Toward early warning against Internet worms based on critical-sized networks

Bibliographic details
Published in: Security and communication networks 2013-01, Vol. 6 (1), p. 78-88
Main authors: Magkos, Emmanouil; Avlonitis, Markos; Kotzanikolaou, Panayiotis; Stefanidakis, Michalis
Format: Article
Language: eng
Description
Summary: ABSTRACT In this paper, we build on a recent worm propagation stochastic model, in which random effects during worm spreading were modeled by means of a stochastic differential equation. On the basis of this model, we introduce the notion of the critical size of a network, which is the least size of a network that needs to be monitored, in order to correctly project the behavior of a worm in substantially larger networks. We provide a method for the theoretical estimation of the critical size of a network with respect to a worm with specific characteristics. Our motivation is the requirement in real systems to balance the needs for accuracy (i.e., monitoring a network of a sufficient size in order to reduce false alarms) and performance (i.e., monitoring a small‐scale network to reduce complexity). In addition, we run simulation experiments in order to experimentally validate our arguments. Finally, based on the notion of critical‐sized networks, we propose a logical framework for a distributed early warning system against unknown and fast‐spreading worms. In the proposed framework, propagation parameters of an early detected worm are estimated in real time by studying a critical‐sized network. In this way, security is enhanced as estimations generated by a critical‐sized network may help large‐scale networks to respond faster to new worm threats. Copyright © 2012 John Wiley & Sons, Ltd.

In this paper, we introduce the notion of the critical size of a network, which is the minimum network size that needs to be monitored in order to correctly project the behavior of a fast‐spreading worm in substantially larger networks. We provide a method for the theoretical estimation of a critical‐sized network and validate it with simulation results. On the basis of the notion of critical‐sized networks, we propose a logical framework for a distributed early warning system against unknown and fast‐spreading worms.
ISSN: 1939-0114, 1939-0122
DOI: 10.1002/sec.534