WORM-HUNTER: A Worm Guard System using Software-defined Networking

  • Hu, Yixun (Information Security Center, Beijing University of Posts and Telecommunications) ;
  • Zheng, Kangfeng (Information Security Center, Beijing University of Posts and Telecommunications) ;
  • Wang, Xu (Information Security Center, Beijing University of Posts and Telecommunications) ;
  • Yang, Yixian (Information Security Center, Beijing University of Posts and Telecommunications)
  • Received : 2016.08.09
  • Accepted : 2016.12.09
  • Published : 2017.01.31

Abstract

Network security is rapidly developing, but so are attack methods. Network worms are one of the most widely used attack methods and are able to propagate quickly. As an active defense approach against network worms, the honeynet technique has long been limited by the closed architecture of traditional network devices. In this paper, we propose a closed-loop worm defense system based on Software-Defined Networking (SDN) technology, called Worm-Hunter. The flexibility of SDN in network building is used to structure the network infrastructure of Worm-Hunter. By using well-designed flow tables, Worm-Hunter is able to easily and dynamically deploy different honeynet systems with different network structures. When anomalous traffic is detected by the analyzer in Worm-Hunter, it can be redirected into the honeynet and then safely analyzed. Throughout the process, attackers will not be aware that they have been caught, and all of the attack behavior is recorded in the system for further analysis. Finally, we verify the system via experiments. The experiments show that Worm-Hunter is able to build multiple honeynet systems on one physical platform. Meanwhile, all of the honeynet systems with the same topology operate without interference.
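As an added illustration of the closed loop the abstract describes (example code written for this page, not the paper's own system): a toy analyzer flags a source that contacts many distinct destinations, then installs a forward/reverse flow-rule pair that steers that source's traffic to a honeypot while replies keep the original target's address, so the redirect is transparent to the sender. The addresses, the honeypot pool and the scan threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed values: honeypots that impersonate redirected targets, and the scan threshold.
HONEYPOT_POOL = ["10.99.0.10", "10.99.0.11", "10.99.0.12"]
SCAN_THRESHOLD = 4   # distinct destinations before a source is treated as a scanning worm

@dataclass
class FlowRule:
    priority: int
    match: dict    # fields that must all be equal, e.g. {"src": "10.0.0.5", "dst": "10.0.0.9"}
    actions: dict  # "set_src"/"set_dst" rewrite addresses, "output" names the egress port

class Switch:
    """Toy OpenFlow-style flow table: the highest-priority matching rule wins."""
    def __init__(self):
        self.rules = [FlowRule(0, {}, {"output": "production"})]  # table-miss: normal forwarding
    def install(self, rule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: -r.priority)               # stable sort: earlier rules win ties
    def forward(self, pkt):
        for rule in self.rules:
            if all(pkt.get(k) == v for k, v in rule.match.items()):
                out = dict(pkt)
                out["src"] = rule.actions.get("set_src", out["src"])
                out["dst"] = rule.actions.get("set_dst", out["dst"])
                out["port"] = rule.actions["output"]
                return out

class WormHunter:
    """Analyzer plus controller: flags scan-like sources and installs transparent redirects."""
    def __init__(self, switch):
        self.switch = switch
        self.targets = defaultdict(set)  # src -> distinct destinations it contacted
        self.flagged, self.redirected, self.honeypot_of = set(), set(), {}
    def observe(self, pkt):
        src, dst = pkt["src"], pkt["dst"]
        if src not in self.flagged:
            self.targets[src].add(dst)
            if len(self.targets[src]) >= SCAN_THRESHOLD:
                self.flagged.add(src)
        if src in self.flagged and (src, dst) not in self.redirected:
            self.redirect(src, dst)
        return self.switch.forward(pkt)
    def redirect(self, src, dst):
        # One honeypot stands in for each original target (pool entries are reused once exhausted).
        hp = self.honeypot_of.setdefault(dst, HONEYPOT_POOL[len(self.honeypot_of) % len(HONEYPOT_POOL)])
        # Forward: the worm's packets to dst enter the honeynet with the destination rewritten.
        self.switch.install(FlowRule(100, {"src": src, "dst": dst}, {"set_dst": hp, "output": "honeynet"}))
        # Reverse: honeypot replies carry dst's address, so the worm believes it reached dst.
        self.switch.install(FlowRule(100, {"src": hp, "dst": src}, {"set_src": dst, "output": "production"}))
        self.redirected.add((src, dst))
```

The first three probes from the scanning host still reach production; from the fourth distinct target onward its traffic lands in the honeynet, and a honeypot's reply is rewritten to look like it came from the host the worm targeted.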
