussions below...

Discussions:
* Ok.. so we detect the spread of a worm.. what then? :-)
* Can this be adapted to detect viral infections?
* Is the simple epidemic model good enough to detect all worms? What better models can be used?
* Coming up with a good monitoring interval is difficult. Network bandwidth/latency is an issue for small intervals.
* Distributed algorithms can be a solution to the small monitoring interval issue.
* Once the proposed infrastructure is set up, how easy is it to write a worm that will escape detection?

Vote:
Strong Accept: 4
Accept: 6
Reject: 2
Strong Reject: 0