Threshold Smart Walk for the Containment of Local Worm Outbreak

A worm-infected host scanning globally may not cause any new infection in its underlying local network before it is detected and quarantined by a worm detector using methods such as failed scan detection. But for a stealthier worm limiting its scan inside an enterprise network, the chance of a successful local outbreak increases substantively due to the more limited scan space. Though a number of worm scanner detection methods exist including failed scan detection, honeypot, and dark port detection, a coordinated and cost-conscious defense against a local outbreak entails an accurate estimate of worm virulence level. In this regard, we develop a maximum likelihood estimation algorithm to progressively estimate the size of susceptible host population in the network so an appropriate containment threshold can be set to effectively stop the worm propagation while causing minimum service disruption to normal network users.