An Algorithm for Increasing Worm Detection Effectiveness in Virus Throttling

(Korean title: An Algorithm for Improving the Worm Detection Efficiency of Virus Throttling)

  • 김장복 (Graduate School of Information and Communication, Ajou University) ;
  • 김상중 (Division of Computer and Internet, Keimyung College) ;
  • 최선정 (Department of Information and Communication, Kyungmoon College) ;
  • 심재홍 (Division of Internet Software Engineering, Chosun University) ;
  • 정기현 (Division of Electronics Engineering, Ajou University) ;
  • 최경희 (Graduate School of Information and Communication, Ajou University)
  • Published : 2007.06.15

Abstract

The virus throttling technique [5,6] is one of the well-known early worm detection techniques. Virus throttling reduces worm propagation by artificially delaying connection request packets. However, the worm detection time is not as fast as expected when the worm generates packets at a low rate, because virus throttling uses only the delay queue length to decide that a worm is present. In this paper we use the trend of the weighted average delay queue length (TWAQL). With TWAQL, the worm detection time is shortened for low-rate Internet worms, and the false alarm rate does not increase significantly. Experiments also show that the proposed algorithm performs better.

Virus throttling [5, 6], one of the representative early-detection techniques for Internet worms, reduces worm propagation by delaying the connection request packets generated by a host. However, existing virus throttling uses only the number of delayed connection request packets to decide when a worm has appeared, so for an Internet worm that generates worm packets at a low rate, worm detection is slow. To overcome this drawback, this paper computes the weighted average of the delay queue length (Weighted Average Queue Length) and uses its trend to shorten the worm detection time. In addition, the proposed algorithm is designed to lower the possibility of false worm detections that reflecting the trend of the delay queue could otherwise introduce. The performance of the proposed algorithm is evaluated through real experiments.
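The mechanism both abstracts describe, as an added worked example that is not code from the paper or from the authors. The throttle follows Williamson's scheme [5,6] (a small working set of recently contacted destinations, one delayed request released per tick); the "original" detector is the plain delay-queue-length threshold. The TWAQL detector is an assumed reading of the abstract: an exponentially weighted moving average of the queue length, a lower threshold on that average, and a requirement that the average has been rising for several consecutive samples, with the rising count reset whenever the raw queue is draining so that a one-off benign burst does not trip it. The weight, thresholds, working-set size and the four traffic traces are all constructed for illustration, not taken from the paper's experiments.

```python
from collections import OrderedDict, deque


class VirusThrottle:
    """Williamson-style throttle [5,6]: requests to hosts in a small working set
    pass at once; others wait in a delay queue that releases one host per tick
    (releasing a host also frees any other queued requests to it)."""

    def __init__(self, working_set_size=5, release_per_tick=1):
        self.working_set = OrderedDict()      # LRU order, oldest first
        self.working_set_size = working_set_size
        self.release_per_tick = release_per_tick
        self.delay_queue = deque()

    def request(self, dst):
        """True if the request passes immediately, False if it is delayed."""
        if dst in self.working_set:
            self.working_set.move_to_end(dst)
            return True
        self.delay_queue.append(dst)
        return False

    def tick(self):
        """Release this tick's allowance; return the delay queue length after it
        (the quantity both detectors observe)."""
        for _ in range(self.release_per_tick):
            if not self.delay_queue:
                break
            dst = self.delay_queue.popleft()
            self.working_set[dst] = True
            if len(self.working_set) > self.working_set_size:
                self.working_set.popitem(last=False)   # evict least recently used
            self.delay_queue = deque(d for d in self.delay_queue if d != dst)
        return len(self.delay_queue)


class QueueLengthDetector:
    """Original rule: alarm once the delay queue reaches a fixed length."""

    def __init__(self, queue_threshold=20):
        self.queue_threshold = queue_threshold

    def observe(self, qlen):
        return qlen >= self.queue_threshold


class TWAQLDetector:
    """Assumed TWAQL rule: keep the original length rule, and also alarm when the
    weighted average queue length exceeds a lower threshold AND has risen for
    `rising_ticks` consecutive samples. False-alarm guard: the rising count is
    reset whenever the raw queue is draining (a benign burst drains, a worm keeps
    refilling the queue)."""

    def __init__(self, queue_threshold=20, alpha=0.2, avg_threshold=5.0, rising_ticks=3):
        self.queue_threshold, self.alpha = queue_threshold, alpha
        self.avg_threshold, self.rising_ticks = avg_threshold, rising_ticks
        self.avg, self.prev_q, self.rising = 0.0, 0, 0

    def observe(self, qlen):
        prev_avg = self.avg
        self.avg = (1 - self.alpha) * prev_avg + self.alpha * qlen   # EWMA of queue length
        if self.avg > prev_avg and qlen >= self.prev_q:
            self.rising += 1
        else:
            self.rising = 0
        self.prev_q = qlen
        trend_alarm = self.avg >= self.avg_threshold and self.rising >= self.rising_ticks
        return qlen >= self.queue_threshold or trend_alarm


# Constructed traffic traces (not measured data): destinations requested in tick t.
def benign(t):
    reqs = ["web", "mail", "dns"]             # the same few servers every tick
    if t % 10 == 0:
        reqs.append(f"new-{t}")               # an occasional genuinely new host
    return reqs

def slow_worm(t):   # low-rate scanner: 2 never-seen hosts per tick
    return benign(t) + [f"slow-{t}-{i}" for i in range(2)]

def fast_worm(t):   # aggressive scanner: 20 never-seen hosts per tick
    return benign(t) + [f"fast-{t}-{i}" for i in range(20)]

def burst(t):       # one benign burst of 12 new hosts at tick 5, then quiet
    return benign(t) + ([f"burst-{i}" for i in range(12)] if t == 5 else [])


def first_alarm(trace, detector, ticks=40):
    """Drive a fresh throttle with `trace`; return the tick of the first alarm or None."""
    throttle = VirusThrottle()
    for t in range(ticks):
        for dst in trace(t):
            throttle.request(dst)
        if detector.observe(throttle.tick()):
            return t
    return None


def compare(ticks=40):
    """Detection tick under (queue-length rule, TWAQL rule) for each trace."""
    traces = {"benign": benign, "slow_worm": slow_worm, "fast_worm": fast_worm, "burst": burst}
    return {name: (first_alarm(tr, QueueLengthDetector(), ticks),
                   first_alarm(tr, TWAQLDetector(), ticks))
            for name, tr in traces.items()}


if __name__ == "__main__":
    for name, (by_length, by_trend) in compare().items():
        print(f"{name:10s} queue-length alarm: {by_length}  TWAQL alarm: {by_trend}")
```

With these settings the slow scanner is caught at tick 4 by the trend rule but only at tick 14 by the raw length rule, the fast scanner trips the raw rule immediately under both detectors, and neither the steady benign trace nor the one-off burst raises an alarm. The burst case is the one to watch when tuning such a detector: without the draining guard, the moving average keeps rising for a few ticks after a burst even though the queue is already emptying, and the trend rule would fire on it.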

Keywords

References

  1. CERT, 'CERT Advisory CA-2003-04 MS-SQL Server Worm,' Jan. 2003. http://www.cert.org/advisories/CA-2003-04.html
  2. CERT, 'CERT Incident Note IN-2001-09: Code Red II, Another Worm Exploiting Buffer Overflow in IIS Indexing Service DLL,' Aug. 2001. http://www.cert.org/incident_notes/IN-2001-09.html
  3. CERT, 'CERT Incident Note IN-2001-08: Code Red Worm Exploiting Buffer Overflow in IIS Indexing Service DLL,' July 2001. http://www.cert.org/incident_notes/IN-2001-08.html
  4. CERT, 'CERT Advisory CA-2001-26 Nimda Worm,' Sept. 2001. http://www.cert.org/advisories/CA-2001-26.html
  5. Matthew M. Williamson, 'Throttling Viruses: Restricting propagation to defeat malicious mobile code,' Proc. of the 18th Annual Computer Security Applications Conference, Dec. 2002 https://doi.org/10.1109/CSAC.2002.1176279
  6. J. Twycross and M. M. Williamson, 'Implementing and testing a virus throttle,' Proc. of the 12th USENIX Security Symposium, pp. 285-294, Aug. 2003
  7. X. Qin, D. Dagon, G. Gu, and W. Lee, 'Worm detection using local networks,' Technical report, College of Computing, Georgia Tech., Feb. 2004
  8. J. Jung, S. E. Schechter, and A. W. Berger, 'Fast Detection of Scanning Worm Infections,' Proc. of 7th International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, French Riviera, France, Sept. 2004
  9. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, 'Fast portscan detection using sequential hypothesis testing,' Proc. of the IEEE Symposium on Security and Privacy, May 2004 https://doi.org/10.1109/SECPRI.2004.1301325
  10. C. C. Zou, W. Gong, and D. Towsley, 'Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense,' ACM CCS Workshop on Rapid Malcode (WORM'03), Washington DC, Oct. 2003 https://doi.org/10.1145/948187.948197
  11. C. Zou, L. Gao, W. Gong, D. Towsley, 'Monitoring and early warning for Internet worms,' ACM Conference on Computer and Communications Security, Washington, DC, Oct. 2003 https://doi.org/10.1145/948109.948136
  12. Jangbok Kim, Jaehong Shim, Gihyun Jung, and Kyunghee Choi, 'Reducing Worm Detection Time and False Alarm in Virus Throttling,' LNAI 3802, p. 297, December 2005
  13. Stuart Staniford, 'Containment of scanning worms in enterprise networks,' Journal of Computer Security, 2004
  14. David Whyte, Evangelos Kranakis, P.C. van Oorschot, 'DNS-based Detection of Scanning Worms in an Enterprise Network,' In Proc. of the 12th Annual Network and Distributed System Security Symposium, Feb. 2005