Characterizing Internet Worm Infection Structure

Abstract

Internet worm infection continues to be one of the top security threats. Moreover, worm infection has been widely used by botnets to recruit new bots and construct P2P-based botnets. In this work, we attempt to characterize the network structure of Internet worm infection and shed light on the micro-level information of "who infects whom." Our work quantifies the infection ability of individual hosts and reveals the key characteristics of the underlying topologies formed by worm infection, i.e., the number of children and the generation of the Internet worm infection family tree. Specifically, we first analyze the infection tree of a wide class of worms, for which a new victim is compromised by each existing infected host with equal probability. We find that the number of children has asymptotically a geometric distribution with parameter 0.5. We also discover that the generation follows closely a Poisson distribution and the average path length of the worm infection family tree increases approximately logarithmically with the total number of infected hosts. Using the Code Red v2 worm as an example, we then apply simulations to verify the analytical results. Next, we empirically study the infection structure of localized-scanning worms and surprisingly find that most previous observations also apply to localized-scanning worms. Finally, we apply our findings to develop bot detection methods and study potential countermeasures by future botnets.
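The infection-tree model stated in the abstract can be checked numerically. The following is an added example, not code from the paper: it grows a family tree in which each new victim's infector is drawn uniformly from the hosts already infected, then compares the simulated number-of-children distribution with a geometric distribution of parameter 0.5. The function names, the host count and the use of the mean generation as the path-length measure are assumptions made for this illustration.

```python
import math
import random
from collections import Counter


def simulate_infection_tree(n_hosts, seed=1):
    """Grow an infection family tree for the worm class in the abstract:
    every already-infected host is equally likely to infect the next victim."""
    rng = random.Random(seed)
    children = [0] * n_hosts     # children[i]: hosts directly infected by host i
    generation = [0] * n_hosts   # generation[i]: hops from patient zero (host 0)
    for victim in range(1, n_hosts):
        infector = rng.randrange(victim)   # uniform over hosts 0..victim-1
        children[infector] += 1
        generation[victim] = generation[infector] + 1
    return children, generation


def children_distribution(children, max_k=5):
    """Fraction of hosts with exactly k children, for k = 0..max_k."""
    counts = Counter(children)
    return [counts.get(k, 0) / len(children) for k in range(max_k + 1)]


def mean_generation(generation):
    """Mean distance from patient zero (assumed path-length measure)."""
    return sum(generation) / len(generation)


if __name__ == "__main__":
    n = 20000  # constructed population size, not a figure from the paper
    children, generation = simulate_infection_tree(n)
    for k, frac in enumerate(children_distribution(children)):
        # Geometric with parameter 0.5 gives P(k children) = 0.5 ** (k + 1).
        print(f"children={k}: simulated {frac:.4f}  geometric {0.5 ** (k + 1):.4f}")
    print(f"mean generation {mean_generation(generation):.2f}, ln(n) {math.log(n):.2f}")
```

About half of the simulated hosts infect nobody, which is the property the abstract's bot-detection application builds on: a small set of early hosts accounts for most of the infection tree.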
