Self-similar properties of malicious teletraffic

Abstract

StudiesofmaliciousteletrafficrecordedinrealnetworksshouldhelptofindnewmethodsofprotectingInternetusersagainstvirusesandspam,makingweb serversimmunetovirusattacksand/orprotectingthemagainstdataloss.Sincecomputervirusescanself-propagate,thenumberofcontaminatedpackets canquicklygrowexponentially,leadingtonetworkcongestionorblockages.Similardamagingeffectscanbecausedbylargevolumesofspam,i.e.,by unwanteddatacomingfromemails,electronicboardsandmessengers.Widelyvaryingestimatesofthecostsassociatedwithspamareavailableinthe literature.Quantitativeanalysisofthestochasticpropertiesofmaliciousteletraffic,formedbyvirusesandspam,isstillanopenproblem.Inthispaperwe investigatea4-yeardatasampleofrealmalicioustrafficrecordedbyJIRANSOFT’sSpamSniper,attheingressofthelocalnetworkofKoreanBibleUniversity inSouthKorea,betweenMay2005andJuly2009.Ourmajorfindingsarethat:(i)real-timeinboundteletrafficcarryingvirusesandspamdataisstatistically morecorrelated(self-similar)whencomparedtonormalteletraffic,and(ii)thedegreeofself-similaritymeasuredintermsoftheHurstparameterHand obtainedfromdifferentestimationtechniquesisveryhigh.Sinceself-similarteletrafficrequiresmoreresourcesforagivenQoS,thissuggeststhatthecosts ofsuchmaliciousteletrafficmaybeevenhigherthancurrentlyestimated.