Modeling and analysis of a self-learning worm based on good point set scanning

Internet worms can self-propagate over the Internet, and have caused significant damages to the Internet infrastructure. To speed up the propagating process, the worms need to scan many Internet Protocol (IP) addresses to target vulnerable hosts. However, the distribution of IP addresses is highly non-Uniform, which results in many scans wasted on invulnerable addresses. Inspired by the theory of good point set, this paper proposes a new scanning strategy, referred to as good point set scanning (GPSS), for worms. Experimental results show that GPSS can generate more distinct IP addresses and less unused IP addresses than the permutation scanning. Combined with group distribution, a static optimal GPSS is derived. Since the information cannot be easily collected before a worm is released, a self-learning worm with GPSS is designed. Such worm can accurately estimate the underlying vulnerable-host distribution when a sufficient number of IP addresses of infected hosts are collected. We use a modified Analytical Active Worm Propagation (AAWP) to simulate data of Code Red and the performance of different scanning strategies. Experimental results show that once the distribution of vulnerable hosts is accurately estimated, a self-learning worm can propagate much faster than other worms. Finally, some possible countermeasures are given. Copyright (C) 2008 John Wiley & Sons, Ltd.