• Title/Summary/Keyword: Slammer

Search Result 15, Processing Time 0.027 seconds

Modeling and Network Simulator Implementation for analyzing Slammer Worm Propagation Process (슬래머 웜 전파과정 분석을 위한 네트워크 모델링 및 시뮬레이터 구현)

  • Lim, Jae-Myung;Yoon, Chong-Ho
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.32 no.5B
    • /
    • pp.277-285
    • /
    • 2007
  • In this paper, we present a simulation model of Slammer worm propagation process which caused serious disruptions on Internet in the you of 2003 and analyze the process of Slammer by using NS-2. Recently introduced NS-2 modeling called "Detailed Network-Abstract Network Model" had enabled packet level analysis. However, it had deficiency of accommodating only small sized network. By extending the NS-2 DN-AN model to AN-AN model (Abstract Network-Abstract Network model), it is effectively simulated that the whole process from the initial infection to the total network congestion on hourly basis not only for the Korean network but also for the rest of the world networks. Furthermore, the progress of the propagation from Korean network to the other country was also simulated through the AN-AN model. 8,848 hosts in Korean network were infected in 290 second and 66,152 overseas hosts were infected in 308 second. Moreover, the scanning traffics of the worm at the Korean international gateway saturated the total bandwidth in 154 seconds for the inbound traffic and in 135 seconds for the outbound one.

A Survey of Worm Detection Techniques (인터넷 웜 공격 탐지 방법 동향)

  • Shin, S.W.;Oh, J.T.;Kim, K.Y.;Jang, J.S.
    • Electronics and Telecommunications Trends
    • /
    • v.20 no.1 s.91
    • /
    • pp.9-16
    • /
    • 2005
  • 최초의 인터넷 웜(worm)으로 불리는 Morris 웜이 1988년 11월에 발표된 이래로 현재까지 많은 웜 공격이 발생되고 또 발표되어 왔다. 초기의 웜은 작은 규모의 네트워크에서 퍼지는 정도였으며, 실질적인 피해를 주는 경우는 거의 없었다. 그러나 2001년 CodeRed 웜은 인터넷에 연결된 많은 컴퓨터들을 순식간에 감염시켜 많은 피해를 발생시켰으며 그 이후 2003년 1월에 발생한 Slammer 웜은 10분이라는 짧은시간안에 75,000여 대 이상의 호스트를 감염시키고 네트워크 자체를 마비시켰다. 특히 Slammer 웜은 국내에서 더욱 유명하다. 명절 구정과 맞물려 호황을 누리던 인터넷 쇼핑 몰, 은행 거래 등을 일시에 마비시켜 버리면서 경제적으로도 막대한 피해를 우리에게 주었다. 이런 웜을 막기 위해서 많은 보안 업체들이나서고 있으나, 아직은 사전에 웜의 피해를 막을만한 확실한 대답을 얻지 못하고 있다. 본 문서에서는 현재 웜의 발생 초기 단계를 탐지하고 이를 피해가 커지기 이전에 막기 위한 연구들을 설명할 것이다.

A Study on the Spread of Internet Worms by Internet Environments (인터넷 환경에 따른 인터넷 웜 확산 방식 연구)

  • Shin, Weon
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.12 no.1
    • /
    • pp.81-86
    • /
    • 2008
  • Fast spreading Internet worms, such as Code Red and Slammer, have become one of the new major throne of the Internet recently. In order to defend against theses worms, it is essential to understand how Internet worms propagate and how different Internet factors affect worm spreading. In this paper, we intend to describe the spread of worms on Internet environments accurately. Therefore we model and analyze the spreading effects by various simulations considering Internet addressing and speed. The results lead to a better prediction of the worm spreading on current and future Internet environments.

Simulation and Analysis of Slammer Worm Propagation With Automatic Quarantine (자동 격리를 감안한 슬래머 웜 전파과정에 대한 모의실험 및 분석)

  • Lim, Jae-Myung;Jung, Han-Gyun;Yoon, Chong-Ho
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.32 no.8B
    • /
    • pp.529-538
    • /
    • 2007
  • In this paper, we have analyzed a simulation model of Slammer worm propagation process which caused serious disruptions on the Internet in the year of 2003 by using NS-2. Previously we had presented and analyzed Abstract Network to Abstract Network(AN-AN) model being modified from the Detailed Network to Abstract Network(DN-AN) of NS-2. However, packet analysis in AN-AN model had a problem of taking 240 hours to simulate the initial 300 seconds of infection. We have reduced the AN-AN model to save the simulation time and analyzed total 3.5 hours of the network congestions within 107 hours. Moreover, we have derived optimal quarantine rate of 0.0022 considering service outage of network devices caused by the heavy infected traffics, which was not taken into consideration in previous works. As the result of simulation, Although the inbound traffic at the Korean international gateway was back in normal conditions at 4,787 second, due to the revese direction saturation was maintained until 12,600 seconds, the service outage was persisted for 3.5 hours.

Design and Implementation of Tools for Security Patch Management (보안패치 관리도구의 설계 및 구현)

  • Kim, Yun-Ju;Moon, Jong-Sub
    • Annual Conference of KIPS
    • /
    • 2005.11a
    • /
    • pp.1011-1014
    • /
    • 2005
  • 1.25 대란을 일으켰던 SQL Slammer 웜과 최근 IRCBot웜을 비롯한 다양한 악성코드들은 보안 취약점을 이용하여 전파되고 있다. 이러한 공격의 대부분은 사전에 보안패치를 적용하는 것만으로 막을 수 있기 때문에, 네트워크의 각 시스템들이 최신 패치 버전으로 업데이트 되었는지 점검하고 필요한 보안패치를 분배하는 자동화된 도구의 필요성은 강조되어 왔다. 본 논문에서는 보안패치 관리도구가 관리대상 컴퓨터의 취약점을 분석하는 방안을 제시하고, 제시한 방안을 적용한 보안패치 관리도구를 설계 및 구현하였다.

  • PDF

Scanning Worm Detection Algorithm Using Network Traffic Analysis (네트워크 트래픽 특성 분석을 통한 스캐닝 웜 탐지 기법)

  • Kang, Shin-Hun;Kim, Jae-Hyun
    • Journal of KIISE:Information Networking
    • /
    • v.35 no.6
    • /
    • pp.474-481
    • /
    • 2008
  • Scanning worm increases network traffic load and result in severe network congestion because it is a self-replicating worm and send copies of itself to a number of hosts through the Internet. So an early detection system which can automatically detect scanning worms is needed to protect network from those attacks. Although many studies are conducted to detect scanning worms, most of them are focusing on the method using packet header information. The method using packet header information has long detection delay since it must examine the header information of all packets entering or leaving the network. Therefore we propose an algorithm to detect scanning worms using network traffic characteristics such as variance of traffic volume, differentiated traffic volume, mean of differentiated traffic volume, and product of mean traffic volume and mean of differentiated traffic volume. We verified the proposed algorithm by analyzing the normal traffic captured in the real network and the worm traffic generated by simulator. The proposed algorithm can detect CodeRed and Slammer which are not detected by existing algorithm. In addition, all worms were detected in early stage: Slammer was detected in 4 seconds and CodeRed and Witty were detected in 11 seconds.

Design and Implementation of Internet Worm Spreading Prevention System (인터넷 웜 확산방지 시스템의 설계 및 구현)

  • 최양서;서동일
    • Proceedings of the Korea Information Assurance Society Conference
    • /
    • 2004.05a
    • /
    • pp.327-331
    • /
    • 2004
  • The new cyber world has created by Internet that is prosperous rapidly. But with the expansion of Internet the hacking and intrusion are also increased very much. Actually there were many incidents in Internet, but the damage was restricted within a local area and local system. However, the Great 1.25 Internet Disturbance has paralyzed the national wide Internet environment. It because the Slammer Worm. The worm is a malformed program that uses both of the hacking and computer virus techniques. It autonomously attacks the vulnerability of Windows system, duplicates and spreads by itself. Jus like the Slammer Worm, almost every worms attack the vulnerability of Windows systems that installed in personal PC. Therefore, the vulnerability in personal PC could destroy the whole Internet world. So, in this paper we propose a Internet Worm Expanding Prevention System that could be installed in personal PC to prevent from expanding the Internet Worm. And we will introduce the results of developed system.

  • PDF

A Study on Worm Detection Algorithm Using Network Traffic Analysis (네트워크 트래픽 분석을 통한 웜 탐지방법에 관한 연구)

  • Noh Dae-Jong;Noh Tea-Yol;Park Seung-Seob
    • Annual Conference of KIPS
    • /
    • 2006.05a
    • /
    • pp.521-524
    • /
    • 2006
  • 인터넷 사용의 급증과 함께 Code-Red나 Slammer와 같은 웜이 급격히 확산 되고 있으며 네트워크를 통해 스스로 전파되면서 네트워크 자원을 고갈시킴으로써 문제가 더욱 심각해지고 있다. 이에 따라 웜을 탐지하기 위한 많은 방법들이 제시되었다. 본 논문에서는 DoS 탐지를 위해 고안 된 트래픽 비율 분석법을 이용하여 정상 네트워크와 웜이 발생 시키는 스캐닝 관련 행위에 대한 패킷 비율을 비교하였다. 이 방법을 통해 네트워크 내에서 웜에 감염된 호스트를 찾아내고 오탐지율을 최소화하는 방법과 웜 전파 행위를 탐지해 내는 방법에 대해서 제안한다. 또한 실제 네트워크에서 수집된 트래픽으로부터 웜의 특성을 분석해 본 결과 최근 웜들의 전파방식을 분석 할 수 있었다.

  • PDF

Information Security Policies of Advanced Countries (해외 정보보호정책 동향)

  • Park, S.U.;Lee, H.W.
    • Electronics and Telecommunications Trends
    • /
    • v.19 no.2 s.86
    • /
    • pp.28-36
    • /
    • 2004
  • 컴퓨터 바이러스에 의한 시스템 마비와 해킹을 통한 정보파괴나 도용 등과 같은 직접적인 부작용은 물론 인터넷상의 익명성을 이용한 악의적 정보유포나 개인정보의 유출 등을 포함하는 간접적 피해사례도 급격히 증가하고 있는 추세이다. 이와 같은 정보화 혁명의 부작용은 정보화의 진전에 따라 그 파괴력도 비례적으로 증가하고 있음이 실증적으로 드러나고 있다. 1994년부터 국가적 차원에서 초고속정보통신망 구축을 시작한 이래, 세계적인 인터넷 선도국가로 도약한 우리나라가 1.25 SQL Slammer Worm 대란의 가장 큰 피해국이라는 사실이 단적인 예라고 하겠다. 이에 본 논문에서는 정보보호산업의 선진국인 미국, 유럽, 일본에 대한 정보보호 정책을 살펴봄으로써 향후 우리의 정보보호정책 수립에 도움을 주고자 한다.

Mutual Information Applied to Anomaly Detection

  • Kopylova, Yuliya;Buell, Duncan A.;Huang, Chin-Tser;Janies, Jeff
    • Journal of Communications and Networks
    • /
    • v.10 no.1
    • /
    • pp.89-97
    • /
    • 2008
  • Anomaly detection systems playa significant role in protection mechanism against attacks launched on a network. The greatest challenge in designing systems detecting anomalous exploits is defining what to measure. Effective yet simple, Shannon entropy metrics have been successfully used to detect specific types of malicious traffic in a number of commercially available IDS's. We believe that Renyi entropy measures can also adequately describe the characteristics of a network as a whole as well as detect abnormal traces in the observed traffic. In addition, Renyi entropy metrics might boost sensitivity of the methods when disambiguating certain anomalous patterns. In this paper we describe our efforts to understand how Renyi mutual information can be applied to anomaly detection as an offline computation. An initial analysis has been performed to determine how well fast spreading worms (Slammer, Code Red, and Welchia) can be detected using our technique. We use both synthetic and real data audits to illustrate the potentials of our method and provide a tentative explanation of the results.