Construction of an Experimental Environment for Network Worm Propagation
Abstract
Network worms have become a serious threat to Internet security. Tracing the propagation path of a worm gives a complete picture of the structure of its attack and spread, and defending against and responding to network worms improves a network's resilience to attack. To detect and defend against large-scale Internet worm outbreaks, building a safe and convenient experimental environment in which real worms can run has become important work for observing large-scale worm infection, damage and propagation. This paper proposes ZE, an isolated experimental environment for large-scale worm propagation in which such experiments can be conducted. The environment uses virtual machine technology to virtualise a large number of participating hosts and network devices so as to match real networks as closely as possible. Based on a real worm, a large-scale outbreak is triggered within a scope people can control, the propagation process is observed, and detection and defence methods are tested. Propagation characteristics of the worm, such as scanning and the infection process, are discovered, and network traffic data and the infection process are collected in real time; the network traffic is then investigated. The real worm propagation process can thus be obtained and compared with the experimental results of the algorithm. To reduce the cost of reusing ZE, scripts are used to rebuild it.
Network worms have become a serious security threat on the Internet. Tracing a worm's propagation path reveals the overall structure of its attack. To detect and defend against large-scale Internet worms, setting up a convenient and safe experimental environment capable of running and observing real-world worms has become important work; such an environment can serve as a large-scale worm test bed for forensic evidence.
Large-scale network worm tracing research needs a reliable environment for algorithm experiments. First, a real-time tracing algorithm must be analysed theoretically, proving its correctness under certain assumptions and preconditions. Second, tracing models with different algorithm parameters must be established. But theoretical deduction cannot reflect the real execution of the algorithm. Many researchers use network simulation platforms such as ns2 [22] or parallel ns2 to build a simulated tracing test environment, simulating thousands of nodes under various network topologies and bandwidths. But simulation is better suited to modelling than to real worm spread: the simulation process is too idealised, does not truly reflect the operating system, and demands high-performance experimental hosts. Using physical hosts for large-scale worm tracing experiments is also infeasible. First, thousands of physical hosts cannot be guaranteed. Second, because worms are destructive, a large number of physical hosts cannot be quickly reused, and the management and configuration workload is huge.
In recent years, the development of virtual machine technology has promoted its application in network security research. Researchers have begun to conduct network worm detection and defence experiments using virtual machine technology [23, 24, 25]. One physical host can run a number of virtual machines, each with a real operating system installed and connected to the network; external visitors perceive no difference from a physical host apart from a small performance gap. Virtual machine technology can therefore be used to build a highly realistic, flexibly controlled, encapsulated and reusable virtual experimental environment. After optimising the virtual machine and the installed operating system, the performance requirements on the physical host can be reduced. Used optimally, virtual machine technology can simulate thousands of virtual operating system nodes on a few dozen physical hosts, revealing the propagation process of a network worm in the operating system and the network more clearly, and allowing further observation of the intruder's motivation, tools and methods.
UML [8] is a lightweight virtual machine system on Linux. It can run numerous instances on one physical host, with various versions of the Linux operating system. The virtual machine's operating system can be customised according to requirements, installing only the necessary system software and system services. It therefore has higher performance and occupies fewer resources on the physical host.
In the experimental environment, each host installs a UML system that runs a pre-customised client operating system image and serves in various experimental roles according to its pre-configuration. After the environment is launched, the several virtual machines on a physical host form a virtual local network (VN), connected via a UML virtual switch. Each physical host, acting as the gateway of its own local network, connects to the VNs on other hosts. Extending in this way, a basic multi-VN experimental environment can be set up.
Using UML virtual machine technology, we established an experimental environment of 1000 virtual nodes based on 25 PCs. The virtual clients run the Redhat Linux 6.1 operating system with BIND security holes; the physical hosts run Redhat Linux 9.0. Several virtual clients on a physical host form a VN, and virtual clients on different hosts communicate with each other through the gateway on each physical host.
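The abstract notes that ZE is rebuilt by script to keep reuse cheap. The following POSIX shell sketch is an added example, not the paper's own script, of how one physical host's VN can be (re)built from the pieces described above: one uml_switch per host, one UML instance per virtual client, and the host acting as the VN gateway. Everything not stated in the paper is an assumption made here: the image path /var/ze/root_fs_rh61, a copy-on-write overlay per node under /var/ze/work, the 10.<host>.0.0/24 address plan, and a guest init script that reads its address from custom ze_ip=/ze_gw= kernel parameters (the kernel passes unrecognised key=value arguments to init's environment). DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example of a ZE-style VN rebuild script (not the paper's code).
# Assumptions (not from the paper): one uml_switch per physical host,
# one COW overlay per node, 10.<host>.0.0/24 per VN, and a guest init
# that reads ze_ip= / ze_gw= from the kernel command line.
set -e

ROOTFS=${ROOTFS:-/var/ze/root_fs_rh61}   # pristine guest image (assumed path)
WORK=${WORK:-/var/ze/work}               # per-node copy-on-write overlays
DRY_RUN=${DRY_RUN:-1}                    # 1: print commands, 0: execute them

# Deterministic locally administered MAC for node i on host h.
node_mac()    { printf 'fe:fd:00:%02x:00:%02x' "$1" "$2"; }
# Node i of VN h lives at 10.h.0.(10+i); the host gateway is 10.h.0.1.
node_ip()     { printf '10.%d.0.%d' "$1" "$(( $2 + 10 ))"; }
gw_ip()       { printf '10.%d.0.1' "$1"; }
# Control socket of the uml_switch that forms VN h.
switch_sock() { printf '/tmp/ze-host%02d.ctl' "$1"; }

# Kernel command line that boots node i of host h onto the host's switch.
# ubd0=<cow>,<backing> keeps the pristine image read-only, so resetting an
# infected node is just a matter of deleting its overlay file.
uml_cmdline() {
  ch=$1; ci=$2
  printf 'linux umid=ze%02d-%02d mem=32M ubd0=%s/cow-%02d-%02d,%s eth0=daemon,%s,unix,%s ze_ip=%s ze_gw=%s con=null\n' \
    "$ch" "$ci" "$WORK" "$ch" "$ci" "$ROOTFS" \
    "$(node_mac "$ch" "$ci")" "$(switch_sock "$ch")" \
    "$(node_ip "$ch" "$ci")" "$(gw_ip "$ch")"
}

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Rebuild VN h with n nodes: discard all overlays, start the switch bridged
# to a host tap device, give the host the gateway address and enable
# forwarding so nodes in this VN can reach the other hosts' VNs.
rebuild_vn() {
  h=$1; n=$2
  run rm -rf "$WORK"
  run mkdir -p "$WORK"
  run uml_switch -daemon -unix "$(switch_sock "$h")" -tap "ze$h"
  run ip addr add "$(gw_ip "$h")/24" dev "ze$h"
  run ip link set "ze$h" up
  run sysctl -w net.ipv4.ip_forward=1
  i=0
  while [ "$i" -lt "$n" ]; do
    run sh -c "$(uml_cmdline "$h" "$i") &"
    i=$((i + 1))
  done
  echo "VN $h: $n nodes"
}

# Usage: sh ze_rebuild.sh rebuild <host-index> <nodes-per-host>
# (40 nodes per host gives the paper's 1000 nodes across 25 PCs.)
if [ "${1:-}" = "rebuild" ]; then
  rebuild_vn "${2:-1}" "${3:-40}"
fi
```

Because the guest image is never written to, the "destroy a victim and bring it back clean" cycle that makes physical hosts impractical collapses to deleting the overlay directory and re-running the script; the switch socket, MAC and address of every node are derived from its (host, index) pair, so the rebuilt VN is identical to the one that was torn down.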
A worm propagation outbreak source is launched manually in one of the twenty LANs, starting the Lion worm attack [9]; the tracing algorithm is then run, and its final result is analysed against the true infections. The continuously collected real-time network flows include not only worm flows but also pre-installed normal background flows.
We provide a systematic analysis of a large-scale worm propagation tracing experiment strategy based on virtual machine technology by setting up an experimental environment called zooecium (ZE). First, the framework of ZE is described. Then, the design and control of ZE are given. Finally, ZE is analysed through experiments. The experimental results show that ZE can trigger large-scale worm outbreaks within a human-controllable scope, observe the worm's propagation process, test detection and defence techniques, discover worm propagation characteristics such as the scanning method and the propagation process, collect network traffic and the propagation process in real time, investigate the network traffic, dynamically output the results, and launch an inference algorithm to reconstruct the worm's propagation path. The actual worm propagation process can then be captured and compared with the results of the tracing algorithm.
References
[1] E.H. Spafford. The Internet Worm Program: An Analysis. Technical Report CSD-TR-823, Department of Computer Science, Purdue University, 1988, pp. 1-29.
[2] Steve White. Open Problems in Computer Virus Research, 1998. URL: http://www.research.ibm.com/antivirus/SciPapers/White/Problems/Problems.html
[3] Bill Arnold, David Chess, John Morar, Alla Segal, Morton Swimmer. An Environment for Controlled Worm Replication and Analysis. Virus Bulletin, 2000.
[4] Jose Nazario, Jeremy Anderson, Rick Wash, Chris Connelly. The Future of Internet Worms. Presented at the Blackhat Briefings, Las Vegas, July 2001. URL: http://www.crimelabs.net/docs/worm.html
[5] Nicholas Weaver. Potential Strategies for High Speed Active Worms, 2002. URL: http://www.cs.berkeley.edu/~nweaver/worms.pdf
[6] S. Staniford, V. Paxson, N. Weaver. How to Own the Internet in Your Spare Time. 11th USENIX Security Symposium, San Francisco, August 2002. URL: http://www.icir.org/vern/papers/cdc-usenix-sec02/cdc.pdf
[7] C.C. Zou, W. Gong, D. Towsley. Code Red Worm Propagation Modeling and Analysis. In 9th ACM Symposium on Computer and Communication Security, Washington DC, 2002, pp. 138-147.
[8] David Moore, Colleen Shannon, Geoffrey Voelker, Stefan Savage. Internet Quarantine: Requirements for Containing Self-Propagating Code. Proceedings of the 2003 IEEE Infocom Conference, San Francisco, CA, April 2003. URL: http://www-cse.ucsd.edu/users/savage/papers/Infocom03.pdf
[9] F. Cohen. Computational Aspects of Computer Viruses. Computers & Security, 8(4), 1989, pp. 325-344.
[10] Zheng Hui. Research on Internet Worms. Ph.D. thesis, College of Information Technical Science, Nankai University, Tianjin, 2003.
[11] S.E. Schechter, M.D. Smith. Access For Sale: A New Class of Worm. In Proceedings of the 2003 ACM Workshop on Rapid Malcode, Washington DC, 2003, pp. 138-147.
[12] F. Cohen. Computer Viruses. Ph.D. thesis, University of Southern California, 1985.
[13] C.C. Zou, D. Towsley, W. Gong, S. Cai. Routing Worm: A Fast, Selective Attack Worm Based on IP Address Information. UMass ECE Technical Report TR-03-CSE-06, November 2003.
[14] G. Streftaris, G.J. Gibson. Statistical Inference for Stochastic Epidemic Models. Proceedings of the 17th International Workshop on Statistical Modelling, Chania, 2002, pp. 609-616.
[15] J.C. Frauenthal. Mathematical Modeling in Epidemiology. Springer-Verlag, New York, 1980.
[16] Y. Wang, C.X. Wang. Modeling the Effects of Timing Parameters on Virus Propagation. In ACM CCS Workshop on Rapid Malcode (WORM'03), Washington DC, October 27, 2003.
[17] J. Dike. User Mode Linux [EB/OL]. http://user-mode-linux.sourceforge.net
[18] Linux Lion worm [EB/OL]. http://www.whitehats.com/library/worms/lion/, 2001.
[19] M. Kienzle, M.C. Elder. Recent Worms: A Survey and Trends. In WORM'03: Proceedings of the 2003 ACM Workshop on Rapid Malcode, New York, NY, USA, 2003, pp. 1-10. ACM Press.
[20] M. Abu Rajab, F. Monrose, A. Terzis. Worm Evolution Tracking via Timing Analysis. In Proceedings of the 2005 ACM Workshop on Rapid Malcode (WORM'05), Fairfax, VA, USA, November 11, 2005. ACM Press, New York, NY, pp. 52-59.
[21] Yinglian Xie, Vyas Sekar, David A. Maltz, Michael K. Reiter, Hui Zhang. Worm Origin Identification Using Random Moonwalks. In Proceedings of the IEEE Symposium on Security and Privacy, May 2005, pp. 242-256.
[22] The Network Simulator ns-2. http://www.isi.edu/nsnam/ns/, 2004.
[23] X. Jiang, D. Xu, H.J. Wang, E.H. Spafford. Virtual Playgrounds for Worm Behavior Investigation. Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID 2005), Seattle, WA, September 2005.
[24] Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage. Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm. Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), Brighton, UK, October 2005.
[25] Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch. SubVirt: Implementing Malware with Virtual Machines. Proceedings of the 2006 IEEE Symposium on Security and Privacy, May 2006.