Internet Worm Attacks and Stochastic Agent Models

Jeremy Bradley

Imperial College London, 180 Queens Gate, London SW7 2BZ, UK


Recent malicious Internet worms such as Code Red (July 2001), Nimda (September 2001) and most recently MS Blaster (August 2003) have been very successful in shutting down large sections of the Internet. Nicol et al. [4] have shown that most of a worm's worst effects are experienced by the Internet routers that link the major backbone networks together, which are completely overwhelmed by the explosion in particular types of Internet traffic. Nicol et al. have taken the approach of modelling such a worm attack using simple epidemiological models, i.e. looking at the current number of computers that are infected, the number of computers susceptible to infection, and those that are removed from the system due to worm infection. These epidemiological models, once parameterised, are very good at producing average predictions of infection growth but quite poor when it comes to describing early-onset behaviour (especially possible early-extinction events). This project seeks to transfer and automate a technique, originally used to model ant and bee colony behaviour by Sumpter, to generate and verify macroscopic models of Internet worm infection. By building a stochastic agent model of the worm, we will be able either to justify and explain the use of global epidemiological models, or alternatively to suggest modifications to the model which would better describe the worm's infection behaviour. We also hope to shed light on crucial early-onset behaviour, which would aid enormously in being able to spot the early stages of worm infection, even if an infection attempt has failed (i.e. become extinct).
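The gap between average predictions and early-onset behaviour can be seen in a small simulation. The following is an added example, not code from the project described here: it runs a generic Markov-chain susceptible/infected/removed model (not Sumpter's technique) from a single infected host and compares it with the deterministic mean-field equations. The host count, the rates `beta` and `gamma`, the `minor` threshold and all function names are constructed for illustration.

```python
import random

def outbreak_size(n_hosts, beta, gamma, rng):
    """One stochastic run from a single infected host.
    Returns the number of hosts that were ever infected."""
    s, i, r = n_hosts - 1, 1, 0
    while i > 0:
        infect_rate = beta * s * i / n_hosts   # new infections per unit time
        remove_rate = gamma * i                # hosts removed per unit time
        # Jump chain of the continuous-time model: which event fires next?
        if rng.random() < infect_rate / (infect_rate + remove_rate):
            s, i = s - 1, i + 1
        else:
            i, r = i - 1, r + 1
    return r

def deterministic_final_size(n_hosts, beta, gamma, dt=0.01):
    """Euler integration of the mean-field epidemiological equations
    from the same starting point (one infected host)."""
    s, i, r = n_hosts - 1.0, 1.0, 0.0
    while i > 0.5:   # stop once less than half a host is still infected
        new_inf = beta * s * i / n_hosts * dt
        new_rem = gamma * i * dt
        s, i, r = s - new_inf, i + new_inf - new_rem, r + new_rem
    return r + i

def extinction_fraction(runs=1000, n_hosts=1000, beta=2.0, gamma=1.0,
                        minor=50, seed=1):
    """Fraction of stochastic runs that die out before reaching `minor`
    infected hosts (constructed threshold for an early-extinction event)."""
    rng = random.Random(seed)
    sizes = [outbreak_size(n_hosts, beta, gamma, rng) for _ in range(runs)]
    return sum(size < minor for size in sizes) / runs

if __name__ == "__main__":
    print("deterministic final size:", round(deterministic_final_size(1000, 2.0, 1.0)))
    print("fraction of runs extinct early:", extinction_fraction())
```

With these constructed rates the deterministic model always predicts that most of the population ends up infected, while roughly gamma/beta of the stochastic runs, about half, become extinct after only a few infections.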