Research and Implementation of a Worm Detection System Based on Anomalous Traffic
Abstract
In recent years, as Internet applications have spread, network worms have posed an increasingly serious threat to computer system security and network security. Traditional signature-matching worm detection methods depend on obtaining worm signatures first and therefore cannot detect unknown worms; existing behavior-based methods can detect unknown worms, but still face a trade-off between detection time and false positive rate. How to detect unknown worms quickly and accurately is therefore a pressing practical problem.
     During the outbreak phase of a worm's propagation, the number of infected hosts rises sharply and a large volume of network traffic is generated in a short time. A worm detection system based on anomalous traffic is therefore designed, which aims to detect the propagation of unknown worms in time from changes in traffic, without relying on a worm signature database.
     The system uses NetFlow to collect network traffic, so it need not inspect packet payloads and obtains the required flow information directly, which reduces the demand on system resources and greatly improves the system's timeliness. Once real-time traffic data has been collected, a worm detection algorithm based on a dynamic traffic baseline decides whether a worm attack is present in the network. The algorithm monitors the traffic of several destination ports simultaneously, identifies the worm's anomalous traffic against each port's normal traffic baseline model, and then locates suspected worm-infected hosts among the TOP N hosts of the anomalous flows. To reduce the false positive rate, the algorithm updates the baseline value dynamically according to the actual traffic volume, so that even the increase in normal traffic caused by a network peak does not exceed the threshold range. In addition, traffic statistics records are stored in an adaptive hash bucket structure: records are placed in separate linked lists by port number and kept sorted in decreasing order of traffic value, so each port's monitoring thread need only manage its own list, which improves the detection efficiency of the algorithm. Once a worm attack is detected, alarm messages of different levels are generated according to the severity of the anomalous traffic, and two response mechanisms, firewall linkage and router access control list filtering, are used to stop the worm from spreading further, thereby containing large-scale worm outbreaks.
     Finally, a simulated test environment is built to test the functionality and performance of the worm detection system. The results show that the system can detect unknown network worms promptly and accurately.
English abstract (as given by the author)
With the recent popularity of the Internet, worms have been posing an increasingly severe threat to computer systems and networks. The traditional signature-based detection method is not suitable for detecting unknown worms, since it requires worm signatures in advance. The behavior-based detection method can detect unknown worms; however, there is a trade-off between detection time and false positives. Therefore, detecting unknown worms quickly and accurately has become a pressing task.
     In the worm eruption phase, the number of infected hosts increases sharply and produces a large volume of network traffic. Hence an anomalous-traffic-based worm detection system is presented. It detects worms from traffic fluctuations, so it can detect unknown worms effectively and give early warning in the epidemic phase.
     The system collects traffic with NetFlow. It does not inspect packet contents but directly obtains flow information, which reduces the demand on system resources and improves efficiency. The system then detects worms with a detection algorithm based on a dynamic traffic baseline. The algorithm monitors several destination ports and confirms anomalous traffic against the baseline of normal traffic; infected hosts are then found from the TOP N data of NetFlow. To reduce false positives, the detection algorithm updates the traffic baseline dynamically according to the actual traffic, so that even when the network reaches a peak and normal traffic increases suddenly, it does not exceed the critical value. In addition, traffic records are stored in an adaptive hash bucket: records for different ports are put into different linked lists, arranged in decreasing order of traffic value. As a result, each thread only needs to manage its own linked list, and the efficiency of the detection algorithm is improved. After worms are detected, the system sends out alarm information of different levels and adopts active defense measures, firewall linkage and router ACLs, to mitigate the ongoing worm attack. It can thus restrain the large-scale spread of network worms.
     Finally, the system is tested in a simulated environment. The results show that it can detect unknown worms accurately and in time.
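The detection algorithm outlined in both abstracts (per-port traffic buckets sorted by volume, a baseline that follows normal traffic but is not raised by an outbreak, a threshold check, graded alarms and TOP N suspect hosts) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thesis: the NetFlow records are constructed, the monitored ports (445 and 80), the EWMA weight `alpha`, the threshold `multiplier`, the `floor` and the three severity levels are all assumptions chosen for illustration, and the hash bucket is a plain dictionary rather than the thesis's linked-list structure.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A NetFlow record reduced to the fields the detector needs (no payload)."""
    src: str
    dst: str
    dst_port: int


class PortBucket:
    """Per-port bucket of flow statistics: source host -> flow count.
    Stands in for the thesis's per-port list; top_n() yields records in
    decreasing order of traffic value."""

    def __init__(self):
        self.counts = defaultdict(int)
        self.total = 0

    def add(self, flow):
        self.counts[flow.src] += 1
        self.total += 1

    def top_n(self, n):
        # Flow count descending, host name as tie-breaker for a stable order.
        return sorted(self.counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


class BaselineDetector:
    """Dynamic-baseline detector for a fixed set of monitored destination ports.
    The baseline is an exponentially weighted moving average of the per-window
    flow count; a window is anomalous when its count exceeds multiplier * baseline
    (never less than floor). Only windows judged normal refresh the baseline, so a
    gradual traffic peak is absorbed while an outbreak cannot raise it."""

    def __init__(self, ports, alpha=0.2, multiplier=3.0, floor=20, top_n=3):
        self.ports = tuple(ports)
        self.alpha, self.multiplier, self.floor, self.top_n = alpha, multiplier, floor, top_n
        self.baseline = {p: None for p in self.ports}  # None until the first window

    def threshold(self, port):
        base = self.baseline[port]
        return None if base is None else max(self.floor, base * self.multiplier)

    @staticmethod
    def severity(ratio):
        # Assumed alarm levels keyed on observed / baseline.
        if ratio >= 10:
            return "high"
        if ratio >= 5:
            return "medium"
        return "low"

    def process_window(self, flows):
        """Consume one collection window of flows; return the alerts it raised."""
        buckets = {p: PortBucket() for p in self.ports}
        for flow in flows:
            if flow.dst_port in buckets:
                buckets[flow.dst_port].add(flow)
        alerts = []
        for port, bucket in buckets.items():
            thr = self.threshold(port)
            if thr is not None and bucket.total > thr:
                ratio = bucket.total / self.baseline[port]
                alerts.append({"port": port, "observed": bucket.total,
                               "baseline": self.baseline[port], "threshold": thr,
                               "severity": self.severity(ratio),
                               "suspects": bucket.top_n(self.top_n)})
                continue  # anomalous window: leave the baseline untouched
            if self.baseline[port] is None:
                self.baseline[port] = float(bucket.total)
            else:
                self.baseline[port] = (self.alpha * bucket.total
                                       + (1 - self.alpha) * self.baseline[port])
        return alerts


# --- constructed sample traffic (not captured data) --------------------------

def normal_window(n445, n80):
    """Background traffic: 20 clients across 50 SMB servers and one web server."""
    flows = [Flow(f"10.0.0.{i % 20 + 1}", f"10.0.1.{i % 50 + 1}", 445) for i in range(n445)]
    flows += [Flow(f"10.0.0.{i % 20 + 1}", "10.0.2.10", 80) for i in range(n80)]
    return flows


def worm_window(infected, scans_each):
    """Background traffic plus infected hosts touching many distinct addresses on 445."""
    flows = normal_window(100, 200)
    for host in infected:
        flows += [Flow(host, f"192.168.{i // 256}.{i % 256}", 445) for i in range(scans_each)]
    return flows


def run_scenario():
    """Five quiet windows, one legitimate traffic peak, then an outbreak."""
    det = BaselineDetector(ports=(445, 80))
    windows = [normal_window(100, 200) for _ in range(5)]
    windows.append(normal_window(140, 260))                      # peak: no alert expected
    windows.append(worm_window(["10.0.0.7", "10.0.0.13"], 300))  # outbreak on port 445
    return det, [det.process_window(w) for w in windows]


if __name__ == "__main__":
    det, results = run_scenario()
    for idx, alerts in enumerate(results, 1):
        for a in alerts:
            print(f"window {idx}: port {a['port']} {a['severity']} observed={a['observed']} "
                  f"baseline={a['baseline']:.1f} suspects={a['suspects'][:2]}")
```

In the scenario the 40% peak in window 6 stays under the threshold and is folded into the baseline (100 becomes 108 on port 445), while the outbreak in window 7 (700 flows against a threshold of 324) raises one medium-severity alert whose two leading suspects are exactly the constructed infected hosts; port 80, which the worm does not touch, keeps adapting normally. Skipping the baseline update on anomalous windows is what keeps the worm's own traffic from becoming the new normal.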