• Proceedings of the Korean Information Science Society Conference
• /
• 2005.07a
• /
• pp.214-216
• /
• 2005

현재 인터넷 웜에 관한 관심과 연구가 활발해 지면서 인터넷 웜 전파 특성 시뮬레이션 방법에 관한 연구가 많이 진행 되고 있다. 하지만, 연구 되어온 기법들은 대부분 웜의 스캔기법과 같은 웜 자체에 전파 되는 알고리즘에 대해서만 고려한 시뮬레이션 환경을 제시 하였다. 웜의 특성 상 좀더 실제 네트워크 환경과 비슷한 환경을 제공 하려면, 웜의 전파 알고리즘 외에, 각 호스트들에 취약점 패치 유무, 타깃 호스트들의 Computing Power, 각 네트워크의 밴드위스 & 지연시간, 네트워크 별 보안 장비(방화벽, IPS)의 유무 등 여러 가지 웜 전파에 영향을 미치는 요소들이 존재한다. 따라서 본 연구에서는 먼저 웜의 전파에 영향을 미치는 요소를 특성에 따라 크게 4가지로 분류 해보고, 이를 효율적으로 시뮬레이션 환경에 적용 할 수 있는 방안을 제안한다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.1
• /
• pp.89-102
• /
• 2008

Internet becomes more and more popular, and most companies and institutes use web services for e-business and many other purposes. With the explosion of Internet, the attack of internet worm has grown. Simulation is one of the most widely used method to study internet worms. But, it is quite challenging to simulate very large-scale worm attacks because of various reasons. By this reason, we often use the modeling network simulation technique. But, it also has problem that it difficult to apply each worm attacks to simulation. In this paper, we propose worm attack representation and mapping methods for apply worm attack to simulation. The proposed method assist to achieve the simulation efficiency. And we can express each worm attacks more detail. Consequently, the simulation of worm attacks has the time-efficiency and the minuteness.

• The Journal of the Korea Contents Association
• /
• v.6 no.12
• /
• pp.155-162
• /
• 2006

It was well known that how much seriously the Internet worm such as the Code Red had an effect on our daily activities. Recently the rapid growth of the Internet speed will produce more swift damage us in a short term period. In order to defend against future worm, we need to understand the propagation pattern during the lifetime of worms. In this paper, we analyze the propagation pattern of the Code Red worm by a computer simulation. In particular, we show that an existing simulation result about the number of infectious hosts does not match the observed data, and then we introduce a factor of revised human countermeasures into the simulation. We also show the simulation results presenting the importance of patching and pre-patching of the Internet worm.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.3
• /
• pp.43-53
• /
• 2007

Internet becomes more and more popular, and most companies and institutes use web services for e-business and many other purposes. With the explosion of Internet, the occurrence of cyber terrorism has grown very rapidly. Simulation is one of the most widely used method to study internet worms. But, it is quite challenging to simulate very large-scale worm attacks because of various reasons. In this paper, we propose a hybrid modeling method for RCS(Random Constant Spreading) worm simulation. The proposed hybrid model simulates worm attacks by synchronizing modeling network and packet network. So, this model will be both detailed enough to generate realistic packet traffic, and efficient enough to model a worm spreading through the Internet. Moreover, our model have the capability of dynamic updates of the modeling parameters. Finally, we simulate the hybrid model with the CodeRed worm to show validity of our proposed model for RCS worm simulation.

• Proceedings of the Korean Information Science Society Conference
• /
• 2006.10c
• /
• pp.570-574
• /
• 2006

인터넷 보급에 따라 웜에 의한 피해가 꾸준히 이어지고 있다. 인터넷 웜을 방어하기 위해서는 웜에 대한 연구가 이루어 져야하는데 웜을 연구하기 위해 대규모 네트워크를 구성하여 연구하기에는 어려움이 따르게 된다. 그래서 실제 네트워크를 구성하는 대신 시뮬레이션을 이용한 연구가 이루어지게 되었는데 시뮬레이션이라 할지라도 대규모 네트워크를 시뮬레이션 하는 것은 여러 문제점이 존재하게 된다. 그래서 본 논문에서는 대규모 네트워크를 시뮬레이션 하기위해 네트워크 모델링 시뮬레이션 방법을 기본으로 한 패킷 네트워크를 이용한 네트워크 모델링 시뮬레이션 방법에 대해 제안을 하였다. 이 방법을 기존의 대규모 네트워크 시뮬레이션의 문제를 패킷 네트워크와 모델링 네트워크가 서로 보완을 하여 해결하도록 구성되어 있다. 그리고 제안한 방법을 이용하여 웜의 전파를 실험한 시뮬레이션을 수행해 보았다.

• Journal of KIISE:Computing Practices and Letters
• /
• v.15 no.9
• /
• pp.675-684
• /
• 2009

Internet worm can cause a traffic problem through DDoS(Distributed Denial of Services) or other kind of attacks. In those manners, it can compromise the internet infrastructure. In addition to this, it can intrude to important server and expose personal information to attacker. However, current detection and response mechanisms to worm have many vulnerabilities, because they only use local characteristic of worm or can treat known worms. In this paper, we propose a new framework to detect unknown worms. It uses macroscopic characteristic of worm to detect unknown worm early. In proposed idea, we define the macroscopic behavior of worm, propose a worm detection method to detect worm flow directly in IP packet networks, and show the performance of our system with simulations. In IP based method, we implement the proposed system and measure the time overhead to execute our system. The measurement shows our system is not too heavy to normal host users.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.17 no.5
• /
• pp.1154-1159
• /
• 2013

Now we are facing various threats as side effects against the growth of smartphone markets. Malicious codes such as mobile worms may bring about disclosures of personal information and confusions to upset a national wireless backbone. In this paper, we examine the existed spreading models and try to describe the correct spread of mobile worms on smartphones. We also analyze the spreading effects, and simulate bluetooth, MMS and Wi-Fi worms by various experiments.

• Proceedings of the Korean Information Science Society Conference
• /
• 2005.11a
• /
• pp.16-18
• /
• 2005

2003년 1.25 대란을 통해 우리나라와 같이 초고속 인터넷망의 인프라를 갖춘 국가는 웜에 의한 DDoS공격 등에 취약하다는 것이 입증되었다. 이러한 취약성을 극복하기 위해서는 웜의 공격에 대해 웜 코드 자체에 대한 세부적인 분석과 전파 특성을 관찰하는 것이 중요하다. 하지만 웜의 전파 특성이나 취약점을 확인할 수 있는 방법으로는 소스코드 디어셈블러, 웜이 전파된 후 감염된 호스트들을 분석하는 방법이외에는 타당한 기법들이 제시되지 않고 있다. 웜 코드를 실제 네트워크 환경에서 테스트하기 위한 환경을 구축하기 위해서는 많은 시간과 비용이 소요되며 , 제도나 법률에 반하는 비현실적인 방법이라 할 수 있다. 이에 본 논문에서는 심각한 피해를 유발할 수 있는 치명적인 웜들의 시뮬레이션을 통해 웜의 전파 과정에서 발생하는 트래픽을 분석, 확인할 수 있는 시뮬레이터를 제시하고자 한다.

• The Journal of the Institute of Internet, Broadcasting and Communication
• /
• v.13 no.1
• /
• pp.71-76
• /
• 2013

A computer worm is a standalone malware computer program that probes and exploits vulnerabilities of systems. It replicates and spreads itself to other computers via networks. In this paper, we study how to detect and prevent worms. First, we generated Codered II traffic on the emulated testbed called Deterlab. Then we identified dubious parts using Earlybird and wrote down Snort rules using Wireshark. Finally, by applying the Snort rules to the traffic, we could confirmed that worm detection was successfully done.

• Journal of KIISE:Computing Practices and Letters
• /
• v.12 no.6
• /
• pp.339-348
• /
• 2006

Recently, many researches on detecting and responding worms due to the fatal infrastructural damages explosively damaged by automated attack tools, particularly worms. Network service vulnerability exploiting worms have high propagation velocity, exhaust network bandwidth and even disrupt the Internet. Previous worm researches focused on signature-based approaches however these days, approaches based on behavioral features of worms are more highlighted because of their low false positive rate and the attainability of early detection. In this paper, we propose a Distributed Worm Detection Model based on packet marking. The proposed model detects Worm Cycle and Infection Chain among which the behavior features of worms. Moreover, it supports high scalability and feasibility because of its distributed reacting mechanism and low processing overhead. We virtually implement worm propagation environment and evaluate the effectiveness of detecting and responding worm propagation.