Abstract
Self-replicating code is a huge problem worldwide, with worms like SQL/Slammer becoming pandemic within minutes of their initial release. Because of this, there has been significant interest in worm spread and how this spread is affected by various countermeasures. However, to date, comparative analysis of spread has been carried out “by eye”—there exist no meaningful metrics by which one can quantitatively compare the effectiveness of different protection paradigms. In this paper, we discuss several possible metrics for measuring worm spread and countermeasure effectiveness. We note that the “correct” metric for comparative purposes will vary depending on the goal of the defender, and provide several different measures which can be used to compare countermeasures. Finally, we discuss the idea of significance—that is, what changes induced by worm design or countermeasures are actually meaningful in the real world?
Cite this article
Ondi, A., Ford, R. How good is good enough? Metrics for worm/anti-worm evaluation. J Comput Virol 3, 93–101 (2007). https://doi.org/10.1007/s11416-007-0051-3
DOI: https://doi.org/10.1007/s11416-007-0051-3