Modeling Bandwidth Saturating Internet Worms

George Kesidis

Internet worms such as Slammer and Witty propagated extremely rapidly by scanning activity that saturated access links throughout the Internet. We will discuss how the large-scale spread of such worms was characterized from observed data and how it can be approximated by a generalization of the classical SIR (Kermack-McKendrick) models. Such models can then be used along with packet "crafters" to simulate worm scanning activity in order to evaluate worm defenses. We will conclude the talk with an overview of the activities of the NSF/DHS DETER/EMIST project on the testing of cyber security defenses.