J Comput Virol (2009) 5:357–364
DOI 10.1007/s11416-008-0099-8
EICAR 2008 EXTENDED VERSION
Treating scalability and modelling human countermeasures against local
preference worms via gradient models
Markos Avlonitis · Emmanouil Magkos ·
Michalis Stefanidakis · Vassilis Chrissikopoulos
Received: 20 January 2008 / Revised: 1 July 2008 / Accepted: 8 July 2008 / Published online: 23 July 2008
© Springer-Verlag France 2008
Abstract
A network worm is a specific type of malicious software that
self-propagates by exploiting application vulnerabilities in
network-connected systems. Worm propagation models are mathematical
models that attempt to capture the propagation dynamics of scanning
worms as a means to understand their behaviour. It turns out that the
scalability that emerges in worm propagation plays an important role
in describing the propagation in a realistic way. On the other hand,
human-based countermeasures also drastically affect the propagation in
time and space. This work elaborates on a recent propagation model
(Avlonitis et al. in J Comput Virol 3, 87–92, 2007) that makes use of
Partial Differential Equations in order to treat scalability and
non-uniform behaviour (e.g., local preference worms) correctly. The
aforementioned gradient model is extended in order to take into
account human-based countermeasures that influence the propagation of
local-preference worms in the Internet. Certain aspects of the
scalability that emerges in random and local preference strategies are
also discussed by means of random field considerations. As a result,
the size of a critical network that needs to be studied in order to
describe the global propagation of a scanning worm is estimated.
Finally, we present simulation results that validate the proposed
analytical results and demonstrate the higher propagation rate of
local preference worms compared with random scanning worms.
M. Avlonitis · E. Magkos (✉) · M. Stefanidakis · V. Chrissikopoulos
Department of Informatics, Ionian University,
Plateia Tsirigoti 7, 49100 Kerkyra, Greece
e-mail: emagos@ionio.gr
M. Avlonitis
e-mail: avlon@ionio.gr
M. Stefanidakis
e-mail: mistral@ionio.gr
V. Chrissikopoulos
e-mail: vchris@ionio.gr
1 Introduction
A network worm is a specific type of malicious software that
self-propagates by exploiting application vulnerabilities in
network-connected systems. During recent years, several worms have
caused significant damage in corporate and Internet core networks
[2–6]. While early worms followed rather random spread patterns and
aimed mostly at Denial of Service attacks, future worms are expected
to adopt advanced scanning strategies and even bear a catastrophic
payload [7–10]. A fast spreading worm armed with a priori information
about the distribution of vulnerable nodes in the underlying
infrastructure [10] may also perform targeted attacks and bring down
the majority of the target networks within a short time interval.
Securing networks against worm attacks is particularly important for
critical infrastructure applications, such as banking and financial
applications, emergency deployment services and military applications.
Among the various strategies that worms can follow for scanning
vulnerable hosts [7, 11], two strategies have been primarily
considered: a) random scanning worms (e.g., Code Red I [3], Slammer
[4]) uniformly scan the 32-bit IP address space to find and infect
vulnerable targets; b) local preference worms (e.g., Blaster [5], Code
Red II [3], Nimda [2]) preferably infect “neighbouring” hosts (e.g.,
within a specific /8, /16 or /24 address block) within a network. It
has been shown that local preference worms spread faster, compared to
random scanning worms, when the vulnerable hosts in the Internet are
unevenly distributed, which is a realistic assumption [10]. Such
network-aware worms tend to infect clusters of nodes, often with
similar application vulnerabilities, before moving to other networks.
It is also expected that in the future, when IPv6 is a reality, local
preference may be an optimal scanning strategy for worms, given the
infeasibility of randomly scanning the entire 128-bit address space
[12].
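The comparison between the two scanning strategies above can be reproduced with a small discrete-time mean-field model, which shows how little time containment has once vulnerable hosts are clustered. This is an added example, not code from the paper and not its gradient (PDE) model; the toy 16-bit address space, block size, host counts, scan rate and local-preference probability of 0.75 are assumptions chosen for illustration.

```python
# Added example: discrete-time mean-field model (not the paper's gradient PDE).
# Every parameter value below is constructed for illustration.

def steps_to_fraction(vuln_per_block, block_size, p_local, scans=4,
                      target=0.5, max_steps=10_000):
    """Steps until `target` of all vulnerable hosts are infected.

    vuln_per_block[i] is the number of vulnerable hosts in address block i
    (block 0 holds the single initial infection). Each infected host makes
    `scans` probes per step: with probability p_local inside its own block,
    otherwise uniformly over the whole address space. p_local = 0 is pure
    random scanning.
    """
    omega = block_size * len(vuln_per_block)   # total address space
    total = sum(vuln_per_block)
    infected = [0.0] * len(vuln_per_block)
    infected[0] = 1.0
    miss_local = 1.0 - 1.0 / block_size        # one local probe misses a given host
    miss_global = 1.0 - 1.0 / omega            # one global probe misses a given host
    for step in range(1, max_steps + 1):
        all_inf = sum(infected)
        global_probes = (1.0 - p_local) * scans * all_inf
        nxt = []
        for n_i, i_i in zip(vuln_per_block, infected):
            local_probes = p_local * scans * i_i
            not_hit = miss_local ** local_probes * miss_global ** global_probes
            nxt.append(i_i + (n_i - i_i) * (1.0 - not_hit))
        infected = nxt
        if sum(infected) >= target * total:
            return step
    return None


BLOCKS, BLOCK_SIZE = 256, 256                  # toy 16-bit space of /24-like blocks
clustered = [200] * 8 + [0] * (BLOCKS - 8)     # 1600 hosts packed into 8 blocks
uniform = [1600 / BLOCKS] * BLOCKS             # same 1600 hosts spread evenly

def compare(p_local=0.75):
    """Steps to 50% infection for each distribution and scanning strategy."""
    return {
        "clustered_random": steps_to_fraction(clustered, BLOCK_SIZE, 0.0),
        "clustered_local": steps_to_fraction(clustered, BLOCK_SIZE, p_local),
        "uniform_random": steps_to_fraction(uniform, BLOCK_SIZE, 0.0),
        "uniform_local": steps_to_fraction(uniform, BLOCK_SIZE, p_local),
    }

if __name__ == "__main__":
    for name, steps in compare().items():
        print(f"{name:17s} reaches 50% infected after {steps} steps")
```

With clustered hosts the local-preference run reaches 50% infection in far fewer steps than random scanning, while with evenly spread hosts local preference gives no advantage, which matches the condition stated in the text.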