Research on Automatic Detection Techniques for Polymorphic Worms (多态蠕虫自动检测技术研究)
Abstract
As the Internet spreads and deepens its reach, network worms pose an ever-growing threat to computer system and network security; in particular, the diversified propagation paths of network worms and the complexity of their application environments have caused worm outbreaks to surge in frequency. Moreover, as computer technology has developed, the combination of network worms with Trojan and virus techniques has made worms more stealthy, harder to detect and remove, and more damaging. Countering the threat of network worms has become an extremely urgent task.
Many research institutions around the world have done a great deal of work on worm detection and prevention and have made important progress. However, the most effective worm detection mechanism at present is still signature matching, which lags in time, and signatures are mostly extracted by hand, which is time-consuming and laborious. How to extract network worm signatures automatically, and how to discover and block worms early, has therefore become the topic of greatest concern in the computer network security community.
On the basis of analysing and validating the current network worm detection methods, this thesis summarises four kinds of worm features: scanning behaviour, self-replication, distributed spread, and large-scale outbreak. It proposes a multi-dimensional worm feature extraction scheme and, taking these multi-dimensional features as the basis and exploiting the self-learning and self-training properties of neural networks, uses the classical BP (back-propagation) neural network model to build an intelligent worm detection system that can automatically identify unknown worms and efficiently detect known ones.
First, the system is built on virtual honeypot technology: a virtual honeypot system is designed that supports both client-side and server-side honeypots. With the support of virtualisation, multiple logical network segments are constructed within a single physical segment, providing a distributed network environment for worm detection. Worm signatures are then extracted using fine-grained time-domain and frequency-domain scanning-signature extraction, similarity-matching-based replication feature extraction, distribution feature extraction based on statistics of network byte streams, and scale feature extraction based on a layered overlay model. Finally, to ensure the security and effectiveness of data communication between the system's modules, the system implements a secure, confidential communication mechanism on top of open-source SSL via a custom communication protocol.
Lastly, the system is evaluated in terms of performance and functionality, and the shortcomings of this research are summarised.
Abstract (author's English version)
As the Internet becomes ever more widespread, network worms threaten the security of computer systems and networks more and more seriously. In particular, the diversification of worm transmission routes and the complexity of application environments have caused the outbreak frequency of network worms to surge. Moreover, with the development of computer technology, worms increasingly combine with Trojan horse and virus techniques, which makes them more latent, harder to eradicate and more costly. Confronting the threat of network worms is therefore an urgent task.
Many research institutions worldwide have studied worm detection and prevention and made important progress. At present, however, the most effective worm detection method is still signature matching; it has an inherent time lag and depends heavily on manual work, so it is time-consuming and labour-intensive. This forces the network security field to focus on how to extract worm signatures automatically, and then to discover and block network worms before they damage the network.
On the basis of extensive analysis and validation of current worm detection technologies, we identified the most important features of network worms: network scanning, self-reproduction, distribution across the network, and large-scale outbreak. On this basis we proposed a multi-dimensional feature extraction mechanism for worm features. Since a BP neural network can learn and train itself automatically, we used the classical BP neural network model to design an intelligent system that identifies unknown worms automatically and detects known worms effectively.
First, with the support of virtual honeypot technology, we designed a virtual honeypot system that supports both client-side and server-side honeypots. We then built a distributed virtual network environment using virtualization technologies, and extracted worm features with the following techniques: scanning features based on time-domain and frequency-domain analysis, self-reproduction features based on similarity matching, network behaviour features based on analysis of network byte streams, and the large-scale outbreak feature based on a layered overlay model. Finally, to ensure the security and effectiveness of data communication between modules, we adapted the open-source SSL protocol to our own communication protocol to achieve a secure and confidential system communication mechanism.
At the end of the thesis we assess the system's performance and functionality, summarize the shortcomings of this study and outline future work.
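To make the multi-dimensional feature idea concrete, the following Python script computes three of the four feature dimensions the abstract names (scanning behaviour in the time and frequency domains, self-reproduction via payload similarity, and a byte-stream distribution statistic) over a handful of flow records. It is an added example, not code from the thesis: the flow records are constructed, the feature definitions (distinct destinations per one-second window, DC energy fraction of that series from a naive DFT, Jaccard similarity of byte 3-gram sets between consecutive payloads, Shannon entropy of the byte histogram) are assumptions about how such features could be computed, and the fixed-threshold rule only stands in for the BP neural network the thesis trains on such vectors. The outbreak-scale feature (layered overlay model) is not modelled.

```python
"""Multi-dimensional worm feature extraction over constructed flow records.

Added illustration: the feature definitions and the threshold rule are
assumptions made here, not the thesis's algorithms.
"""
import math
from collections import Counter

# Constructed flow records: (time_s, src_ip, dst_ip, dst_port, payload).
# 10.0.0.5 behaves like a scanning worm: two new hosts every second on one
# port, always sending the same payload. 10.0.0.9 is ordinary client traffic.
WORM_PAYLOAD = b"CONSTRUCTED-WORM-PAYLOAD " + b"A" * 40
FLOWS = [
    (float(t), "10.0.0.5", f"10.0.1.{2 * t + k}", 445, WORM_PAYLOAD)
    for t in range(16) for k in (1, 2)
]
FLOWS += [
    (0.0, "10.0.0.9", "198.51.100.7", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (4.2, "10.0.0.9", "198.51.100.7", 443,
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    (9.7, "10.0.0.9", "10.0.1.3", 445, b"\xffSMBr\x00\x00\x00\x00\x18S\xc8"),
]


def fanout_series(flows, src, window=1.0):
    """Time-domain scan feature: distinct destinations contacted per window,
    on a time base shared by all sources so the series are comparable."""
    t0 = min(f[0] for f in flows)
    n = int((max(f[0] for f in flows) - t0) // window) + 1
    buckets = [set() for _ in range(n)]
    for t, s, dst, _port, _payload in flows:
        if s == src:
            buckets[int((t - t0) // window)].add(dst)
    return [len(b) for b in buckets]


def dc_energy_fraction(series):
    """Frequency-domain scan feature (assumed definition): share of spectral
    energy in the DC bin of a naive DFT. A scanner emitting at a steady rate
    concentrates energy at DC; bursty interactive traffic spreads it out."""
    n = len(series)
    energy = []
    for k in range(n):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(series))
        im = -sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(series))
        energy.append(re * re + im * im)
    total = sum(energy)
    return energy[0] / total if total else 0.0


def ngrams(data, n=3):
    """Set of byte n-grams of a payload."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def payload_similarity(flows, src, n=3):
    """Self-reproduction feature (assumed definition): mean Jaccard similarity
    of byte n-gram sets between consecutive payloads sent by one source."""
    payloads = [f[4] for f in flows if f[1] == src]
    if len(payloads) < 2:
        return 0.0
    sims = []
    for a, b in zip(payloads, payloads[1:]):
        ga, gb = ngrams(a, n), ngrams(b, n)
        union = ga | gb
        sims.append(len(ga & gb) / len(union) if union else 0.0)
    return sum(sims) / len(sims)


def byte_entropy(flows, src):
    """Byte-stream distribution feature (assumed definition): Shannon entropy
    in bits of the byte-value histogram over everything the source sent."""
    data = b"".join(f[4] for f in flows if f[1] == src)
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def feature_vector(flows, src):
    """The multi-dimensional feature vector for one source address."""
    series = fanout_series(flows, src)
    return {
        "scan_rate": sum(series) / len(series),
        "scan_regularity": dc_energy_fraction(series),
        "self_similarity": payload_similarity(flows, src),
        "byte_entropy": byte_entropy(flows, src),
    }


def is_suspected_worm(fv, rate_thr=1.0, reg_thr=0.8, sim_thr=0.8):
    """Fixed thresholds standing in for the thesis's BP-network classifier,
    which would instead be trained on vectors like these (assumption)."""
    return (fv["scan_rate"] >= rate_thr and fv["scan_regularity"] >= reg_thr
            and fv["self_similarity"] >= sim_thr)


if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.9"):
        fv = feature_vector(FLOWS, src)
        print(src, {k: round(v, 3) for k, v in fv.items()}, "worm?", is_suspected_worm(fv))
```

Run as a script it prints one feature vector per source: the scanning source scores a steady two new destinations per second (scan_regularity close to 1.0) with identical payloads (self_similarity 1.0), while the client source is bursty and sends unrelated payloads. In a deployment the vectors, not the thresholds, are the useful output: they are what a trained classifier such as the thesis's BP network would consume, and the window size and n-gram length are the knobs that trade sensitivity against false positives.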