Research on Early Detection and Protection Algorithms for Network Worms (网络蠕虫的早期检测和防护算法研究)
Abstract
As computer networks have grown rapidly in scale, network worm attacks have become a major threat to network security. Each new generation of worms spreads faster and does more damage, so detecting a worm early is both the precondition for defending against it and the main technical difficulty. Traditional intrusion detection systems based on signature matching can no longer keep up with worm detection and defense; effective methods for detecting and suppressing worm propagation have to start from the propagation characteristics of worms themselves. This thesis studies early detection and protection algorithms for network worms, with the aim of countering worms as early as possible and limiting the damage they do to the network.
     First, most current worms flood the network with ICMP type 3 (destination unreachable, ICMP-T3) and TCP RST packets while scanning and propagating. By analyzing these two packet classes, the thesis proposes an efficient early worm detection algorithm. The algorithm captures and analyzes only RST and ICMP-T3 packets rather than all network traffic, which improves analysis efficiency and real-time responsiveness. Analysis of the propagation process also shows that worm propagation exhibits a DS transition characteristic that manual scans do not, which allows the addresses of infected hosts to be identified more precisely.
     Second, against the attack methods used by current network worms, the thesis proposes a host protection model based on resource operation domains. The model starts from system resources and is built around controlling process behavior: it establishes a minimal set of processes authorized to access each system resource, together with the operations they may perform, which makes protection fundamentally more proactive and improves resistance to unknown worm attacks.
     Third, based on the proposed early detection algorithm, the thesis designs and implements an early worm detection system, LEDW. The system has a distributed architecture, runs on Linux, is written in C++ using the libpcap library, and stores the collected data in MySQL. Running it in a real network environment and detecting the Mocbot worm (Worm_Mocbot.A) shows that the system performs early worm detection with good real-time response.
     Finally, the thesis points out the work that remains to be done and potential directions for future research.
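The detection algorithm described above, as an added example that is not the thesis's LEDW code: it consumes only decoded RST and ICMP-T3 packets, flags a host as a scanner when its failed probes reach too many distinct targets inside a sliding window, and then applies a DS-transition test to separate worm victims from manual scans. The page does not expand "DS"; the example assumes it means destination-to-source, i.e. a host that first appears as the target of an already-flagged scanner and later begins scanning itself is reported as a worm victim, while a scanner that nobody probed first is reported as a plain scan. The window, threshold, field names and the packet trace are all constructed for the example.

```python
"""Early worm detection from TCP RST / ICMP type-3 backscatter (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FailureReply:
    """One RST or ICMP-T3 packet, already decoded by the capture layer.

    src   : sender of the reply, the probed host (RST) or a router (ICMP-T3)
    dst   : receiver of the reply, i.e. the host whose probe failed
    probed: address the failed probe was aimed at; for ICMP-T3 this is read from
            the inner IP header quoted in the ICMP payload, not from src
    """
    ts: float
    kind: str
    src: str
    dst: str
    probed: str


class EarlyWormDetector:
    """Flags scanners from backscatter and separates worm victims from manual scans.

    window and threshold are assumed tuning parameters, not values from the thesis.
    """

    def __init__(self, window: float = 10.0, threshold: int = 8) -> None:
        self.window = window
        self.threshold = threshold
        # scanner -> recent (ts, probed) pairs that are still inside the window
        self._fails: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        # target -> {scanner that probed it: time of the first failed probe}
        self._scanned_by: Dict[str, Dict[str, float]] = defaultdict(dict)
        # host -> time it first crossed the scanner threshold
        self.scan_start: Dict[str, float] = {}

    def observe(self, r: FailureReply) -> Optional[str]:
        """Feed one packet; returns the host if it has just been flagged as a scanner."""
        if r.kind not in ("RST", "ICMP-T3"):
            raise ValueError("detector consumes only RST and ICMP-T3 packets")
        # The receiver of a failure reply is the host that sent the probe.
        scanner, target = r.dst, r.probed
        self._scanned_by[target].setdefault(scanner, r.ts)
        hist = self._fails[scanner]
        hist.append((r.ts, target))
        while hist and hist[0][0] < r.ts - self.window:
            hist.popleft()
        distinct_targets = {t for _, t in hist}
        if len(distinct_targets) >= self.threshold and scanner not in self.scan_start:
            self.scan_start[scanner] = r.ts
            return scanner
        return None

    def classify(self) -> Dict[str, str]:
        """'worm' if the scanner was probed by an earlier scanner (DS transition), else 'scan'."""
        verdicts: Dict[str, str] = {}
        for host, t_scan in self.scan_start.items():
            verdicts[host] = "scan"
            for upstream, t_probe in self._scanned_by.get(host, {}).items():
                t_up = self.scan_start.get(upstream)
                if t_up is not None and t_up < t_scan and t_probe < t_scan:
                    verdicts[host] = "worm"
                    break
        return verdicts


def sample_capture() -> List[FailureReply]:
    """Constructed backscatter: a manual scanner, a worm source, and the host it infects."""
    pkts: List[FailureReply] = []
    # Manual port scan from 10.0.0.9: many RSTs come back, but nobody probed 10.0.0.9 first.
    for i in range(10):
        host = f"10.0.1.{i + 1}"
        pkts.append(FailureReply(1.0 + i * 0.1, "RST", host, "10.0.0.9", host))
    # Worm source 10.0.0.2 sweeps 10.0.2.0/24: closed ports answer RST, and for
    # unused addresses the router 10.0.2.1 returns ICMP-T3 quoting the probed address.
    for i in range(12):
        kind = "RST" if i % 2 == 0 else "ICMP-T3"
        host = f"10.0.2.{i + 10}"
        pkts.append(FailureReply(5.0 + i * 0.2, kind, host if kind == "RST" else "10.0.2.1",
                                 "10.0.0.2", host))
    # One worm probe hits 10.0.2.50 on a closed port (RST); the probe on the vulnerable
    # port succeeds silently and leaves no backscatter, then 10.0.2.50 starts scanning.
    pkts.append(FailureReply(7.5, "RST", "10.0.2.50", "10.0.0.2", "10.0.2.50"))
    for i in range(10):
        host = f"10.0.3.{i + 1}"
        pkts.append(FailureReply(12.0 + i * 0.1, "RST", host, "10.0.2.50", host))
    return pkts


def run_detector(pkts: List[FailureReply]) -> Dict[str, str]:
    det = EarlyWormDetector()
    for p in sorted(pkts, key=lambda p: p.ts):
        det.observe(p)
    return det.classify()


if __name__ == "__main__":
    print(run_detector(sample_capture()))
```

With libpcap the same restriction to the two packet classes is made at capture time with a BPF filter such as `tcp[tcpflags] & tcp-rst != 0 or icmp[icmptype] = icmp-unreach` (an assumption about how a sensor would be configured, not a quote from the thesis). Two caveats follow from the classification rule: the first infected host a sensor sees has no observed upstream scanner and is reported as "scan" (it is still flagged, just not attributed to a worm), and a worm whose every probe succeeds produces no RST or ICMP-T3 backscatter at all, so the approach relies on worms probing closed ports and unused addresses.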