Importance-scanning worm using vulnerable-host distribution

Most Internet worms use random scanning. The distribution of vulnerable hosts on the Internet, however, is highly non-uniform over the IP-address space. This implies that random scanning wastes many scans on invulnerable addresses, and more virulent scanning schemes may take advantage of the non-uniformity of a vulnerable-host distribution. Questions then arise how attackers may make use of such information, and how virulent the resulting worm may be. These issues provide "worst-case scenarios" for defenders and "best-case scenarios" for attackers if the vulnerable-host distribution is available. This work develops such a scenario as the so-called importance scanning. Importance scanning results from importance sampling in statistics that scans IP-address space according to an empirical distribution of vulnerable hosts. An analytical model is developed to relate the infection rate of worms with the importance-scanning strategies. Experimental results based on parameters chosen from code red and slammer worms show that an importance-scanning worm can spread much faster than both a random-scanning worm and a routing worm. Furthermore, a game-theory approach suggests that the best strategy for defenders is to scatter applications uniformly in the entire IP-address space.