Research on Worm Detection and Control Techniques for Local Area Networks (局域网蠕虫检测和控制技术研究)
Abstract

In recent years, as Internet use has deepened, network worms have become an increasingly serious threat to computer system and network security: worms spread ever faster and the damage they cause keeps growing. Traditional signature-based worm detection depends on obtaining a worm's signature in advance and therefore cannot detect unknown worms; existing behaviour-based methods can detect unknown worms, but face a trade-off between detection time and false-positive rate. On the containment side, suspicious worm traffic is usually simply blocked, which harms legitimate traffic as well.

To address these problems, a staged LAN worm detection and control system is proposed that uses the behavioural features a worm exhibits at different stages of propagation to inspect and control the egress traffic of each LAN segment, with the aim of keeping worms from spreading out of the LAN. Scan-behaviour detection computes the rate at which a host initiates new outbound connections, so that hosts scanning within a segment are found promptly; content-based detection then analyses the traffic of those scanning hosts, searching the TCP streams they initiate for repeated payload content, and so identifies the hosts that are actually worm-infected. Hosts with different behavioural profiles receive different control policies: for a host that is scanning, a rate-limiting mechanism delays its suspicious connection requests, which effectively suppresses worm propagation while avoiding a negative impact on legitimate traffic; for a host confirmed as infected, blocking is applied and packets carrying the worm signature are dropped, stopping the worm's spread completely.
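The scan-behaviour stage and its rate-limiting control, as an added example in Python that is not code from the thesis (which implemented this logic inside Netfilter hook functions in the Linux 2.4.x kernel). It counts, per source host, connections to destinations that host has not contacted before within a sliding window; a host exceeding the threshold is classed as scanning, and its further new-destination SYNs are assigned a release time at a fixed interval instead of being dropped, so repeat contacts and the unflagged workstation pass untouched. The window, threshold, release interval, host addresses and the connection list are all assumptions constructed for the demonstration:

```python
"""Stage one of the scheme: detect scanning hosts from their rate of *new*
outbound connections, then delay (rate-limit) rather than drop the suspicious
connection requests of a host once it is flagged.

Added illustration in pure Python, not the thesis's code (the thesis did this
in Netfilter hooks in the Linux 2.4 kernel). Window, threshold, release
interval and the sample hosts/addresses below are assumptions for the demo.
"""
from collections import defaultdict, deque

WINDOW_S = 1.0            # sliding window for the new-connection rate (assumption)
SCAN_THRESHOLD = 5        # more than this many new destinations per window => scanning (assumption)
RELEASE_INTERVAL_S = 0.5  # a flagged host gets one new-destination SYN released per 0.5 s (assumption)


class ScanRateLimiter:
    def __init__(self, window=WINDOW_S, threshold=SCAN_THRESHOLD, interval=RELEASE_INTERVAL_S):
        self.window, self.threshold, self.interval = window, threshold, interval
        self.contacted = defaultdict(set)     # src -> (dst_ip, dport) pairs already contacted
        self.new_times = defaultdict(deque)   # src -> timestamps of recent new connections
        self.scanning = set()                 # hosts currently classified as scanning
        self.next_release = {}                # src -> earliest time its next new SYN may leave

    def handle_syn(self, t, src, dst):
        """Decide the fate of an outbound SYN. Returns ('ACCEPT'|'DELAY', release_time)."""
        if dst in self.contacted[src]:
            return "ACCEPT", t                # repeat contact: not a new connection, never throttled
        self.contacted[src].add(dst)
        times = self.new_times[src]
        times.append(t)
        while times and times[0] <= t - self.window:   # forget new connections older than the window
            times.popleft()
        if len(times) > self.threshold:
            self.scanning.add(src)
        if src not in self.scanning:
            return "ACCEPT", t
        # Rate limiting: queue the SYN and release it at the fixed interval instead of dropping it.
        release = max(t, self.next_release.get(src, t))
        self.next_release[src] = release + self.interval
        return ("DELAY" if release > t else "ACCEPT"), release


def run(events, limiter=None):
    """Feed (t, src, dst) SYNs in time order; return per-event verdicts and the flagged hosts."""
    limiter = limiter or ScanRateLimiter()
    verdicts = [(t, src, dst) + limiter.handle_syn(t, src, dst) for t, src, dst in sorted(events)]
    return verdicts, limiter.scanning


# Constructed sample: one workstation browsing a few servers (with one repeat contact), and one
# host sweeping 10.0.1.0/24 on TCP/135 every 50 ms, the footprint of a scanning worm.
LEGIT = "10.0.0.5"
WORM = "10.0.0.9"
SAMPLE_SYNS = [
    (0.00, LEGIT, ("198.51.100.1", 80)),
    (0.30, LEGIT, ("198.51.100.2", 443)),
    (0.60, LEGIT, ("198.51.100.1", 80)),   # repeat: an existing connection, not a new one
    (0.90, LEGIT, ("198.51.100.3", 80)),
] + [(round(0.05 * i, 2), WORM, (f"10.0.1.{i + 1}", 135)) for i in range(10)]

if __name__ == "__main__":
    verdicts, scanning = run(SAMPLE_SYNS)
    for t, src, dst, verdict, release in verdicts:
        print(f"t={t:4.2f} {src} -> {dst[0]}:{dst[1]} {verdict:6s} release={release:4.2f}")
    print("scanning hosts:", sorted(scanning))
```

Delaying rather than dropping is what keeps the cost of a misclassification low: a legitimate host that trips the threshold still completes every connection, only more slowly, while a worm that depends on hundreds of fresh targets per second is held to two. Because only connections to previously unseen destinations are counted, a busy host talking to a fixed set of servers never accumulates a count at all.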
Scan-behaviour detection and the rate-limiting and blocking controls are implemented on the Netfilter firewall framework of the Linux 2.4.x kernel: hook functions loaded into the kernel intercept packets, and suspicious packets are handled with different degrees of severity according to the applicable control policy. Content-based detection uses Libpcap at the link layer to capture the suspicious hosts' packets, tracks TCP state to build a connection table, reassembles the packets into streams, and extracts the worm signature as the longest common substring across several streams, found with a suffix tree. Experiments show that the system detects network worms promptly, effectively impedes their propagation from the LAN outward, and has very little impact on normal user traffic.
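The content-based stage and the blocking control, as an added Python example rather than the thesis's implementation: the thesis captured the flagged host's packets with Libpcap, tracked TCP state in a connection table to reassemble streams, and found the longest common substring of several streams with a suffix tree. Here the capture is a constructed list of TCP segments (delivered out of order, with one retransmission), reassembly keys on the 4-tuple and orders by sequence number, and the suffix tree is replaced by a binary search on length over the intersection of each stream's L-byte substrings, which returns the same longest common substring. Host addresses, ports, sequence numbers and the payload bytes are all invented for the demonstration:

```python
"""Stage two of the scheme: content-based confirmation of a suspicious host.
Reassemble the TCP streams it initiated, extract the longest byte string common
to all of them as the candidate worm signature, and then drop any packet whose
payload carries that signature (the blocking control for a confirmed infection).

Added example, not the thesis's code. The thesis used Libpcap, a TCP connection
table and a suffix tree; here a constructed segment list stands in for the
capture and a binary search over common L-byte substrings stands in for the
suffix tree (same result, different algorithm). All bytes below are invented.
"""
from collections import defaultdict


def reassemble(segments):
    """Group (src, sport, dst, dport, seq, payload) segments into flows and join each
    flow's payload in sequence order. Tolerates out-of-order delivery and exact
    retransmissions (same seq, same bytes); overlapping partial retransmissions and
    sequence-number wraparound are out of scope for this demo. Returns {flow: bytes}."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in segments:
        flows[(src, sport, dst, dport)].setdefault(seq, payload)   # keep first copy of a seq
    return {k: b"".join(v[seq] for seq in sorted(v)) for k, v in flows.items()}


def _common_substrings(streams, length):
    """Set of length-byte substrings present in every stream (empty if none)."""
    common = None
    for s in streams:
        grams = {s[i:i + length] for i in range(len(s) - length + 1)}
        common = grams if common is None else common & grams
        if not common:
            return set()
    return common


def longest_common_substring(streams, min_len=1):
    """Longest byte string present in every stream. Binary search on the length:
    if a common substring of length L exists, one of every shorter length does too."""
    lo, hi = 0, min(len(s) for s in streams)
    best = b""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        found = _common_substrings(streams, mid)
        if found:
            best, lo = min(found), mid          # min() makes ties deterministic
        else:
            hi = mid - 1
    return best if len(best) >= min_len else b""


def extract_signature(segments, min_len=16):
    """Signature for the flows of one suspicious host; too-short matches are rejected
    because short shared content (a protocol preamble) is not evidence of a worm."""
    return longest_common_substring(list(reassemble(segments).values()), min_len)


def packet_verdict(payload, signature):
    """Blocking control for a confirmed infected host: drop payloads carrying the signature."""
    return "DROP" if signature and signature in payload else "ACCEPT"


# Constructed sample: three flows from one host to three targets on TCP/135. Per-target
# header and trailer bytes differ; the body in between is identical, as an exploit
# stream replayed against each victim would be. The bytes are invented.
SUSPECT = "10.0.0.9"
COMMON = b"\x90" * 16 + b"<constructed-worm-body>"


def _payload(dst_ip):
    octets = [int(o) for o in dst_ip.split(".")]
    return b"HDR" + bytes(octets) + COMMON + bytes([octets[-1]])


P1, P2, P3 = (_payload(f"10.0.1.{i}") for i in (1, 2, 3))
SAMPLE_SEGMENTS = [   # (src, sport, dst, dport, seq, payload); capture order deliberately scrambled
    (SUSPECT, 1025, "10.0.1.1", 135, 1020, P1[20:]),
    (SUSPECT, 1026, "10.0.1.2", 135, 5000, P2),
    (SUSPECT, 1025, "10.0.1.1", 135, 1000, P1[:20]),
    (SUSPECT, 1027, "10.0.1.3", 135, 7010, P3[10:30]),
    (SUSPECT, 1025, "10.0.1.1", 135, 1000, P1[:20]),   # retransmission of the first segment
    (SUSPECT, 1027, "10.0.1.3", 135, 7000, P3[:10]),
    (SUSPECT, 1027, "10.0.1.3", 135, 7030, P3[30:]),
]

if __name__ == "__main__":
    for flow, data in reassemble(SAMPLE_SEGMENTS).items():
        print(flow, len(data), "bytes")
    sig = extract_signature(SAMPLE_SEGMENTS)
    print("signature:", sig)
    print("worm packet:", packet_verdict(P2, sig), " web request:",
          packet_verdict(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n", sig))
```

The min_len floor matters in practice: the longest content shared by a host's flows can be a benign protocol constant such as a fixed request line, so a short common substring is not accepted as a signature, and the search is only run over flows of hosts the scan stage has already flagged. The set-intersection search costs O(n log n) substring extractions per stream; a generalized suffix tree, the route the thesis takes, finds the same longest common substring in linear time.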