Traffic Characterization of the Web Server Attacks of Worm Viruses
I like this paper because it looks at the worm problem from another approach, namely making software more fault tolerant in the face of a massive attack. Recall the number of non-infected web servers that fell off the network during Code Red and Nimda. This paper seems like a natural follow-on to that observation. I'd be curious to see someone code a plugin for a web server that attempted to implement some of the findings from this paper.
With the explosive popularity of the Internet, the number of accessible web servers has proliferated as well. Subsequently, malicious attacks on these servers via viruses have become more prevalent. Due to the self-propagating and self-duplicating nature of these viruses, such attacks can congest the network quickly, aggravating the already limited bandwidth available and curtailing the service provided by the server, eventually leading to denial of all services. The IIS, in particular, has been gravely affected by such Denial of Service (DoS) attacks. Hence, various methods to prevent such attacks from affecting the network and server have been researched and proposed. In this paper, we analyze the characteristics of worm virus attack traffic by extracting and analyzing virus attack logs. With the use of various statistical methods, we show that worm attack patterns show self-similarity with Hurst parameter H. Our purpose is to use this characteristic in annulling the negative effects of worm attacks.
Source: Traffic Characterization of the Web Server Attacks of Worm Viruses, Kihun Chong, Ha Yoon Song, Sam H. Noh.
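To make the abstract's self-similarity claim concrete, here is an added example (not code from the paper or from this post) that estimates the Hurst parameter H of a per-interval count of attack requests, as one would extract from web server logs. The aggregated-variance estimator is an assumption, since the abstract only says "various statistical methods", and both input series are constructed. H near 0.5 means no long-range dependence; H approaching 1 means bursts persist across time scales.

```python
import math
import random

def _variance(values):
    mu = sum(values) / len(values)
    return sum((v - mu) ** 2 for v in values) / len(values)

def hurst_aggregated_variance(counts, block_sizes=(1, 2, 4, 8, 16, 32, 64)):
    """Estimate H from the slope of log Var(block means) against log block size."""
    xs, ys = [], []
    for m in block_sizes:
        usable = len(counts) - len(counts) % m
        means = [sum(counts[i:i + m]) / m for i in range(0, usable, m)]
        var = _variance(means)
        if var == 0:
            raise ValueError("constant series: H is undefined")
        xs.append(math.log(m))
        ys.append(math.log(var))
    # Least-squares slope; for a self-similar series the slope equals 2H - 2.
    x_bar = sum(xs) / len(xs)
    y_bar = sum(ys) / len(ys)
    slope = (sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
             / sum((x - x_bar) ** 2 for x in xs))
    return 1 + slope / 2

def bursty_counts(levels=13, bias=0.7, total=10**9, seed=7):
    """Constructed bursty series: split the volume bias/(1 - bias), recursively."""
    rng = random.Random(seed)
    series = [float(total)]
    for _ in range(levels):
        nxt = []
        for v in series:
            w = bias if rng.random() < 0.5 else 1 - bias
            nxt += [v * w, v * (1 - w)]
        series = nxt
    return [round(v) for v in series]

def uncorrelated_counts(n=8192, seed=7):
    """Constructed baseline: independent counts with no memory between bins."""
    rng = random.Random(seed)
    return [rng.randint(0, 200) for _ in range(n)]

if __name__ == "__main__":
    print("bursty H  = %.2f" % hurst_aggregated_variance(bursty_counts()))
    print("baseline H = %.2f" % hurst_aggregated_variance(uncorrelated_counts()))
```

For real logs, replace the constructed series with the number of matching requests per fixed-width time bin; the estimate is only meaningful when the series is long enough to leave many blocks at the largest block size.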