Document Type


Publication Date



A worm is a malicious agent that propagates across networks of devices creating negative impacts on the devices it is able to reach and infect. Currently, there is very limited information in cybersecurity research regarding worm behavior across real networks of devices, particularly in large scale networks (e.g. campus networks, office networks, IoT etc.). This paper positions an experimental testbed that can be used for studying worm behaviors in large scale networks. In particular, this research aims to setup an infrastructure to empirically study worm generation, propagation, attacks, policies and antidote (intervention) mechanisms through a unified experimental testbed. As a preliminary step towards this goal, this paper presents a case study of an empirical study of the behavior of a worm that attacks through IP address routing in a campus network. Through a 10 node set up where Raspberry Pis are used to emulate a user device in the campus network, we show how a simple worm that uses an exhaustive sequential and/or random selection of IP can lead to infecting devices in ways which can be challenging to track in reality. We also infer that through extensive experimentation it could be possible to develop prediction models for the attack patterns, based on the behavior patterns observed in the experiments.