Reconstruction of Worm Propagation Path Using a Trace-back Approach

TL;DR

This paper enhances a distributed trace-back algorithm to not only identify worm origins but also accurately reconstruct their propagation paths, achieving high precision and recall in digital forensics.

Contribution

The paper introduces modifications to the Origins algorithm to enable propagation path reconstruction, extending its capabilities beyond origin identification.

Findings

High recall and precision (~0.96) in path reconstruction

Accurate identification of worm origins in all experiments

Effective extension of existing trace-back methods

Abstract

Worm origin identification and propagation path reconstruction are essential problems in digital forensics. However, a small number of studies have specifically investigated these problems so far. In this paper, we extend a distributed trace-back algorithm, called Origins, which is only able to identify the origins of fast-spreading worms. We make some modifications to this algorithm so that in addition to identifying the worm origins, it can also reconstruct the propagation path. We also evaluate our extended algorithm. The results show that our algorithm can reconstruct the propagation path of worms with high recall and precision, on average around 0.96. Also, the algorithm identifies the origins correctly in all of our experiments.