Security Framework for Improving the Performance of the Malicious Process Control System

  • Kim, Iksu (School of Computer Science & Engineering, Soongsil University)
  • Choi, Jongmyung (Department of Computer Engineering, Mokpo National University)
  • Received : 2012.11.07
  • Accepted : 2013.02.18
  • Published : 2013.04.30

Abstract

Until now, there have been various studies on defending against Internet worms. Most intrusion detection and prevention systems against Internet worms rely on detection rules, so they cannot respond to new Internet worms. For this reason, a malicious process control system was proposed that exploits the fact that Internet worms multicast malicious packets. However, the cost of the malicious process control system grows with the number of servers to be protected, and the probability of detecting Internet worms that attack only some predetermined IP addresses is low. This paper presents a security framework that reduces the cost of the malicious process control system and increases the probability of detecting Internet worms that attack only some predetermined IP addresses. In the proposed security framework, virtual machines are used to reduce the cost of the control servers, and unused IP addresses are used to increase the probability of detecting Internet worms that attack only some predetermined IP addresses. Therefore, the proposed security framework can respond effectively to a variety of new Internet worms at lower cost.

Various studies on responding to Internet worms have been carried out to date. Most Internet worm detection and prevention systems respond to Internet worm attacks using detection rules, but they have the problem that they cannot respond to new Internet worms. For this reason, a malicious process control system that uses the multicast characteristic of Internet worms was proposed. However, the deployment cost of this system increases as the number of servers that must provide service grows, and its probability of detecting Internet worm attacks of the partial-attack type is low. This paper proposes a security framework that can reduce the deployment cost of the malicious process control system and raise the probability of detecting partial-attack-type Internet worm attacks. In the proposed security framework, virtual machines are used to reduce the deployment cost of the control servers, and spare, unused IP addresses are dynamically used for Internet worm attack detection, thereby increasing the probability of detecting partial-attack-type Internet worm attacks. As a result, the proposed security framework can respond effectively to various new types of Internet worms at comparatively low cost.
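The abstract rests on two observations: a worm process sends the same payload to many destinations (the multicast pattern the original malicious process control system keys on), and a process that contacts an address that is not in use at all has no legitimate reason to do so (the unused-IP extension proposed here). The following Python is an added example, not code from the paper or its authors; it shows how a host-side monitor could combine both signals over constructed connection records. The record layout, the unused-address pool and the thresholds are assumptions made for the illustration, not values from the paper.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One outbound connection attempt observed on the monitored host (constructed format)."""
    pid: int
    proc: str
    dst_ip: str
    dst_port: int
    payload_sha256: str  # digest of the first bytes sent; constructed values below


# Hypothetical pool of spare addresses the framework would hand out as decoys.
# Nothing legitimate should ever connect to them.
UNUSED_IPS = {"10.0.0.250", "10.0.0.251", "10.0.0.252"}

FANOUT_THRESHOLD = 4  # identical payload to this many distinct hosts -> multicast pattern


def analyze(conns, unused_ips=UNUSED_IPS, fanout=FANOUT_THRESHOLD):
    """Return {pid: (process name, [reasons])} for processes that look like worms.

    A process is flagged if any single payload it sends either reaches an
    unused (decoy) address or fans out to at least `fanout` distinct hosts.
    The decoy check has no fan-out requirement, which is what lets it catch a
    worm that probes only a few predetermined targets.
    """
    targets = defaultdict(set)  # (pid, payload digest) -> destination IPs
    names = {}
    for c in conns:
        targets[(c.pid, c.payload_sha256)].add(c.dst_ip)
        names[c.pid] = c.proc

    verdicts = defaultdict(list)
    for (pid, payload), ips in targets.items():
        hit_unused = ips & unused_ips
        if hit_unused:
            verdicts[pid].append(
                f"payload {payload[:8]} sent to unused address(es) {sorted(hit_unused)}")
        elif len(ips) >= fanout:
            verdicts[pid].append(
                f"identical payload {payload[:8]} sent to {len(ips)} distinct hosts")
    return {pid: (names[pid], reasons) for pid, reasons in verdicts.items()}


# Constructed sample: one benign backup job, one wide-scanning process, and one
# process that probes only two targets but happens to hit a decoy address.
SAMPLE = [
    Conn(1201, "backup", "10.0.0.20", 22, "aaaa1111"),
    Conn(1201, "backup", "10.0.0.21", 22, "bbbb2222"),
] + [
    Conn(3310, "updsvc", f"10.0.0.{i}", 445, "dead0001") for i in range(5, 10)
] + [
    Conn(4402, "helper", "10.0.0.12", 445, "dead0002"),
    Conn(4402, "helper", "10.0.0.251", 445, "dead0002"),
]


if __name__ == "__main__":
    for pid, (name, reasons) in sorted(analyze(SAMPLE).items()):
        print(f"pid {pid} ({name}):")
        for r in reasons:
            print("   ", r)
```

The wide scanner (pid 3310) is caught by the fan-out rule alone; the two-target process (pid 4402) would slip under that rule but is caught because one of its targets is a decoy address, which is the gain the abstract attributes to using unused IP addresses. The more of the spare address space is assigned to decoys, the higher the chance that a worm with a short, fixed target list touches one of them.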
