DocumentCode :
2767940
Title :
Threat Analysis of Incubation Period in Malware Epidemics
Author :
Kim, Seong-Woo ; Park, Jong-Ho ; Lee, Eun-Dong ; Choi, Mid-Eum ; Seo, Seung-Woo
Author_Institution :
Dept. of Electr. Eng. & Comput. Sci., Seoul Nat. Univ., Seoul, South Korea
fYear :
2010
fDate :
16-19 May 2010
Firstpage :
1
Lastpage :
5
Abstract :
Epidemic malicious codes including Internet worms and botnets have continuously evolved to be more intelligent and complicated. In particular, the recent distributed denial-of-service (DDoS) attack that occurred in the United States and South Korea in July 2009 gives an opportunity to reconsider the epidemic malicious code. Since automatic patching systems and intelligent intrusion detection and prevention systems mitigate rapid infection, fast infections such as Slammer-like worms cannot successfully spread. As of the July 2009 DDoS attack, malicious codes prefer hiding their malicious activities and trying to infect others silently until D-day. Since slow infection is difficult to detect by the current IDS or IPS, this infection strategy is likely to become prevalent. In a slow infection, the incubation period is a key factor in determining the extent to which an epidemic malicious code spreads. This study provides an analysis framework to understand the impact of the incubation period on the spread of epidemic malicious code. Intuitively, a longer latent period increases the number of infected hosts, but the detection probability also increases. This trade-off suggests an optimal incubation period determination problem to maximize the number of infected hosts. Solving this problem is essential to predicting the explicit or implicit intention of attackers and to counteracting the attack in a strategic manner. Through analysis and simulations, we provide data and insight regarding epidemic malicious code that exploits an incubation period.
Keywords :
data analysis; invasive software; statistical analysis; Internet worms; Slammer-like worms; automatic patching systems; botnets; detection probability; distributed denial-of-service attack; epidemic malicious codes; incubation period determination problem; intelligent intrusion detection; malware; threat analysis; Analytical models; Buffer overflow; Computer crime; Computer worms; Distributed computing; Government; Intelligent systems; Internet; Intrusion detection; National security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Vehicular Technology Conference (VTC 2010-Spring), 2010 IEEE 71st
Conference_Location :
Taipei
ISSN :
1550-2252
Print_ISBN :
978-1-4244-2518-1
Electronic_ISBN :
1550-2252
Type :
conf
DOI :
10.1109/VETECS.2010.5493659
Filename :
5493659