• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.12 no.1
• /
• pp.81-86
• /
• 2008

Fast spreading Internet worms, such as Code Red and Slammer, have become one of the new major throne of the Internet recently. In order to defend against theses worms, it is essential to understand how Internet worms propagate and how different Internet factors affect worm spreading. In this paper, we intend to describe the spread of worms on Internet environments accurately. Therefore we model and analyze the spreading effects by various simulations considering Internet addressing and speed. The results lead to a better prediction of the worm spreading on current and future Internet environments.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.32 no.5B
• /
• pp.277-285
• /
• 2007

In this paper, we present a simulation model of Slammer worm propagation process which caused serious disruptions on Internet in the you of 2003 and analyze the process of Slammer by using NS-2. Recently introduced NS-2 modeling called "Detailed Network-Abstract Network Model" had enabled packet level analysis. However, it had deficiency of accommodating only small sized network. By extending the NS-2 DN-AN model to AN-AN model (Abstract Network-Abstract Network model), it is effectively simulated that the whole process from the initial infection to the total network congestion on hourly basis not only for the Korean network but also for the rest of the world networks. Furthermore, the progress of the propagation from Korean network to the other country was also simulated through the AN-AN model. 8,848 hosts in Korean network were infected in 290 second and 66,152 overseas hosts were infected in 308 second. Moreover, the scanning traffics of the worm at the Korean international gateway saturated the total bandwidth in 154 seconds for the inbound traffic and in 135 seconds for the outbound one.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.32 no.8B
• /
• pp.529-538
• /
• 2007

In this paper, we have analyzed a simulation model of Slammer worm propagation process which caused serious disruptions on the Internet in the year of 2003 by using NS-2. Previously we had presented and analyzed Abstract Network to Abstract Network(AN-AN) model being modified from the Detailed Network to Abstract Network(DN-AN) of NS-2. However, packet analysis in AN-AN model had a problem of taking 240 hours to simulate the initial 300 seconds of infection. We have reduced the AN-AN model to save the simulation time and analyzed total 3.5 hours of the network congestions within 107 hours. Moreover, we have derived optimal quarantine rate of 0.0022 considering service outage of network devices caused by the heavy infected traffics, which was not taken into consideration in previous works. As the result of simulation, Although the inbound traffic at the Korean international gateway was back in normal conditions at 4,787 second, due to the revese direction saturation was maintained until 12,600 seconds, the service outage was persisted for 3.5 hours.

• Electronics and Telecommunications Trends
• /
• v.20 no.1 s.91
• /
• pp.9-16
• /
• 2005

최초의 인터넷 웜(worm)으로 불리는 Morris 웜이 1988년 11월에 발표된 이래로 현재까지 많은 웜 공격이 발생되고 또 발표되어 왔다. 초기의 웜은 작은 규모의 네트워크에서 퍼지는 정도였으며, 실질적인 피해를 주는 경우는 거의 없었다. 그러나 2001년 CodeRed 웜은 인터넷에 연결된 많은 컴퓨터들을 순식간에 감염시켜 많은 피해를 발생시켰으며 그 이후 2003년 1월에 발생한 Slammer 웜은 10분이라는 짧은시간안에 75,000여 대 이상의 호스트를 감염시키고 네트워크 자체를 마비시켰다. 특히 Slammer 웜은 국내에서 더욱 유명하다. 명절 구정과 맞물려 호황을 누리던 인터넷 쇼핑 몰, 은행 거래 등을 일시에 마비시켜 버리면서 경제적으로도 막대한 피해를 우리에게 주었다. 이런 웜을 막기 위해서 많은 보안 업체들이나서고 있으나, 아직은 사전에 웜의 피해를 막을만한 확실한 대답을 얻지 못하고 있다. 본 문서에서는 현재 웜의 발생 초기 단계를 탐지하고 이를 피해가 커지기 이전에 막기 위한 연구들을 설명할 것이다.

• Proceedings of the Korea Information Assurance Society Conference
• /
• 2004.05a
• /
• pp.327-331
• /
• 2004

The new cyber world has created by Internet that is prosperous rapidly. But with the expansion of Internet the hacking and intrusion are also increased very much. Actually there were many incidents in Internet, but the damage was restricted within a local area and local system. However, the Great 1.25 Internet Disturbance has paralyzed the national wide Internet environment. It because the Slammer Worm. The worm is a malformed program that uses both of the hacking and computer virus techniques. It autonomously attacks the vulnerability of Windows system, duplicates and spreads by itself. Jus like the Slammer Worm, almost every worms attack the vulnerability of Windows systems that installed in personal PC. Therefore, the vulnerability in personal PC could destroy the whole Internet world. So, in this paper we propose a Internet Worm Expanding Prevention System that could be installed in personal PC to prevent from expanding the Internet Worm. And we will introduce the results of developed system.

• Journal of KIISE:Information Networking
• /
• v.35 no.6
• /
• pp.474-481
• /
• 2008

Scanning worm increases network traffic load and result in severe network congestion because it is a self-replicating worm and send copies of itself to a number of hosts through the Internet. So an early detection system which can automatically detect scanning worms is needed to protect network from those attacks. Although many studies are conducted to detect scanning worms, most of them are focusing on the method using packet header information. The method using packet header information has long detection delay since it must examine the header information of all packets entering or leaving the network. Therefore we propose an algorithm to detect scanning worms using network traffic characteristics such as variance of traffic volume, differentiated traffic volume, mean of differentiated traffic volume, and product of mean traffic volume and mean of differentiated traffic volume. We verified the proposed algorithm by analyzing the normal traffic captured in the real network and the worm traffic generated by simulator. The proposed algorithm can detect CodeRed and Slammer which are not detected by existing algorithm. In addition, all worms were detected in early stage: Slammer was detected in 4 seconds and CodeRed and Witty were detected in 11 seconds.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.37 no.3B
• /
• pp.212-218
• /
• 2012

An Internet worm is a self-replicating malware program which uses a computer network. As the network connectivity among computers increases, Internet worms have become widespread and are still big threats. There are many approaches to model the propagation of Internet worms such as Code Red, Nimda, and Slammer to get the insight of their behaviors and to devise possible defense methods to suppress worms' propagation activities. The influence of the network characteristics on the worm propagation has usually been modeled by medical epidemic model, named SI model, due to its simplicity and the similarity of propagation patterns. So far, SI model is still dominant and new variations of the SI model, called SI-style models, are being proposed for the modeling of new Internet worms. In this paper, we elaborate the problems of SI-style models and then propose a new accurate stochastic model using an occupancy problem.

• Proceedings of the Korea Information Processing Society Conference
• /
• 2006.05a
• /
• pp.521-524
• /
• 2006

인터넷 사용의 급증과 함께 Code-Red나 Slammer와 같은 웜이 급격히 확산 되고 있으며 네트워크를 통해 스스로 전파되면서 네트워크 자원을 고갈시킴으로써 문제가 더욱 심각해지고 있다. 이에 따라 웜을 탐지하기 위한 많은 방법들이 제시되었다. 본 논문에서는 DoS 탐지를 위해 고안 된 트래픽 비율 분석법을 이용하여 정상 네트워크와 웜이 발생 시키는 스캐닝 관련 행위에 대한 패킷 비율을 비교하였다. 이 방법을 통해 네트워크 내에서 웜에 감염된 호스트를 찾아내고 오탐지율을 최소화하는 방법과 웜 전파 행위를 탐지해 내는 방법에 대해서 제안한다. 또한 실제 네트워크에서 수집된 트래픽으로부터 웜의 특성을 분석해 본 결과 최근 웜들의 전파방식을 분석 할 수 있었다.

• Electronics and Telecommunications Trends
• /
• v.19 no.2 s.86
• /
• pp.28-36
• /
• 2004

컴퓨터 바이러스에 의한 시스템 마비와 해킹을 통한 정보파괴나 도용 등과 같은 직접적인 부작용은 물론 인터넷상의 익명성을 이용한 악의적 정보유포나 개인정보의 유출 등을 포함하는 간접적 피해사례도 급격히 증가하고 있는 추세이다. 이와 같은 정보화 혁명의 부작용은 정보화의 진전에 따라 그 파괴력도 비례적으로 증가하고 있음이 실증적으로 드러나고 있다. 1994년부터 국가적 차원에서 초고속정보통신망 구축을 시작한 이래, 세계적인 인터넷 선도국가로 도약한 우리나라가 1.25 SQL Slammer Worm 대란의 가장 큰 피해국이라는 사실이 단적인 예라고 하겠다. 이에 본 논문에서는 정보보호산업의 선진국인 미국, 유럽, 일본에 대한 정보보호 정책을 살펴봄으로써 향후 우리의 정보보호정책 수립에 도움을 주고자 한다.

• Journal of the Korea Society for Simulation
• /
• v.13 no.3
• /
• pp.21-29
• /
• 2004

The major objective of this paper is to analyze network vulnerabilities using the SIMVA (SIMualtion-based Vulnerability Analyzer). SIMVA is capable of monitor network status and analyze vulnerabilities automatically. To do this, we have employed the advanced modeling and simulation concepts such as SES/MB (System Entity Structure / Model Base) framework, DEVS (Discrete Event System Specification) formalism, and experimental frame for developing network security models and simulation-based analysis of vulnerability. SIMVA can analyze static vulnerability as well as dynamic vulnerability consistently and quantitatively. In this paper, we verified and tested the capability of application of SIMVA by slammer worm attack scenario.