Worm Detection and Containment using Earlybird and Snort on Deterlab

Worm Detection with Earlybird and Containment of Worm Spread through Snort Integration in a Deterlab Environment

  • Lee, Hyeong-Yun (Dept. of Computer & Information Communications Engineering, Hongik University) ;
  • Hwang, Seong-Oun (Dept. of Computer & Information Communications Engineering, Hongik University) ;
  • An, Beongku (Dept. of Computer & Information Communications Engineering, Hongik University)
  • 이형윤 (Dept. of Computer & Information Communications Engineering, Hongik University) ;
  • 황성운 (Dept. of Computer & Information Communications Engineering, Hongik University) ;
  • 안병구 (Dept. of Computer & Information Communications Engineering, Hongik University)
  • Received : 2012.12.12
  • Accepted : 2013.02.08
  • Published : 2013.02.28

Abstract

A computer worm is a standalone malware program that probes for and exploits vulnerabilities in systems. It replicates and spreads itself to other computers via networks. In this paper, we study how to detect and contain worms. First, we generated Codered II traffic on the emulated testbed called Deterlab. Then we identified suspicious parts of that traffic using Earlybird and wrote Snort rules after analysing them with Wireshark. Finally, by applying the Snort rules to the traffic, we could confirm that the worm was detected successfully.

A worm is a standalone program that probes for system vulnerabilities, attacks and damages vulnerable systems, and copies and spreads itself over the network. In this paper we studied methods for worm detection and containment. First, we generated Codered II worm traffic in Deterlab, an emulated testbed environment. We then identified suspicious parts of this traffic with Earlybird, analysed them with Wireshark, and wrote Snort rules. Next, by applying the Snort rules written above to the Codered II worm traffic and checking the generated log file, we confirmed that the worm was detected correctly.
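The pipeline the abstract describes (find repeated, widely spread payload content with Earlybird, then turn it into a Snort content rule) can be shown end to end in a small script. The following is an added example written for this page; it is not code from the paper, from Earlybird or from Snort. Earlybird itself uses sampled Rabin fingerprints and compact bitmaps for the address-dispersion counters; this version keeps the same idea (a substring is flagged only when it is both prevalent and seen across many sources and destinations) but uses a plain polynomial rolling hash and Python sets. The window length, thresholds, hash parameters, IP addresses and all packet payloads are constructed for the example, and the worm request line is only loosely shaped like a Code Red request, not a real capture.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

WINDOW = 40                   # length of the payload substrings being sifted (chosen here)
PREVALENCE_THRESHOLD = 3      # packets that must carry a substring before it counts as prevalent
SRC_DISPERSION_THRESHOLD = 3  # distinct sources that must send it (a worm spreads from many hosts)
DST_DISPERSION_THRESHOLD = 3  # distinct destinations that must receive it (a worm probes many hosts)
HASH_BASE, HASH_MOD = 257, (1 << 61) - 1   # polynomial rolling-hash parameters (chosen here)

class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes

class Signature(NamedTuple):
    content: bytes
    dport: int
    prevalence: int
    source_count: int
    destination_count: int

def fingerprint(chunk):
    """Polynomial hash of a byte string, computed directly; seeds the rolling version."""
    h = 0
    for b in chunk:
        h = (h * HASH_BASE + b) % HASH_MOD
    return h

def rolling_fingerprints(payload):
    """Yield (offset, fingerprint) for every WINDOW-byte substring, updated in O(1) per step."""
    if len(payload) < WINDOW:
        return
    h = fingerprint(payload[:WINDOW])
    yield 0, h
    top = pow(HASH_BASE, WINDOW - 1, HASH_MOD)   # weight of the byte leaving the window
    for i in range(WINDOW, len(payload)):
        h = (h - payload[i - WINDOW] * top) % HASH_MOD
        h = (h * HASH_BASE + payload[i]) % HASH_MOD
        yield i - WINDOW + 1, h

def sift(packets):
    """Earlybird-style content sifting: keep substrings that are both prevalent and dispersed."""
    first_seen, prevalence = {}, Counter()               # fingerprint -> (packet index, offset) / packet count
    sources, destinations = defaultdict(set), defaultdict(set)
    for idx, pkt in enumerate(packets):
        counted = set()
        for offset, fp in rolling_fingerprints(pkt.payload):
            first_seen.setdefault(fp, (idx, offset))
            sources[fp].add(pkt.src)
            destinations[fp].add(pkt.dst)
            counted.add(fp)
        prevalence.update(counted)                        # each substring counts once per packet
    # Group flagged windows by the packet they were first seen in and merge overlapping
    # offsets, so adjacent windows of one payload become a single byte range.
    ranges_by_packet = defaultdict(list)
    for fp, (idx, offset) in first_seen.items():
        if (prevalence[fp] >= PREVALENCE_THRESHOLD and len(sources[fp]) >= SRC_DISPERSION_THRESHOLD
                and len(destinations[fp]) >= DST_DISPERSION_THRESHOLD):
            ranges_by_packet[idx].append([offset, offset + WINDOW])
    signatures = []
    for idx, ranges in ranges_by_packet.items():
        ranges.sort()
        merged = [ranges[0]]
        for start, end in ranges[1:]:
            if start <= merged[-1][1]:
                merged[-1][1] = max(merged[-1][1], end)
            else:
                merged.append([start, end])
        for start, end in merged:
            content = packets[idx].payload[start:end]
            carriers = [p for p in packets if content in p.payload]   # re-derive stats for the merged bytes
            signatures.append(Signature(content, packets[idx].dport, len(carriers),
                                        len({p.src for p in carriers}), len({p.dst for p in carriers})))
    return signatures

def snort_rule(sig, sid):
    """Render a flagged byte range as a Snort rule; the hex content form is safe for any byte value."""
    hex_content = " ".join(f"{b:02X}" for b in sig.content)
    return (f"alert tcp any any -> any {sig.dport} "
            f'(msg:"Sifted worm content seen in {sig.prevalence} packets"; '
            f'flow:to_server,established; content:"|{hex_content}|"; sid:{sid}; rev:1;)')

# Constructed sample traffic, not a capture from the paper's testbed.
WORM_PAYLOAD = b"GET /default.ida?" + b"N" * 60 + b" HTTP/1.0\r\n"   # loosely shaped like a Code Red request line
SERVER_BANNER = (b"HTTP/1.1 200 OK\r\nServer: ExampleServer/1.0\r\n"
                 b"Content-Type: text/html\r\n\r\n<html>hello</html>")
CLIENT_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nAccept: */*\r\n\r\n"

def build_sample_traffic():
    infected = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]
    targets = ["10.0.2.21", "10.0.2.22", "10.0.2.23"]
    packets = [Packet("10.0.1.11", "10.0.3.1", 80, CLIENT_REQUEST)]   # one ordinary request: not prevalent
    # Every infected host probes every target with the same bytes: prevalent and dispersed.
    packets += [Packet(s, d, 80, WORM_PAYLOAD) for s in infected for d in targets]
    # One web server answering many clients: prevalent, but a single source, so not flagged.
    packets += [Packet("10.0.3.1", d, 51000 + i, SERVER_BANNER) for i, d in enumerate(infected + targets)]
    return packets
```

Running `snort_rule(sift(build_sample_traffic())[0], 1000001)` yields a single rule for the worm request line. The server banner is the instructive negative case: it is the most repeated content on the wire and reaches every host, yet it comes from one address, so the source-dispersion check keeps it out of the rule set. That is the property that separates worm content from merely popular content, and it is why a prevalence count alone is not enough. The `sid` value is a placeholder; local Snort rules normally use identifiers of 1000000 and above.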
