Monitoring and Early Warning for Internet Worms
Cliff C. Zou, Lixin Gao, Weibo Gong, Don Towsley
Department of Computer Science, Univ. Massachusetts, Amherst
Technical Report: TR-CSE-03-01
After the Code Red incident in 2001 and the recent SQL worm in January 2003, it is clear that a
simple self-propagating worm can quickly spread across the Internet and infect most vulnerable computers
before people can take effective countermeasures. The fast spreading nature of these worms calls for
a worm monitoring and warning system. In this paper we propose an effective early warning system.
Based on epidemic models and observation data of a fast-spreading worm, we deploy a Kalman filter
to predict worm propagation in real-time. Furthermore, we can effectively correct the bias introduced
by the observed number of infected hosts. Our simulation results for the Code Red and SQL worm
show that with observation data from a small fraction of IP addresses, we can accurately predict the
worm infection rate when the worm infects about 5% of all vulnerable computers. The total number of
vulnerable computers can also be estimated quickly.
Since the Morris worm in 1988, the security threat posed by worms has steadily increased,
especially in the last several years. In 2001, the Code Red and Nimda worms infected hundreds of
thousands of computers, causing millions of dollars in losses to our society. These two worms
demonstrated how vulnerable our computer networks are when facing an actively propagating worm.
Furthermore, Staniford et al. presented some worm design techniques such that a new worm could
spread even faster. After a relatively quiet time, the SQL worm recently appeared on January 25th,
2003 and quickly spread throughout the Internet. Because its vulnerable population was much smaller
than that of Code Red and Nimda, and also because it was much easier to block the SQL worm's traffic
than to block Code Red and Nimda, the SQL worm was quickly contained after one day.
However, the SQL worm used UDP to send scans. Thus, while it was active, it sent out a huge number
of scan packets and formed a denial of service attack. Many networks across Asia, Europe and America
were shut down for several hours.
Currently, some organizations and security companies, such as CERT, CAIDA, and the SANS Institute,
are monitoring the Internet and paying close attention to any abnormal traffic. Nevertheless,
there is no nation-scale malware monitoring and defense center. Given the fast spreading nature of
Internet worms, it seems appropriate to set up a worm monitoring and early warning system. In addition,
by collecting more complete data on worm propagation via the monitoring system, we could estimate
and predict a worm's propagation trend and behavior at its early stage for automatic mitigation.
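The estimation idea sketched in the abstract, as an added example that is not part of the original report: a discrete-time simple epidemic model (the form assumed here is I_t = I_{t-1} + alpha * I_{t-1} * (1 - I_{t-1}/N)) is simulated with constructed parameters, a monitor sees only a fraction p of the address space, and a Kalman filter for the constant parameter vector [1+alpha, -alpha/(pN)] (recursive least squares) recovers the infection rate alpha and the vulnerable population N from the partial observations up to the point where 5% of the vulnerable hosts are infected. All parameter values, the monitored fraction and the function names are assumptions.

```python
"""Kalman-filter (recursive least-squares) estimate of a worm's infection
rate alpha and vulnerable population N from partial monitoring data.
Constructed example: the worm parameters below are not measurements."""
import numpy as np

def simulate_worm(n_vulnerable, alpha, i0, steps):
    """Assumed discrete-time simple epidemic model:
    I_t = I_{t-1} + alpha * I_{t-1} * (1 - I_{t-1}/N)."""
    infected = [float(i0)]
    for _ in range(steps):
        i = infected[-1]
        infected.append(i + alpha * i * (1.0 - i / n_vulnerable))
    return np.array(infected)

def rls_estimate(observed, p, p0=1e8):
    """Fit Z_t = (1+alpha) Z_{t-1} - alpha/(p N) Z_{t-1}^2, where Z is the
    count seen by a monitor covering fraction p of the address space.
    The filter state is the constant vector theta = [1+alpha, -alpha/(pN)].
    Returns (alpha_hat, n_hat) after processing every observation."""
    theta = np.zeros(2)
    cov = np.eye(2) * p0                     # large initial uncertainty
    for z_prev, z in zip(observed[:-1], observed[1:]):
        x = np.array([z_prev, z_prev ** 2])  # regressors from last count
        px = cov @ x
        gain = px / (1.0 + x @ px)           # Kalman gain
        theta = theta + gain * (z - x @ theta)   # correct by innovation
        cov = cov - np.outer(gain, px)       # covariance update
        cov = (cov + cov.T) / 2.0            # keep it symmetric
    alpha_hat = theta[0] - 1.0
    n_hat = -alpha_hat / theta[1] / p        # undo the monitored fraction p
    return alpha_hat, n_hat

def estimate_at_five_percent(n_vulnerable=360_000, alpha=0.02, i0=10, p=1/64):
    """Run the filter only on data collected until 5% of N is infected,
    the point at which the report says the rate can already be predicted."""
    infected = simulate_worm(n_vulnerable, alpha, i0, steps=2000)
    t5 = int(np.argmax(infected >= 0.05 * n_vulnerable))
    observed = p * infected[:t5 + 1]         # expected count at the monitor
    return rls_estimate(observed, p)

if __name__ == "__main__":
    a, n = estimate_at_five_percent()
    print(f"alpha_hat={a:.5f}  N_hat={n:.0f}")
```

With real monitor data the observations are noisy integer counts, so the estimate converges more slowly than on this noise-free trace; the assertions below only check that the filter recovers the constructed parameters.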