Propagation of active worms: A survey

This paper serves worm defenders’ objective to improve their immunity to future active worms by giving them a deep insight into propagation characteristics of active worms from a worm authors’ perspective. Active worms self-propagate across networks by employing scanning, pre-generated target list, or internally generated target lists as their target discovery technique. We find target acquisition and network reconnaissance actions during the network propagation phase in a worm’s life cycle basically embody its target discovery technique. We derive the significance of target discovery techniques in shaping a worm’s propagation characteristics from the life cycles of worms. A variety of target discovery techniques employed by active worms are discussed and compared. We find hitting probability (the probability of hitting a vulnerable or infected host) is the most frequently improved factor by attackers to increase a worm’s propagation speed. We anticipate future active worms would employ a combination of target discovery techniques to greatly accelerate their propagation. Various deterministic and stochastic models of active worms are presented and compared. Their accuracy of and applicability to modelling the propagation of active worms under different conditions are discussed. A discussion of opportunities, challenges and solutions from a worm defenders’ perspective is presented in this survey paper. We also propose a new defence system called Distributed Active Defence System (DADS) to effectively defend against worms. This new system follows an active surveillance-trace-control cycle, which could be the emerging solution to the active worm problem.