정보처리학회논문지C (The KIPS Transactions:PartC)

한국정보처리학회 (Korea Information Processing Society)
권호 표지
DOI QR코드

DOI QR Code

연결설정 지연 단축을 위한 바이러스 쓰로틀링의 가변 비율 제한기

Variable Rate Limiter in Virus Throttling for Reducing Connection Delay

  • 발행 : 2006.10.30
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

연결요청(connection request) 패킷의 전송비율을 일정 비율 이하로 제한함으로써 월 발생을 탐지하는 바이러스 쓰로틀링(virus throttling)은 대표적인 웜 조기 탐지 기술 중의 하나이다. 기존 바이러스 쓰로틀링은 비율 제한기의 주기를 고정시키고 지연 큐 길이를 감시하여 웜 발생 여부를 판단한다. 본 논문에서는 가중치 평균 지연 큐 길이를 적용하여 비율 제한기의 주기를 자율적으로 조절하는 알고리즘을 제안하고, 가중치 평균 지연 큐 길이에 따른 다양한 주기결정 기법을 제시한다. 실험결과 제안 알고리즘은 웜 탐지시간에는 크게 영향을 미치지 않으면서도 연결설정 지연시간을 단축하여 사용자가 느끼는 불편함을 줄여 줄 수 있음을 확인하였다.

Virus throttling technique, one of many early worm detection techniques, detects the Internet worm propagation by limiting the connect requests within a certain ratio. The typical virus throttling detects worm occurrence by monitoring the length of delay queue with the fixed period of rate limiter. In this paper, we propose an algorithm that controls the period of rate limiter autonomically by utilizing the weighted average delay queue length and suggest various period determination policies that use the weighted average delay queue length as an input parameter. Through deep experiments, it is verified that the proposed technique is able to lessen inconvenience of users by reducing the connection delay time with haying just little effect on worm detection time.

키워드

참고문헌

  1. CERT, 'CERT Advisory CA-2001-26 Nimda Worm, Sept. 2001. http://www.cert.org/advisories/CA-2001-26. html
  2. CERT Advisory CA-2003-04: 'MS-SQL Server Worm,' Jan., 2003. http://www.cert.org/advisories/CA-2003-04.html
  3. CERT, 'CERT Advisory CA-2001-08 Code Red Worm Exploiting Buffer Overflow in IIS Indexing Service DLL,' July, 2001. http://www.cert.org/incident_notes/IN-2001-08.html
  4. CERT Advisory CA-2001-09: 'Code Red II: Another Worm Exploiting Buffer Overflow,' IIS Indexing Service DLL, Aug. 2001. http://www.cert.org/ incident_notes/IN-2001-09.html
  5. CERT, 'CERT Advisory CA-2000-04 Love Letter Worm, May 2002. http://www.cert.org/advisories/CA2000-04.html
  6. S. Sidiroglou and A. D. Keromytis, 'A Network Worm Vaccine Architecture,' Proc. of the IEEE Workshop on Enterprise Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security, pp.220-225, June, 2003
  7. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, 'Inside the Slammer worm,' IEEE Security and Privacy, Vol.1, pp.33-39, July, 2003 https://doi.org/10.1109/MSECP.2003.1219056
  8. Matthew M. Williamson, 'Throttling Viruses: Restricting propagation to defeat malicious mobile code,' Proc. of the 18th Annual Computer Security Applications Conference; Dec., 2002 https://doi.org/10.1109/CSAC.2002.1176279
  9. J. Twycross and M. M. Williamson, 'Implementing and testing a virus throttle,' Proc. of the 12th USENIX Security Symposium, pp.285-294, Aug., 2003
  10. X. Qin, D. Dagon, G. Gu, and W. Lee, 'Worm detection using local networks,' Technical report, College of Computing, Georgia Tech., Feb., 2004
  11. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, 'Fast port-scan detection using sequential hypothesis testing,' Proc. of the IEEE Symposium on Security and Privacy, May, 2004 https://doi.org/10.1109/SECPRI.2004.1301325
  12. J. Jung, S. E. Schechter, and A. W. Berger, 'Fast Detection of Scanning Worm Infections,' Proc. of 7th International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, French Riviera, France. Sept., 2004
  13. C. C. Zou, W. Gong, and D. Towsley, 'Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense,' ACM CCS Workshop on Rapid Malcode (WORM'03), Washington DC, Oct., 2003 https://doi.org/10.1145/948187.948197
  14. C. Zou, L. Gao, W. Gong, D. Towsley, 'Monitoring and early warning for Internet worms,' ACM Conference on Computer and Communications Security, Washington, DC, Oct., 2003 https://doi.org/10.1145/948109.948136
  15. N. Gulati, C. Williamson and R. Bunt, 'LAN traffic locality: Characterization and application,' Proc. of the First International Conference of Local Area Network Interconnection, pp.233-250. Plenum, Oct., 1993
  16. 심재홍, 김장복, 최경희, 정기현, 'Virus Throttling의 웜 탐지오판 감소 및 탐지시간 단축', 정보처리학회논문지C, 제 12-C편, 제6호, pp. 847-854, 2005. 10 https://doi.org/10.3745/KIPSTC.2005.12C.6.847
  17. J. Kim, J. Shim, G. Jung, and K. Choi, 'Reducing Worm Detection Time and False Alarm in Virus Throttling,' LNAI, Vol. 3802, pp.297-302, Dec., 2005