Abstract
Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due
to their enormous adverse impact on the Internet. There is a great interest in the research community in modeling the
spread of worms and in providing adequate defense mechanisms against them.
In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet
worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of
worms beyond its early stages. Specifically, using the branching process model, we are able to (1) provide a precise
condition that determines whether the worm will eventually die out and (2) provdide the probability that the total
number of hosts that the worm infects will be below a certain level. We use these insights to develop a simple automatic
worm containment scheme, which is demonstrated, through simulations and real trace data, to be both effective and
non-intrusive.
Keywords
Internet scanning worms, stochastic worm modeling, branching process model, early phase propagation, automatic worm containmentt.