A closed-form expression for static worm-scanning strategies

This work presents a closed-form expression for characterizing the spread of static worm-scanning strategies through a mean-field approximation. Our model can both accurately capture the worm propagation speed before the number of infections becomes large and explicitly demonstrate the effects of important parameters such as the vulnerable-host distribution and the worm-scanning strategy. Our approach is based on the mean-field theory that investigates the average number of infected hosts over time. Experiments are carried out based on the parameters chosen from the Witty worm. Experimental results verify that the closed-form expression can accurately reflect the mean value of infections over time before the infected hosts become saturated for a wide range of scanning methods. Therefore, our model can help defenders design better detection and defense systems and provide a stepping stone towards obtaining closed-form expressions for the propagation of dynamic worm-scanning strategies.