Modeling and containment of search worms targeting web applications

Jingyu Hua, Kouichi Sakurai

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Many web applications leak sensitive pages (we name them eigenpages) that can disclose their vulnerabilities. As a result, some worms, such as Santy, locate their targets by searching for specific eigenpages in search engines with well-crafted keywords. Such worms are called search worms. In this paper, we focus on the modeling and containment of these search worms. We first study the influence of the eigenpage distribution on their spreading by introducing two propagation models: the U-Model, which assumes eigenpages are uniformly distributed on servers, and the PL-Model, which assumes the distribution follows a power law. We show that the uniform distribution maximizes the spreading speed of the search worm. We then study the influence of page ranking and introduce another propagation model, the PR-Model. In this model, search results are ranked based on their PageRank values and the relative importance of their resident servers. Finally, we propose a containment system for search worms based on honey-page insertion: a small number of fake pages, which lead visitors to pre-established honeypots, are randomly inserted into search results, so that infectious hosts can be detected and reported to search engines when their malicious scans hit the honeypots. We study the relationship between the containment effectiveness and the honey-page insert rate with our propagation models and find that the Santy worm can be almost completely stopped at its early age by inserting no more than 2 honey pages in every 100 search results, which is extremely effective.

Original language: English
Title of host publication: Detection of Intrusions and Malware, and Vulnerability Assessment - 7th International Conference, DIMVA 2010, Proceedings
Pages: 183-199
Number of pages: 17
DOI: https://doi.org/10.1007/978-3-642-14215-4_11
Publication status: Published - Aug 3 2010
Event: 7th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2010 - Bonn, Germany
Duration: Jul 8 2010 to Jul 9 2010

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 6201 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 7th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2010
Country: Germany
City: Bonn
Period: 7/8/10 to 7/9/10

Fingerprint

Worm
Web Application
Modeling
Honeypot
Propagation
Search engines
Search Engine
Model
Servers
Server
Spreading Speed
PageRank
Hits
Uniform distribution
Vulnerability
Insertion
Ranking
Power Law
Maximise
Target

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Hua, J., & Sakurai, K. (2010). Modeling and containment of search worms targeting web applications. In Detection of Intrusions and Malware, and Vulnerability Assessment - 7th International Conference, DIMVA 2010, Proceedings (pp. 183-199). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6201 LNCS). https://doi.org/10.1007/978-3-642-14215-4_11

@inproceedings{6e375bea6fd94a3f8cf55aa4a453f047,
title = "Modeling and containment of search worms targeting web applications",
author = "Jingyu Hua and Kouichi Sakurai",
year = "2010",
month = "8",
day = "3",
doi = "10.1007/978-3-642-14215-4_11",
language = "English",
isbn = "3642142141",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "183--199",
booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 7th International Conference, DIMVA 2010, Proceedings",

}

TY - GEN

T1 - Modeling and containment of search worms targeting web applications

AU - Hua, Jingyu

AU - Sakurai, Kouichi

PY - 2010/8/3

Y1 - 2010/8/3

UR - http://www.scopus.com/inward/record.url?scp=77955031438&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77955031438&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-14215-4_11

DO - 10.1007/978-3-642-14215-4_11

M3 - Conference contribution

SN - 3642142141

SN - 9783642142147

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 183

EP - 199

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 7th International Conference, DIMVA 2010, Proceedings

ER -