• DocumentCode
    1808214
  • Title

    The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation

  • Author

    Zhang, Yu ; Bhargava, Bharat ; Hurni, Philipp

  • Author_Institution
    Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA
  • fYear
    2009
  • fDate
    27-30 Sept. 2009
  • Firstpage
    73
  • Lastpage
    82
  • Abstract
    Self-propagating malware spreads over the network quickly and automatically. Malware propagation should be modeled accurately for fast detection and defense. State-of-the-art malware propagation models fail to consider a number of issues. First, the malware can scan a host for multiple vulnerabilities on multiple ports. Second, the vulnerability scanning can be done by multiple threads concurrently. Third, the exploitation of vulnerabilities and the infection of vulnerable hosts cannot be done instantly. Fourth, the malware propagation can start from multiple places in the network rather than a single release point. Finally, the malware copies can collaborate with each other to cause much more damage. Little was done to understand the effects of multi-port scanning, multi-threading, infection time, multiple starting points, and collaboration (MMIMC) on malware propagation. This research quantitatively measures the effects of MMIMC on infected hosts. We employ the Fibonacci number sequence (FNS) to model the effects of infection time. We derive the shift property, which illustrates that different malware initializations can be represented by shifting their propagations on the time axis. We prove the linear property, which shows that the effects of multiple-attacker collaboration can be represented by linear combinations of individual attacks. Experimental results show that the above issues significantly affect malware propagation and verify our analysis.
  • Keywords
    Fibonacci sequences; invasive software; multi-threading; Fibonacci number sequence; infection time; linear property; malware propagation; multi-port scanning; multi-threading; multiple-attacker collaboration; self-propagating malware; shift property; Computer networks; Computer worms; Distributed computing; International collaboration; Operating systems; Payloads; Reconnaissance; USA Councils; Weapons; Yarn; Collaboration; Malware; Network Security; Propagation; Thread;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Reliable Distributed Systems, 2009. SRDS '09. 28th IEEE International Symposium on
  • Conference_Location
    Niagara Falls, NY
  • ISSN
    1060-9857
  • Print_ISBN
    978-0-7695-3826-6
  • Type

    conf

  • DOI
    10.1109/SRDS.2009.17
  • Filename
    5283444