Worm origin identification and propagation path reconstruction are essential problems in digital forensics. However, only a small number of studies have specifically investigated these problems so far. In this paper, we extend a distributed trace-back algorithm, called Origins, which is only able to identify the origins of fast-spreading worms. We modify this algorithm so that, in addition to identifying the worm origins, it can also reconstruct the propagation path. We also evaluate our extended algorithm. The results show that our algorithm can reconstruct the propagation path of worms with high recall and precision, on average around 0.96. The algorithm also identifies the origins correctly in all of our experiments.