Abstract

The cost of a single zero-day network worm outbreak on the global Internet has been estimated at US$2.6 billion. In addition, zero-day network worm outbreaks have been observed that spread at a significant pace across the Internet, with an observed infection proportion of more than 90% of vulnerable hosts within 10 minutes. The threat posed by such fast-spreading malware to defence systems and national security is therefore significant, particularly because network operator/administrator intervention is not likely to take effect within the typical epidemiological timescale of such infections. Simulation systems are an accepted technology for researching the security threat presented by zero-day worms; however, only a subset of these focus on the Internet, and issues persist regarding how representative they are of the Internet. The design of a novel simulator developed to address these issues, the Internet Worm Simulator (IWS), is presented along with experimental results for a selection of previous worm outbreaks, compared against observed, empirical data, and for hypothetical outbreak scenarios. Based on a finite state machine for each network host, the IWS incorporates the dynamic, heterogeneous characteristics of the Internet and, on a single workstation, is able to simulate an IPv4-sized network. Based on the analysis presented, the authors conclude that the IWS has the capability to simulate zero-day worm epidemiology on the dynamic, heterogeneous Internet for a variety of scenarios. These include simulating previous worm outbreaks that demonstrate random-scanning and hit-list behaviour, as well as hypothetical scenarios that include a large susceptible population and stealth-like behaviour.
