The Probability Model of Peer-to-Peer Botnet
Propagation
Yini Wang, Sheng Wen, Wei Zhou, Wanlei Zhou, and Yang Xiang
Deakin University, Victoria 3125, Australia
{yiniwang,wsheng,weiz,wanlei.zhou,yang}@deakin.edu.au
Abstract. Active Peer-to-Peer worms are great threat to the network security
since they can propagate in automated ways and flood the Internet within a very
short duration. Modeling a propagation process can help us to devise effective
strategies against a worm’s spread. This paper presents a study on modeling a
worm’s propagation probability in a P2P overlay network and proposes an
optimized patch strategy for defenders. Firstly, we present a probability matrix
model to construct the propagation of P2P worms. Our model involves three
indispensible aspects for propagation: infected state, vulnerability distribution
and patch strategy. Based on a fully connected graph, our comprehensive model
is highly suited for real world cases like Code Red II. Finally, by inspecting the
propagation procedure, we propose four basic tactics for defense of P2P
botnets. The rationale is exposed by our simulated experiments and the results
show these tactics are of effective and have considerable worth in being applied
in real-world networks
Keywords: Botnet, Worms, Peer-to-Peer, Propagation probability.
1 Introduction
Nowadays, P2P botnets are widely believed to be one of the most serious dangers in
the Internet since it is not easy for them to be detected and taken down. Botnets have
evolved from the Slapper Worm in 2003 which was the first P2P worm, to the Storm
Worm [2] which is the most wide-spread P2P bot currently. Today, P2P worms are
becoming more complicated and sophisticated.
In order to take an effective countermeasure to prevent the propagation of P2P
worms to the greatest extent, we must understand the propagation mechanism. In
recent years, some papers [3-5] have discussed the spreading model and approaches
used by P2P worms. Fan and Xiang [3] used a logic matrix approach to model the
spreading of P2P worms. It presented two different topologies: a simple random graph
topology and a pseudo power law topology. The research studied their impacts on a
P2P worm’s attack performance and analyzed related quarantine strategies for these
two topologies. This paper adopts two constants of logic type (True or 1, False or 0)
as the value of matrix variables. This 0-1 matrix stands for the propagation ability of
nodes, that is whether they can allow the virus to spread or not. In the real word,
Y. Xiang et al. (Eds.): ICA3PP 2011, Part I, LNCS 7016, pp. 470–480, 2011.
© Springer-Verlag Berlin Heidelberg 2011
The Probability Model of Peer-to-Peer Botnet Propagation
471
however, according to the definition of Peer-to-Peer networks, two nodes in a P2P
network are absolutely connected even if the probability of the connection’s existence
is very small. Hence, a node always can propagate the virus to other node with a
certain probability in a P2P fashion. Taking Code Red II [6] as an example, the
probability of the virus propagating to the same class A IP address is 3/8; to the same
class A and B IP address is 1/2; and to the random IP address is 1/8. Therefore, the
model in [3] has great limitations and is not in accordance with real virus instances.
Furthermore, in the classical simple epidemic model [7-10], the authors considered
only two statuses of all hosts: susceptible and infectious. However, in the propagation
of P2P worms, the paramount objective is to find an optimized patch strategy to
minimize the scale of a P2P botnet.
Thus, we are motivated to model a probability prototype for P2P worm
propagation. It concerns three key factors: infected state, vulnerability distribution
and patch tactic. To the best of our knowledge, there are few papers refer to the
propagation probabilities of each node in the network. The goal of this research is to
find the most effective defense against P2P botnet. The major contributions of this
paper are as follows. 1) A probability matrix model is proposed to construct a
propagation model of P2P worms; 2) Three key factors common to all worms are
introduced to describe their propagation in this comprehensive model; 3) Based on the
concept of a fully connected graph, our model adopts real propagation probabilities
from Code Red II, which suits real world cases better; 4) The most significant
contribution is that we successfully summarize four basic tactics in response to a
worm outbreak, which are each very promising for the future defense of P2P botnets.
The rest of the paper is organized as follows. In Section 2, we survey related work.
In Section 3, we describe the proposed probability propagation model. Next, we
conduct an analysis and deduce the result for obtaining an optimized patch strategy in
Section 4. Section 5 performs an evaluation. Finally, the conclusion and future work
are present in Section 6.
2 Related Work
In the area of epidemiology, models [5-15] like deterministic epidemic models and
stochastic propagation models have been used to study the propagation process of
worms.
A. Deterministic Epidemic Model
The traditional deterministic epidemic models [7, 8] are Susceptible-Infectious (SI)
models, in the sense that all hosts can have only one of two states: susceptible or
infectious. These classical simple models are based on an assumption: an infected
host can infect any other susceptible nodes with an equal possibility. However, it is no
longer suitable for worm modeling since most worms propagate through the internet
and have different propagating probabilities.
Staniford et al. [9] presented a random constant spread model (RCS) for the CodeRed I v2 worm. It is essentially the above classical simple epidemic model allowing
for the infection rate to be constant, and without considering the patching cases. On
the basis of the simple epidemic model, Zou et al. [5] proposed a two-factor model
472
Y. Wang et al.
which improves the classical simple models. It introduced human countermeasures in
patching, the removal of hosts from both infectious and susceptible population, and
considered the infectious rate as a variable but not a constant. Additionally, models
from Z. Chen et al. [11] and Y. Wang et al. [12] took into account the time taken to
cause an infection from spreading the virus from one infected host to other hosts.
B. Stochastic Epidemic Model
The stochastic epidemic model is based on the theory of stochastic processes. K.R.
Rohloff et al. [13] presented a stochastic density-dependent Markov jump process
propagation model for RCS (Random constant Scanning) worms, drawn from the
field of epidemiology [14, 15]. Sellke et al. [16] built up a stochastic branching
process model to characterize the propagation of worms using a random scanning
approach. It developed an automatic worm containment tactic for preventing the
worm propagation beyond its early states.
Nevertheless, all existing models are based on a linear structure or a one-to-many
hierarchy. Thus, these modes are not applicable to topology-aware worms and cannot
describe the spreading of P2P worms.
3 Theoretical Propagation Model
In this section we present a probability propagation model used to estimate the
optimized patch strategy.
A. Topology Propagation Matrix (TPM)
The traditional representation of a P2P network employs a directed graph to model the
topology. We propose an alternate representation using an n by n square matrix P
with elements tij to indicate a P2P overlay network consisting of n peers. We consider
that two peers in a P2P network are connected even if the probability of the
connection’s existence is very small, thereby making node i and j immediate
neighbors. In this matrix, each element tij represents a propagation probability of
spreading worms from node i to node j under the condition of node i being infected.
We term such kind of matrix the topology propagation probability matrix (TPM) of
the P2P overlay network, as shown in (1).
⎡ t11
P = ⎢ ...
⎢
⎢⎣ ...
...
tij
...
... ⎤
... ⎥
⎥
t nn ⎥⎦ n × n
tij = p ( N j N i )
t ij = 0 ( i = j ),
n
∑t
j =1
ij
∈ [ 0 ,1]
(1)
Each row of the TPM represents a propagation probability from one infected peer to
other peers. Each column of the TPM represents a propagation probability from
infected peers to a target peer. We assume one peer cannot propagate the worm to
itself, so the probability of self-propagation is zero.
B. Propagation Probability
Considering the propagation process between two peers under the real condition,
worms could be spread from node i to node j via one or more intermediate nodes. We
assume that worm’s propagation from node i (Ni) to node j (Nj) via and only via k
The Probability Model of Peer-to-Peer Botnet Propagation
473
intermediate nodes in a network consisting of n peers, which is denoted by tij (k). It is
defined in (2). Ni bar represents the nodes excluding node Ni. It means we will not
consider the propagation cycles in the spreading path.
t ij( k ) = p ( N
(k )
j
Ni ∪ Ni
( k −1)
=
)
m = n ,m ≠ i
( k −1)
im
mj
m =1
∑t
t
k ∈ [1, n − 2 ] ,
i = 1,..., n ,
j = 1,..., n
(2)
Since Ni self-propagation via k nodes is meaningless in the real world, we let the
value of propagation probability be zero; namely tij(k) =0 when i=j. We introduce a
function γ to conduct the iterated procedure. It is defined in (3):
γ k ( P ) = P • P • ⋅ ⋅ ⋅ • Pγ 0 ( P ) = P,
γ 1(P) = γ (P) = P • P
(3)
k +1
Operation ● is the traditional matrix multiplication. Subsequently, the TPM can be
represented by the following equation when worm’s propagation is via and only via k
intermediate nodes, as in (4).
P
⎡t11 ( k )
⎢
= ⎢ ...
⎢ ...
⎣
(k )
...
(k )
t ij
...
... ⎤
⎥
... ⎥
= γ k (P)
(k ) ⎥
t nn ⎦
n× n
(4)
It is possible that there may be more than one path for worms to spread from one peer
to another peer. So we assume that worm’s propagation from node i (Ni) to node j (Nj)
is at most via k intermediate nodes and is denoted by tij (k)’. It is defined in (5):
t ij
( k )'
= t ij
( k −1 )'
+ t ij
(k )
= t ij(1) +
k
∑t
(m)
ij
k ∈ [1, n − 2 ] ,
i = 1,..., n ,
m=2
j = 1,..., n
(5)
C. Three Key Factors
In a P2P overlay network, there are three significant factors for a worm’s propagation:
infected state, vulnerability distribution and patch strategy. For the infected state, this
represents if the peer has been infected or not. Vulnerability distribution reflects the
situation of vulnerable peers in the topology. Patch strategy provides a cure approach
for infected peers. After being patched, infected peers cannot be infected again.
C.1 Infected State Probability Vector (S)
An initial infected state probability vector (S) can be defined as in (6). Here, one
represents an infectious peer that can propagate worms with a probability of one. Zero
means a peer is healthy without the ability to propagate the worms.
S = [s1, s 2 ,... s i ,... s n ] , s i = 0 or 1 ,
T
i = 1 .... n
(6)
We firstly assume every peer in the TPM is vulnerable. Therefore, in the propagation
process, each intermediate node can be infected and become infectious so that the
infected state in the TPM is variable. After the worm propagates via k nodes, an
update S can be defined as shown in (7):
[[
S ( k ) = S ( k −1)
]
T
]
T
• γ ( S ( k −1) & L P ( k −1) ) , s i ≥ 0 ( i = 1,..., n )
(7)
474
Y. Wang et al.
&L indicates a new logic AND operation of a column vector A and a matrix B, called
Left Logic AND. The result of A &L B is a new logic matrix of the same dimension as
B. Each element in the new matrix is the result of the product of the corresponding
elements ai and bij from each column of matrix B. It is defined in (8):
⎡ a1 ⎤ ⎡ b11
A & L B = ⎢⎢... ⎥⎥ ⎢ ...
⎢
⎢⎣ a n ⎥⎦ ⎣⎢ ...
...
bij
...
⎡ a1 ⋅ b11
= ⎢ ...
⎢
⎣⎢ a n ⋅ bn1
... ⎤
... ⎥
⎥
bnn ⎦⎥ n × n
a1 ⋅ b1n ⎤
... ⎥
⎥
a n ⋅ bnn ⎦⎥ n × n
...
ai ⋅ bij
...
(8)
In real-world worms it is observed that an infected peer can propagate worms and a
vulnerable peer can also be infected to become a new infectious node for future
propagation with a certain probability. Therefore, except for the initial state of S, each
element of any updated S is the probability denoted by a real value, which is not
simply zero or one. Consequently, the TPM can be represented by the following
equation when worm’s propagation is via and only via k intermediate nodes, as in (9).
Ps(k) represents the infected scale of the network under the infected state (S) after the
worm spread via k intermediate nodes.
Ps
(k )
= γ ( S ( k −1) & L Ps
( k −1)
)
(9)
C.2 Vulnerable Distribution Vector (V)
In real-world conditions, the vulnerability of a peer is an objective fact. Therefore, a
healthy peer without any vulnerability cannot become infectious in the worm’s
propagation process. On the basis of this fact, we need to consider the vulnerability
distribution in the TPM. A vulnerable distribution vector (V) is defined in (10). For an
element in V, the value of one represents that a peer is vulnerable. Zero means that the
peer is healthy without any vulnerability.
V = [v1, v 2 ,... v i ,... v n ] , v i = 0 or 1 ,
T
i = 1 .... n
(10)
After considering the vulnerability distribution vector, the TPM can be represented by
the following equation when the worm propagates via and only via k intermediate
nodes, as in (11). Psv(k) represents the infected scale of the network under the
vulnerable distribution (V) after the worm spread via k intermediate nodes.
Psv
(k )
= γ ( Ps
( k −1)
&R V T )
(11)
We define &R to indicate a new logic AND operation of a column vector A and a
matrix B, called Right Logic AND, which is different from Left Logic AND. The result
of A &R B is a new logic matrix of the same dimension as B. Each element in the new
matrix is the result of the product of the corresponding elements aj and bij from each
row of matrix B. It is defined in (12):
⎡ b11
B & R A = ⎢⎢ ...
⎣⎢ ...
...
bij
...
... ⎤
... ⎥⎥ [a1
bnn ⎦⎥ n × n
...
an ]
⎡
⎢ b11 ⋅ a1
= ⎢ ...
⎢
⎢ bn1 ⋅ a1
⎣
...
bij ⋅ a j
...
⎤
b1n ⋅ a n ⎥
... ⎥
⎥
bnn ⋅ a n ⎥
⎦ n×n
(12)
The Probability Model of Peer-to-Peer Botnet Propagation
475
C.3 Patch Strategy Vector (Q)
An infected peer can be cured to become a healthy node, which cannot spread worms
to other peers again. Therefore, we need to remove these nodes from the propagation
process in time. We define a patch vector Q in (13). For each element in Q, the value
of one represents that a peer has been patched and become to a healthy node. A value
of zero indicates that a peer is still vulnerable.
Q = [q1, q 2 ,... q i ,... q n ] , q i = 0 or 1 ,
T
i = 1 .... n
(13)
After considering the patch strategy vector, the TPM can be represented by the
following equation when the worm propagates via and only via k intermediate nodes,
as in (14). We define & to indicate a new logic AND operation between two elements.
The definition for & operation is shown in Table 1.
Psvq
(k )
= γ ( Psv
( k −1 )
& R (V T & Q T ))
(14)
Table 1. Truth table for new logic and operation
VT
1
0
1
0
QT
1
1
0
0
VT&QT
0
0
1
0
4 Propagation Ability and Quarantine Ability
In real world scenarios, attackers expect to control a significant proportion of the P2P
overlay network to enable the worm’s propagation. The topology’s propagation
ability (PA) is related to the number of peers that the worm can propagate to with high
probability. In consideration of more than one path for the propagating worm, we
adopt a modified P’svq to represent a sum of probabilities for the worm’s propagation
between two peers with at most k intermediate nodes. It is defined in (15):
P ' svq =
k −2
∑P
(i)
svq
i =1
(15)
In order to evaluate the PA of a topology, we assume an ability threshold δ to estimate
each peer’s PA. If an element t’ij of P’svq is greater than or equal to δ, then the value of
PA(t’ij) is equal to one, or else it is equal to zero. The number of times PA is equal to
one is defined as x in (16). Consequently, a large value of x indicates a strong PA of
the topology.
x=
n|
|n |
∑ ∑ t'
i =1 j =1
ij
(16)
476
Y. Wang et al.
Table 2. PA and QA in 90% vulnerability distribution (V=90%)
S1(10%)
S2(20%)
S3(10%)
S4(20%)
Q1(10%)
(12840,147160)
(25840,134160)
(12920,147080)
(26080,133920)
Q2(20%)
(11560,148440)
(22690,137040)
(11440,148560)
(23120,136880)
Q3(10%)
(12880,147120)
(25920,134080)
(12960,147040)
(26080,133920)
Q4(20%)
(11640,148360)
(22960,137040)
(11520,148480)
(22880,137120)
Table 3. PA and QA in 90% vulnerability distribution (V=70%)
S1(10%)
S2(20%)
S3(10%)
S4(20%)
Q1(10%)
(10080,149920)
(20080,139920)
(10120,149880)
(20140,139860)
Q2(20%)
(9010,150990)
(17520,142480)
(9170,150830)
(17680,142320)
Q3(10%)
(10160,149840)
(19680,140320)
(10160,149840)
(20240,139760)
Q4(20%)
(9040,150960)
(18640,141360)
(8800,151200)
(17760,142240)
On the contrary, defenders focus on the quarantine ability (QA) of a P2P overlay
network. The QA is related to the number of peers with low infected probability in the
topology. Likewise to the definition of the TPM, we define R to represent an infected
probability matrix, as in (17).
R(k )
⎡ r11( k )
⎢
= ⎢ ...
⎢ ...
⎣
n
...
rij
(k )
...
(k )
... ⎤
tik( k )
p ( N (j k ) N i( k ) ) p ( N i( k ) ) tij ∑
⎥
k =1
... ⎥ rij( k ) = p ( N i( k ) | N (j k ) ) =
=
n
p ( N (j k ) )
(k )
t kj( k )
rnn ⎥⎦
∑
k =1
k ∈ [1, n − 2] , i = 1,..., n,
(17)
j = 1,..., n
When considering more than one path for a single peer being infected, we adopt a
modified infected probability matrix R’ to represent the sum of infected probabilities.
It is defined in (18):
R' =
k −2
∑R
(i )
(18)
i =1
In order to evaluate the QA of a topology, we assume an ability threshold θ to
distinguish each peer’s QA. If an element rij of R’ is greater than or equal to θ, then the
value of QA(rij) is equal to one, or else it is equal to zero. The number of times QA is
equal to zero is defined as y in (19). Therefore, a large value of y indicates a strong
QA of a topology.
n
n
y = n 2 − ∑ ∑ r ij
(19)
i =1 j =1
For attackers, a reasonable distribution strategy for infectious peers results in a high
PA of a P2P network. Similarly, an effective patch strategy for defenders will lead to
a high QA of a P2P network. Therefore, the paramount objective of this paper is to
The Probability Model of Peer-to-Peer Botnet Propagation
477
discover patch strategies that can significantly suppress the propagation function of a
P2P botnet.
Table 4. PA and QA in different percentage of patching nodes (V=90%)
S1
(10%)
S2
(20%)
Q1(10%)
(12840,
147160)
(25840,
134160)
Q2(20%)
(11560,
148440)
(22690,
137040)
Q3(30%)
(7760,
152240)
(15680,
144320)
Q4(40%)
(6840,
153160)
(13680,
146320)
Q5(50%)
(5640,
154360)
(11520,
148480)
Q6(60%)
(4640,
155300)
(9040,
150960)
5 Simulation Experiments
Our implementation is in MATLAB. It assumes there are a total of 10,000 peers
(computers) belonging to a P2P overlay network under consideration. Therefore, the
TPM is represented by a 10,000 by 10,000 square matrix P and its initial state is
defined according to the propagation probability of Code Red II. We divide matrix P
into 10,000 partitioned matrixes AijBxy and each of them is a 100 by 100 square
matrix. Matrix P and AijBxy are shown as follows.
⎡
⎢ A11 B xy
P=⎢
...
⎢
⎢ A100 ,1 B xy
⎣
...
A ij B xy
...
⎤
A1,100 B xy ⎥
⎥
...
⎥
A100 ,100 B xy ⎥
⎦ 100 ×100
A ij B xy
⎡
⎢ A ij B 11
= ⎢ ...
⎢
⎢ A ij B 100 ,1
⎣
...
A ij
...
⎤
A ij B 1,100 ⎥
⎥
...
⎥
A ij B 100 ,100 ⎥
⎦ 100 ×100
We define p(AijBxy) to represent the propagation probability from one peer with A
class IP i and B class IP x to another peer with A class IP j and B class IP y. Thus, if
i=j and x=y, then p(AijBxy)=1/2; if i=j and x≠y, then p(AijBxy)=3/8; or else,
p(AijBxy)=1/8. We assume the P2P overlay network consists of n peers, and the
connection probability of two random nodes is 1/n. Therefore, according to the
Multiplication Rule, the TPM’s propagation probability is n-k·γk(P) when the worm’s
propagation is at most via k intermediate nodes.
In our simulation experiment, we analyze the impact of changing the matrix
dimensionality used in the experiments and find that a larger dimension will not
produce significantly different results. In order to show these results clearly, we
choose reasonable network sizes (5000 nodes) and examine them under different
scenarios. There are two scenarios for the vulnerability distribution: 90% and 70% of
the total peers respectively. We also arrange two scenarios for in infectious nodes
(10% and 20%), which follow a Uniform or Gaussian distribution. Additionally,
patched nodes are also grouped in 10% and 20%, which similarly follow a Uniform or
Gaussian distribution.
There are 5 iterations of the TPM. We show the results from these experiments in
Table 2, Table 3 and Table 4. Each item in the tables represents the pair of PA and QA
under a Sx and Qx (x [1, 4]).
∈
478
Y. Wang et al.
1) Infectious Node Rate VS. Patching Node Rate
Based on the results from Table 2 and Table 3, firstly we focus on S and Q under the
same distribution. The blocks include (S1, S2; Q1, Q2), (S1, S2; Q3, Q4), (S3, S4; Q1, Q2)
and (S3, S4; Q3, Q4). We find that the best strategy for both S and Q in each block are
in Sx 20% (x=2,4) and Qy 10% (y=1,3). Even though Q targets a large rate of patching,
this strategy is helpless to improve QA. This indicates that the attacking effect is more
sensitive to the percentage of infectious nodes than defending effect.
Differences of PA and QA
8000
Differences
Differences
Differences
Differences
6000
Differences
4000
of PA
of DA
of PA
of DA
(S=10%)
(S=10%)
(S=20%)
(S=20%)
2000
0
the most economic
patching rate
-2000
-4000
-6000
-8000
20%
30%
40%
50%
60%
Patching Rate
Fig. 1. Differences of PA and QA
2) Uniform Distribution VS. Gaussian Distribution
Based on the results from Table 2 and Table 3, secondly we focus on S and Q under
the same infectious nodes rate and patching nodes rate. The blocks include (S1, S3; Q1,
Q3), (S2, S4; Q2, Q4), (S1, S3; Q2, Q4) and (S2, S4; Q1, Q3). We find that all th strategies
are similar, which indicates that the distribution of nodes has less impact on PA and
QA.
3) Vulnerability Rate in the topology
Based on the results from Table 2 and Table 3, thirdly we focus on the impact on PA
and QA with an independent V. Each item in Table 2 outperforms the ones in Table 3,
which leads us to a conclusion that a greater number of vulnerable nodes in the
topology will benefit attackers (PAxy (V=90%) > PAxy (V=70%) & QAxy(V=90%) >
QAxy (V=70%), x,y [1, 4]).
∈
4) Patching Rate
Fourthly, based on the results from Table 4 we focus on the most economic patching
rate. As long as the patching rate increases, PA increases monotonously while QA
decreases gradually. However, the larger the patching rate, the greater the economic
impact will be in real world. We compare each pair of patching rates and identify
their differences in Fig.1. We clearly see that the most economic patching rate is 30%,
because any larger rate can only bring a limited increase to QA. We believe this
conclusion is valuable, particularly with respect to economical and industrial benefits.
The Probability Model of Peer-to-Peer Botnet Propagation
479
6 Conclusion and Future Work
This paper presents a probability model of Peer-to-Peer botnet propagation for finding
an optimized patch strategy so that defenders can prevent the bots spreading in a
reasonable and economic approach. Firstly, we present a probability matrix model to
construct the propagation model of P2P worms. This comprehensive model involves
three indispensible aspects for propagation. Based on a fully connected graph, our
model suits real world cases like Code Red II. The most significant contribution is
that we successfully summarize four basic strategies in response to a worm outbreak,
which are each very promising for the future defense of P2P botnet.
There are some limitations in our paper. Firstly, we did not use a real data set to
model the propagation procedure and provide a more accurate patching rate for
defense attackers effectively. Secondly, there are some other parameters that should
be involved such as the impact of the number of nodes in a topology. In the future, we
plan to model our propagation probability theory by using a real data set and provide
a more comprehensive proof for our patching strategy.
References
1. Arce, I., Levy, E.: An analysis of the slapper worm. IEEE Security & Privacy Magazine 1,
82–87 (2003)
2. Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurement and mitigation of
peer-to-peer-based botnets: a case study on storm worm. In: The 1st Usenix Workshop on
Large-Scale Exploits and Emergent Threats, San Francisco, USA, pp. 1–9 (April 2008)
3. Fan, X., Xiang, Y.: Modeling the propagation of Peer-to-Peer worms. Future Gener.
Comp. Sy. 26, 1433 (2010)
4. Yu, W.: Analyze the worm-based attack in large scale P2P networks. In: 8th IEEE
International Symposium on High Assurance Systems Engineering, pp. 308–309. IEEE
Press, Tampa (2004)
5. Zou, C.C., Gong, W., Towsley, D.: Code Red worm propagation modeling and analysis.
In: 9th ACM Conference on Computer and Communications Security, Washington, pp.
138–147 (2002)
6. CAIDA Analysis of Code-Red,
http://www.caida.org/research/security/code-red/
7. Bailey, N.T.: The Mathematical Theory of Infectious Diseases and its Applications. Hafner
Press, New York (1975)
8. Frauenthal, J.C.: Mathematical Modeling in Epidemiology. Springer, New York (1980)
9. Staniford, S., Paxson, V., Weaver, N.: How to own the internet in your spare time. In: The
11th USENIX Security Symposium, San Francisco, pp. 149–167. ACM, CA (2002)
10. Andersson, H., Britton, T.: Stochastic Epidemic Models and their Statistical Analysis.
Springer, New York (2000)
11. Chen, Z., Gao, L., Kwiat, K.: Modeling the spread of active worms. In: IEEE INFOCOM,
pp. 1890–1900 (2003)
12. Wang, Y., Wang, C.: Modeling the effects of timing parameters on virus propagation. In:
WORM 2003, Washington, DC, USA, pp. 61–66 (2003)
480
Y. Wang et al.
13. Rohloff, K., Basar, T.: Stochastic behavior of random constant scanning worms. In: The
14th ICCCN, San Diego, CA, USA, pp. 339–344 (2005)
14. Daley, D.J., Gani, J.: Epidemic Modelling: An Introduction. Cambridge University Press,
Cambridge (1999)
15. Andersson, H., Britton, T.: Stochastic Epidemic Models and their Statistical Analysis.
Springer, New York (2000)
16. Sellke, S., Shroff, N.B., Bagchi, S.: Modeling and automated containment of worms. In:
DSN 2005, pp. 528–537 (2005)