Title :
Assessing Vulnerabilities in Apache and IIS HTTP Servers
Author :
Woo, Sung-Whan ; Alhazmi, Omar H. ; Malaiya, Yashwant K.
Author_Institution :
Dept. of Comput. Sci., Colorado State Univ., Fort Collins, CO
Date :
Sept. 29 2006-Oct. 1 2006
Abstract :
We examine the feasibility of quantitatively characterizing the vulnerabilities in the two major HTTP servers. In particular, we investigate the applicability of quantitative empirical models to the vulnerabilities discovery process for these servers. Such models can allow us to predict the number of vulnerabilities that may potentially be present in a server but may not yet have been found. The data on vulnerabilities found in the two servers is mined and analyzed. We explore the applicability of a time-based and an effort-based vulnerability discovery model. The effort-based model requires data of the current market-share of a server. Both models have been successfully used for vulnerabilities in the major operating systems. Our results show that both vulnerabilities discovery models fit the data for the HTTP servers well. We also examine a separate classification scheme for server vulnerabilities that is based on the source of error, and then explore the applicability of the quantitative methods to individual classes.
Keywords :
Internet; data mining; file servers; telecommunication security; transport protocols; Apache; IIS HTTP server; Internet information services; effort-based vulnerability discovery model; time-based vulnerability discovery model; Computer science; Data security; Databases; Internet; National security; Open source software; Operating systems; Predictive models; Protocols; Web server;
Conference_Title :
Dependable, Autonomic and Secure Computing, 2nd IEEE International Symposium on
Conference_Location :
Indianapolis, IN
Print_ISBN :
0-7695-2539-3
DOI :
10.1109/DASC.2006.21