Abstract
Many web applications leak sensitive pages (we name them eigenpages) that can disclose their vulnerabilities. As a result, some worms like Santy locate their targets by searching specific eigenpages in search engines with well-crafted keywords. Such worms are so called search worms. In this paper, we focus on the modeling and containment of these search worms. We first study the influence of the eigenpage distribution on their spreading by introducing two propagation models: U-Model assuming eigenpages uniformly distributed on servers and PL-Model assuming the distribution follows a power law. We show that the uniform distribution maximizes the spreading speed of the search worm. Then we study the influence of the page ranking and introduce another propagation model: PR-Model. In this model, search results are ranked based on their PageRank values and the relative importance of their resident servers. Finally, we propose a containment system for search worms based on honey-page insertion: a small number of fake pages which will induce visitors to pre-established honeypots are randomly inserted into search results, and then infectious can be detected and reported to search engines when their malicious scans hit honeypots. We study the relationship between the containment effectiveness and the honey-page insert rate with our propagation models and find that the Santy worm can be almost completely stopped at its early age by inserting no more than 2 honey pages in every 100 search results, which is extremely effective.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Zou, C.C., Gong, W., Towsley, D.: Code Red Worm Propagation Modeling and Analysis. In: 9th ACM Symposium on Computer and Communication Security (CCS 2002), pp. 138–147. ACM Press, Washington (2002)
Hyppone, M., et al.: F-Secure Virus Descriptions: Santy (2004), http://www.f-secure.com/v-descs/santy_a.shtml
Sophos.: Sophos Virus Analysis: W32/MyDoom-O (2004), http://www.sophos.com/security/analyses/w32mydoomo.html
Kotadia, M.: Google squashes Santy worm (2004), http://news.cnet.com/Google-squashes-Santy-worm/2100-7349_3-5500265.html
Daley, D.J., Gani, J.: Epidemic Modeling: An Introduction. Cambridge University Press, Cambridge (1999)
Staniford, S., Paxson, V., Weaver, N.: How to Own the Internet in Your Spare Time. In: The 11th USENIX Security Symposium, pp. 149–167. USENIX Association, California (2002)
Chen, Z., Gao, L., Kwiat, K.: Modeling the Spread of Active Worms. In: 2003 IEEE INFOCOMM, pp. 1890–1900. IEEE Press, San Francisco (2003)
Zou, C.C., Gong, W., Towsley, D.: Worm propagation modeling and analysis under dynamic quarantine defense. In: 2003 ACM workshop on Rapid malcode, pp. 51–60. Acm Press, Washington (2003)
Zou, C.C., Gong, W., Towsley, D., Lixin, G.: The monitoring and early detection of internet worms. IEEE Transaction on Networking (TON) 13(5), 961–974 (2005)
Sellke, S.H., Shroff, N.B., Bagchi, S.: Modeling and Automated Containment of Worms. IEEE Transactions on Dependable and Secure Computing (TDSC) 5(2), 71–86 (2008)
Provos, N., McClain, J., Wang, K.: Search Worms. In: WORM 2006, pp. 1–8. ACM Press, Virginia (2006)
Johhny.: Google Hacking Database (2009), http://www.hackersforcharity.org/ghdb/
Riden, J., McGeehan, R., Engert, B., Mueter, M.: Know your Enemy: Web Application Threats (2008), http://www.honeynet.org/papers/webapp/
Huberman, B.A., Adamic, L.A.: Growth dynamics of the world wide web. Nature 401(6749), 131 (1999)
Pandurangan, G., Raghavan, P., Upfal, E.: Using PageRank to characterize Web structure. Internet Math. 3(1), 1–20 (2006)
Litvak, N., Scheinhardt, W.R.W., Volkovich, Y.: In-degree and PageRank: Why do they follow similar power laws? Internet Math. 4(2-3), 175–198 (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hua, J., Sakurai, K. (2010). Modeling and Containment of Search Worms Targeting Web Applications. In: Kreibich, C., Jahnke, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2010. Lecture Notes in Computer Science, vol 6201. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14215-4_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-14215-4_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14214-7
Online ISBN: 978-3-642-14215-4
eBook Packages: Computer ScienceComputer Science (R0)