To clean or not to clean: Malware removal strategies for servers under load

Sherwin Doroudi, Thanassis Avgerinos, Mor Harchol-Balter

Research output: Contribution to journalArticlepeer-review

4 Scopus citations

Abstract

We consider how to best schedule reparative downtime for a customer-facing online service that is vulnerable to cyber attacks such as malware infections. These infections can cause performance degradation (i.e., a slower service rate) and facilitate data theft, both of which have monetary repercussions. Infections may go undetected and can only be removed by time-consuming cleanup procedures, which require temporarily taking the service offline. From a security-oriented perspective, cleanups should be undertaken as frequently as possible. From a performance-oriented perspective, frequent cleanups are desirable because they maintain faster service, but they are simultaneously undesirable because they lead to more frequent downtimes and subsequent loss of revenue. We ask when and how often cleanups should happen. In order to analyze various downtime scheduling policies, we combine queueing-theoretic techniques with a revenue model to capture the problem's tradeoffs. Unlike classical repair problems, this problem necessitates the analysis of a quasi-birth-death Markov chain, tracking the number of customer requests in the system and the (possibly unknown) infection state. We adapt a recent analytic technique, Clearing Analysis on Phases (CAP), to determine the exact steady-state distribution of the underlying Markov chain, which we then use to compute revenue rates and make recommendations. Prior work on downtime scheduling under cyber attacks relies on heuristic approaches, with our work being the first to address this problem analytically.

Original languageEnglish (US)
Pages (from-to)596-609
Number of pages14
JournalEuropean Journal of Operational Research
Volume292
Issue number2
DOIs
StatePublished - Jul 16 2021
Externally publishedYes

Bibliographical note

Publisher Copyright:
© 2020 Elsevier B.V.

Keywords

  • Computer security
  • Maintenance
  • Malware
  • Markov processes
  • Queueing

Fingerprint

Dive into the research topics of 'To clean or not to clean: Malware removal strategies for servers under load'. Together they form a unique fingerprint.

Cite this