Scanning Worm Detection Algorithm Using Network Traffic Analysis

Korean title: Scanning Worm Detection Technique Based on Analysis of Network Traffic Characteristics

  • Published : 2008.12.15

Abstract

Scanning worms increase network traffic load and cause severe network congestion because they self-replicate and send copies of themselves to a large number of hosts across the Internet. An early-detection system that automatically detects scanning worms is therefore needed to protect the network from such attacks. Although many studies have addressed scanning-worm detection, most focus on methods that rely on packet header information. Such methods have a long detection delay because they must examine the header of every packet entering or leaving the network. We therefore propose an algorithm that detects scanning worms from network traffic characteristics: the variance of the traffic volume, the differentiated (first-difference) traffic volume, the mean of the differentiated traffic volume, and the product of the mean traffic volume and the mean of the differentiated traffic volume. We verified the proposed algorithm on normal traffic captured from a real network and on worm traffic generated by a simulator. The proposed algorithm detects Code Red and Slammer, which the existing algorithm does not detect. In addition, all worms were detected at an early stage of the outbreak: Slammer within 4 seconds, and Code Red and Witty within 11 seconds.

Abstract (translated from the Korean): A scanning worm replicates itself and spreads over a very wide range through the network in a short time, so it increases network load and causes severe network congestion. Many studies therefore aim to detect scanning worms in real time, but most concentrate on methods that use packet header information; these methods are inefficient and slow to detect because they must inspect every packet on the network. This paper therefore proposes a technique that detects scanning worms through the variance of the network traffic volume, the derivative of the traffic volume, the mean derivative of the traffic volume, and the product of the mean derivative of the traffic volume and the mean traffic volume. Performance analysis on normal traffic measured in a real network and on worm traffic generated by a simulator shows that the proposed technique detects Code Red and Slammer, which existing detection techniques fail to detect. Measured detection speed shows that all worms were detected at the beginning of the outbreak: Slammer was detected 4 seconds after onset, and Code Red and Witty 11 seconds after onset.
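The abstract names the four volume statistics but not the window length, the thresholds or the decision rule, so the following is an added illustration, not the paper's code: it builds a constructed per-second traffic series (stationary background plus an exponentially growing worm component starting at an assumed onset), computes the variance, the differentiated volume, its mean and the product of mean volume and mean difference over a sliding window, and alarms when the product exceeds a threshold calibrated on a worm-free training segment. The window size, the growth rate, the k-sigma calibration and the "two consecutive windows" rule are all assumptions made for this example.

```python
"""Scanning-worm detector driven by traffic-volume statistics.

Added illustration only. The paper's abstract lists the features (variance of
the traffic volume, its first difference, the mean of that difference, and the
product of mean volume and mean difference); the calibration scheme, the alarm
rule and the synthetic traffic below are assumptions made for this example.
"""
import random
from statistics import fmean, pstdev, pvariance
from typing import Dict, List, Optional


def synthetic_traffic(seconds: int = 120, worm_start: int = 60,
                      seed: int = 7) -> List[float]:
    """Constructed per-second traffic volume (packets/s), not a real capture.

    Background traffic is stationary noise around 1000 packets/s. From
    worm_start on, scan traffic grows exponentially (assumed 25% per second),
    i.e. the early phase of an epidemic propagation curve.
    """
    rng = random.Random(seed)
    series = []
    for t in range(seconds):
        background = 1000.0 + rng.gauss(0.0, 50.0)
        worm = 5.0 * 1.25 ** (t - worm_start) if t >= worm_start else 0.0
        series.append(background + worm)
    return series


def window_features(volume: List[float], window: int = 10) -> List[Dict[str, float]]:
    """Features over a sliding window of `window` samples ending at second t."""
    feats = []
    for t in range(window - 1, len(volume)):
        win = volume[t - window + 1:t + 1]
        diffs = [b - a for a, b in zip(win, win[1:])]   # differentiated volume
        mean_vol = fmean(win)
        mean_diff = fmean(diffs)
        feats.append({
            "t": t,
            "variance": pvariance(win),       # variance of traffic volume
            "diff": diffs[-1],                # latest differentiated volume
            "mean_diff": mean_diff,           # mean of differentiated volume
            "product": mean_vol * mean_diff,  # mean volume x mean difference
        })
    return feats


def detect(volume: List[float], window: int = 10, train_seconds: int = 60,
           k: float = 6.0, consecutive: int = 2) -> Optional[int]:
    """Return the second at which the alarm fires, or None if it never does.

    The first train_seconds are assumed worm-free and used to calibrate a
    mean + k*stddev threshold on the product feature. Requiring `consecutive`
    windows above threshold suppresses single-sample spikes; note that
    overlapping windows make neighbouring values correlated, so this buys
    less independence than it looks like.
    """
    feats = window_features(volume, window)
    train = [f["product"] for f in feats if f["t"] < train_seconds]
    if len(train) < 2:
        raise ValueError("training segment too short for the window size")
    threshold = fmean(train) + k * pstdev(train)
    run = 0
    for f in feats:
        if f["t"] < train_seconds:
            continue
        run = run + 1 if f["product"] > threshold else 0
        if run >= consecutive:
            return f["t"]
    return None


if __name__ == "__main__":
    trace = synthetic_traffic()
    print("alarm at t =", detect(trace))
```

The product is the feature alarmed on because a spreading worm raises both the level and the slope of the volume at once, whereas background noise makes the mean difference hover around zero; the variance and raw difference are computed alongside so the same loop can be extended to threshold on them as well. Calibrating on live traffic that already contains scan activity would raise the threshold and delay detection, so the training segment must be known-clean.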
