A Scalable Distributed Worm Detection and Prevention Model using Lightweight Agent

경량화 에이전트를 이용한 확장성 있는 분산 웜 탐지 및 방지 모델

  • 박연희 (Department of Information and Communication Engineering, Ajou University) ;
  • 김종욱 (Department of Information and Communication Engineering, Ajou University) ;
  • 이성욱 (Department of Internet Information, Shingu College) ;
  • 김철민 (Wireless Communication Research Institute, 시스온칩) ;
  • 우즈만 (Department of Information and Communication Engineering, Ajou University) ;
  • 홍만표 (Department of Information and Communication Engineering, Ajou University)
  • Published: 2008.07.15

Abstract

A worm is malware that propagates quickly from host to host without any human intervention. The need for early worm detection has shifted the research paradigm from signature-based detection to behavior-based detection. To increase the effectiveness of the proposed solution, this paper presents a mechanism for detecting and preventing worms in a distributed fashion. Furthermore, to minimize the damage a worm can do, a node that detects a worm propagates an attack alert to its neighboring nodes in a secure and organized manner. Based on worm behavior, the proposed mechanism detects worm cycles and infection chains in order to catch sudden changes in network performance. The model neither maintains a large signature database nor requires much computing power, which keeps it light and simple, so the proposed scheme is suitable for ubiquitous environments. Simulation results show improved detection and prevention, which leads to a reduction in the infection rate.

A worm is malicious code that, without human intervention, attacks vulnerable network services and copies and propagates packets the user does not want. Existing worm detection techniques have been mostly signature-based, but because of their limits for early detection, methods that sense the behavioral characteristics of worm propagation have recently drawn attention. This paper proposes a distributed worm detection and prevention method that can detect and respond to the behavioral characteristics of worms, represented by the worm behavior cycle and the infection chain, and demonstrates through simulation that the infection rate of worms decreases when the proposed detection and prevention model is applied. The proposed worm detection model does not require a large signature database and consumes comparatively little computing power, so it is suitable not only for personal computers but also for settings where individual devices have low computing power, such as ubiquitous and mobile environments.
