查看文章

A worm-infected host scanning globally may not cause any new infection in its underlying local network before it is detected and quarantined by a worm detector. To defend this type of scanning hosts, a number of worm scanner detection methods such as failed scan detection, honeypot, and dark port detection are proposed. However, for a stealthier worm limiting its scan inside an enterprise network, the chance of a successful local outbreak increases substantively due to the more limited scan space. To protect a local or enterprise network against a local outbreak, we need a coordinated and cost-conscious defense that entails an accurate estimate of worm virulence level. Unfortunately, many existing defense methods suffer from estimating the worm virulence level in a local or enterprise network. In this regard, we propose a maximum likelihood estimator to progressively estimate the size of susceptible host …