The KIPS Transactions:PartC (정보처리학회논문지C)

Korea Information Processing Society (한국정보처리학회)
권호 표지
DOI QR코드

DOI QR Code

Reducing False Alarm and Shortening Worm Detection Time in Virus Throttling

Virus Throttling의 웜 탐지오판 감소 및 탐지시간 단축

  • 심재홍 (조선대학교 인터넷소프트웨어공학부) ;
  • 김장복 (아주대학교 정보통신전문대학원) ;
  • 최경희 (아주대학교 정보통신전문대학원) ;
  • 정기현 (아주대학교 전자공학부)
  • Published : 2005.10.01
Download PDF
⟨ Previous Next ⟩

Abstract

Since the propagation speed of the Internet worms is quite fast, worm detection in early propagation stage is very important for reducing the damage. Virus throttling technique, one of many early worm detection techniques, detects the Internet worm propagation by limiting the connection requests within a certain ratio.[6, 7] The typical throttling technique increases the possibility of false detection by treating destination IP addresses independently in their delay queue managements. In addition, it uses a simple decision strategy that determines a worn intrusion if the delay queue is overflown. This paper proposes a two dimensional delay queue management technique in which the sessions with the same destination IP are linked and thus a IP is not stored more than once. The virus throttling technique with the proposed delay queue management can reduce the possibility of false worm detection, compared with the typical throttling since the proposed technique never counts the number of a IP more than once when it chicks the length of delay queue. Moreover, this paper proposes a worm detection algorithm based on weighted average queue length for reducing worm detection time and the number of worm packets, without increasing the length of delay queue. Through deep experiments, it is verified that the proposed technique taking account of the length of past delay queue as well as current delay queue forecasts the worn propagation earlier than the typical iuぉ throttling techniques do.

인터넷 웜(worm)의 전파속도는 매우 빠르기 때문에, 발생초기에 웜의 전파를 탐지하여 막지 못하면 큰 피해를 초래 할 수 있다. 새로운 세션에 대한 연결요청을 일정 비율이하로 제한함으로써 웜의 발생여부를 탐지하는 바이러스 쓰로틀링(virus throttling)[6, 7]은 대표적인 웜 조기탐지 기술 중의 하나이다. 대부분의 기존 기술은 지연 큐 관리에 있어서 동일한 수신 IP 주소들을 개별적으로 처리함으로써 웜 탐지의 오판 가능성을 증가시켰고, 지연 큐가 가득 찼을 때에만 웜이 발생했다고 판단하는 단순 판단 기법을 사용했다. 본 논문은 지연 큐에서 동일 수신 IP 주소들을 하나의 연결 리스트로 묶어 별도로 관리함으로써 동일 수신 IP들을 중복하여 지연 큐에 저장하지 않는 이차원 지연 규 관리방안을 제안한다. 개선된 바이러스 쓰로틀링은 지연 큐 길이 산정 시동일 수신 IP 주소들을 중복하여 계산하지 않기 때문에 웜 탐지 오류를 줄일 수 있다. 그리고 동일한 크기의 지연 큐를 가지고도 웜 탐지시간을 줄이고 웜 패킷 전송 수를 줄일 수 있는 가중치 평균 큐 길이 기반의 새로운 웜 탐지 알고리즘을 제안한다. 지연 큐 길이 산정 시 현재의 큐 길이 뿐 아니라 과거의 큐 길이를 반영하는 방법이 웜의 발생 가능성을 사전에 예측하여 기존 기법보다 빠르게 웜을 탐지할 수 있음을 실험을 통해 확인하였다.

Keywords

References

  1. CERT, 'CERT Advisory CA-2003-04 MS-SQL Server Worm,' Jan., 2003. http://www.cert.org/advisories/CA-2oo304.html
  2. CERT, 'CERT Advisory CA-200H)9 Code Red II Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL,' Aug., 2001. http://www.cert.org/incident_notes/lN2001-09.html
  3. S. Sidiroglou and A. D. Keromytis, 'A Network Worm Vaccine Architecture,' Proc. of the IEEE Workshop on Enterprise Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, pp.220-225, June, 2003
  4. D. Moore, V. Paxson, S. Savage, C. Shannon, S. StaniPord and N. Weaver, 'Inside the Slammer worm,' IEEE Security and Privacy, vol. 1, pp. 33-39, July, 2003 https://doi.org/10.1109/MSECP.2003.1219056
  5. C. Zou, L. Gao, W. Gong, D. Towsley, 'Monitoring and early warning for Internet worms,' ACM Conference on Computer and Communications Security, Washington, DC, Oct., 2003 https://doi.org/10.1145/948109.948136
  6. Matthew M. Williamson, 'Throttling Viruses: Restricting propagation to defeat malicious mobile code,' Proc. of the 18th Annual Computer Security Applications Conference, Dec., 2002 https://doi.org/10.1109/CSAC.2002.1176279
  7. J. Twycross and M. M. Williamson, 'Implementing and testing a virus throttle,' Proc. of the 12th USENIX Security Symposium, pp.285-294, Aug., 2003
  8. J. Jung, S. E. Schechter, and A. W. Berger, 'Fast Detection of Scanning Worm Infections,' Proc. of 7th International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, French Riviera, France, Sept., 2004
  9. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, 'Fast portscan detection using sequential hypothesis testing,' Proc. of the IEEE Symposium on Security and Privacy, May, 2004 https://doi.org/10.1109/SECPRI.2004.1301325
  10. X. Qin, D. Dagon, G. Gu, and W. Lee, 'Worm detection using local networks,' Technical report, College of Computing, Georgia Tech., Feb., 2004
  11. C. C. Zou, W. Gong, and D. Towsley, 'Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense,' ACM CCS Workshop on Rapid Malcode (WORM '03), Washington DC, Oct., 2003 https://doi.org/10.1145/948187.948197
  12. N. Gulati, C. Williamson and R. Bunt, 'LAN traffic locality: Characterization and application,' Proc. of the First International Conference of Local Area Network Interconnection, pp.233-250, Oct., 1993
  13. CERT, 'CERT Advisory CA-2001-08 Code Red Worm Exploiting Buffer Overflow in lIS Indexing Service DLL,' July 2001. http://www.cert.org/incidenLnotes/IN-2001-08.html
  14. CERT, 'CERT Advisory CA-2001-26 Nimda Worm, Sept. 2001. http://www.cert.org/advisories/CA-2001-26.html
  15. CERT, 'CERT Advisory CA-2000-04 Love Letter Worm, May 2002. http://www.cert.org/advisorieS/CA-2000-04.html