Journal of KIISE:Computing Practices and Letters (한국정보과학회논문지:컴퓨팅의 실제 및 레터)

Korean Institute of Information Scientists and Engineers (한국정보과학회)
권호 표지

A Macroscopic Framework for Internet Worm Containments

인터넷 웜 확산 억제를 위한 거시적 관점의 프레임워크

  • Published : 2009.09.15
Download PDF
⟨ Previous Next ⟩

Abstract

Internet worm can cause a traffic problem through DDoS(Distributed Denial of Services) or other kind of attacks. In those manners, it can compromise the internet infrastructure. In addition to this, it can intrude to important server and expose personal information to attacker. However, current detection and response mechanisms to worm have many vulnerabilities, because they only use local characteristic of worm or can treat known worms. In this paper, we propose a new framework to detect unknown worms. It uses macroscopic characteristic of worm to detect unknown worm early. In proposed idea, we define the macroscopic behavior of worm, propose a worm detection method to detect worm flow directly in IP packet networks, and show the performance of our system with simulations. In IP based method, we implement the proposed system and measure the time overhead to execute our system. The measurement shows our system is not too heavy to normal host users.

인터넷 웜은 분산 서비스 거부 공격 등을 통해 트래픽 장애를 유발하므로 인터넷 인프라를 사용 불능으로 만들 수 있고, 침입 기능을 갖고 있어 중요 서버를 장악하여 개인의 정보를 유출시키는 등 치명적인 피해를 일으키고 있다. 그러나 이러한 인터넷 웜을 탐지하여 대응하는 기존의 기법은 웜의 지역화된 특징만을 이용하거나 이미 알려진 웜에만 대응 가능한 단점을 지니고 있다. 본 논문에서는 알려지지 않은 웜을 상대적으로 빠른 시점에 탐지하기 위해 웜의 거시적 행위 특성을 추출하여 탐지하는 기법을 제안 한다. 이를 위해 원의 거시적인 행위를 논리적으로 정의하고, IP 패킷 환경에서 호스트간 직접적으로 전파 되는 웜을 탐지하는 기법을 제시하며, 이 기법이 실제 적용 되었을 때 웜 확신의 억제 효과를 시뮬레이션을 통해 보인다. IP 패킷 환경은 응답 시간에 대해 민감하므로 제안된 기법이 구현되었을 때 요구하는 시간을 측정하여 제시하고, 이를 통해 상대적으로 큰 오버헤드 없이 제안된 기법이 구현될 수 있음을 보인다.

Keywords

References

  1. Jose Nazairo, Jeremy Anderson, Rick Wash, Chris Connelly, "The Future of Internet Worms," Cri-melabs research, 2001
  2. Jose Nazario, “Defense and Detection Strategies against InternetWorms,” Artech House, pp.135-208, 2004
  3. Frederick B. Cohen, “Computer Viruses: Theory and Experiments,” Computers and Security 6, 1987 https://doi.org/10.1016/0167-4048(87)90122-2
  4. Eugene H. Spafford, “Computer Viruses as Arti-ficialLife,” Journal of Artificial Life, MIT Press, pp.249-265, 1994 https://doi.org/10.1162/artl.1994.1.249
  5. K Alamar, “VBS Worm Generator,” http://vx.netlux.org/vx.php?id=tv07, 2000
  6. B. K. Mun, “Vision-Power Malicious Code Analisys. Increase of Malicious Code for Wresting Informa-tion,” http://www.etnews.co.kr/news/detail.html?id=200804300118, 2001
  7. Charles Schmidt and Tom Durby, “The What, Why, and How of the 1988 Internet Worm,” http://snowplow.org/tom/worm/worm.html, 2001
  8. Song, D., R. Malan, and R. Stone, “A Snapshot of Global Worm Activity,”http://reserch.arbor.net/up_media/up_files/snapshot_worm_activity.pdf, 2001
  9. Pele Li, Mehdi Salour, and Xiao Su, “A Survey of Internet Worm Detection and Containment,” IEEE Communication Surveys, 1st quarter 2008, vol.10, no.1, 2008 https://doi.org/10.1109/COMST.2008.4483668
  10. Jeffrey O. Kephart, David M. Chess, Steve R. White, “Computers and Epidemiology,” IEEE SPECTRUM, vol.30, no.5, pp.20-26, 1993 https://doi.org/10.1109/6.275061
  11. K. Lee, C. Kim, S. Lee, M. Hong, “Macroscopic Treatment to Unknown Malicious Mobile Codes,” Journal of KIISE: Computing Practices, vol.12, no.6, pp.339-348, Dec. 2006 (in Korean)
  12. C. M. Kim, S. U. Lee, M. P. Hong, "Macroscopic Treatment to Polymorphic E-mail Based Viruses," Proc. of the KIISE Korea Computer Congress 2003, vol.30, no.1(A), pp.419-421, 2003 (in Korean)
  13. A. Perrig, D. Song and A. Yaar, “Pi: A Path Identification Mechanism to Defend against DDoS Attacks,” Proceedings of the 2003 Security and Privacy Symposium, 2003
  14. Sarah H. Seilke, Ness B. Shroff, Saurabh Bagchi, "Modeling and Automated Containment of Worms," IEEE Transaction on Dependable and Secure Computing, vol.5, no.2, pp.71-86, April 2008 https://doi.org/10.1109/TDSC.2007.70230
  15. Sapon Tanachaiwiwat and Ahmed Helmy, “Mode-ling and Analysis of Worm lnteractions(War of the Worms),” Broadnets 2007, Fourth Interrnational Conference on, pp.649-658, Sept. 2007
  16. Ram Dantu and $Joa^{~}o$ W. Cangussu, “Fast Worm Containment Using Feedback Control,” IEEE Trans-action on Dependable and Secure Computing, vol.4, no.2, pp.119-136, April 2007 https://doi.org/10.1109/TDSC.2007.1002
  17. Milan Vojnovic and Ayalvadi J. Ganesh, “On the Race of Worms, Alerts, and Patches,” IEEE/ACM Transaction on Networking, vol.16, no.5, pp.1066-1079, October 2008 https://doi.org/10.1109/TNET.2007.909678