• Title/Summary/Keyword: worm attack

Search Result 68, Processing Time 0.023 seconds

WORM-HUNTER: A Worm Guard System using Software-defined Networking

  • Hu, Yixun;Zheng, Kangfeng;Wang, Xu;Yang, Yixian
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.11 no.1
    • /
    • pp.484-510
    • /
    • 2017
  • Network security is rapidly developing, but so are attack methods. Network worms are one of the most widely used attack methods and have are able to propagate quickly. As an active defense approach to network worms, the honeynet technique has long been limited by the closed architecture of traditional network devices. In this paper, we propose a closed loop defense system of worms based on a Software-Defined Networking (SDN) technology, called Worm-Hunter. The flexibility of SDN in network building is introduced to structure the network infrastructures of Worm-Hunter. By using well-designed flow tables, Worm-Hunter is able to easily deploy different honeynet systems with different network structures and dynamically. When anomalous traffic is detected by the analyzer in Worm-Hunter, it can be redirected into the honeynet and then safely analyzed. Throughout the process, attackers will not be aware that they are caught, and all of the attack behavior is recorded in the system for further analysis. Finally, we verify the system via experiments. The experiments show that Worm-Hunter is able to build multiple honeynet systems on one physical platform. Meanwhile, all of the honeynet systems with the same topology operate without interference.

IARAM: Internet Attack Representation And Mapping Mechanism for a Simulator (IARAM: 시뮬레이터를 위한 인터넷 공격 표현 및 맵핑 기법)

  • Lee, Cheol-Won;Kim, Jung-Sik;Kim, Dong-Kyu
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.18 no.1
    • /
    • pp.89-102
    • /
    • 2008
  • Internet becomes more and more popular, and most companies and institutes use web services for e-business and many other purposes. With the explosion of Internet, the attack of internet worm has grown. Simulation is one of the most widely used method to study internet worms. But, it is quite challenging to simulate very large-scale worm attacks because of various reasons. By this reason, we often use the modeling network simulation technique. But, it also has problem that it difficult to apply each worm attacks to simulation. In this paper, we propose worm attack representation and mapping methods for apply worm attack to simulation. The proposed method assist to achieve the simulation efficiency. And we can express each worm attacks more detail. Consequently, the simulation of worm attacks has the time-efficiency and the minuteness.

A Study on Tools for Worm Virus & DDoS Detection (대규모 백본망의 웜 바이러스와 분산서비스거부공격 탐지시스템 연구)

  • Lee Myung-Sun;Lee Jae-Kwang
    • The KIPS Transactions:PartC
    • /
    • v.11C no.7 s.96
    • /
    • pp.993-998
    • /
    • 2004
  • As Worm Virus & DDoS attack appeares, the targets and damage of infringement accidents are extending from specific system or services to paralysis of the network itself. These attacks are expending very frequently and strongly, and ISP who will be used as the path of these attacks will face serious damages. But compare to Worm Virus & DDoS attack that generally occures in many Systems at one time with it's fast propagation velocity, network dimensional opposition is slow and disable to deal with the whole appearance for it is operated manually by the network manager. Therefore, this treatise present devices how to detect Worm Virus & DDoS attack's outbreak and the attacker(attacker IP adderss) automatically.

Harmful Traffic Detection by Protocol and Port Analysis (프로토콜과 포트 분석을 통한 유해 트래픽 탐지)

  • Shin Hyun-Jun;Choi Il-Jun;Oh Chang-Suk;Koo Hyang-Ohk
    • The Journal of the Korea Contents Association
    • /
    • v.5 no.5
    • /
    • pp.172-181
    • /
    • 2005
  • The latest attack type against network traffic appeared by worm and bot that are advanced in DDoS. It is difficult to detect them because they are diversified, intelligent, concealed and automated. The exisiting traffic analysis method using SNMP has a vulnerable problem; it considers normal P2P and other application program to be harmful traffic. It also has limitation that does not analyze advanced programs such as worm and bot to harmful traffic. Therefore, we analyzed harmful traffic out Protocol and Port analysis. We also classified traffic by protocol, well-known port, P2P port, existing attack port, and specification port, apply singularity weight to detect, and analyze attack availability. As a result of simulation, it is proved that it can effectively detect P2P application, worm, bot, and DDoS attack.

  • PDF

Passive Benign Worm Propagation Modeling with Dynamic Quarantine Defense

  • Toutonji, Ossama;Yoo, Seong-Moo
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.3 no.1
    • /
    • pp.96-107
    • /
    • 2009
  • Worm attacks can greatly distort network performance, and countering infections can exact a heavy toll on economic and technical resources. Worm modeling helps us to better understand the spread and propagation of worms through a network, and combining effective types of mitigation techniques helps prevent and mitigate the effects of worm attacks. In this paper, we propose a mathematical model which combines both dynamic quarantine and passive benign worms. This Passive Worm Dynamic Quarantine (PWDQ) model departs from previous models in that infected hosts will be recovered either by passive benign worms or quarantine measure. Computer simulation shows that the performance of our proposed model is significantly better than existing models, in terms of decreasing the number of infectious hosts and reducing the worm propagation speed.

Implementation of Automatic Worm Signature Generator in DHT Network (DHT 기반 네트워크의 웜 시그니쳐 자동 생성기의 구현)

  • Kim, Ji-Hun;Lee, You-Ri;Park, Dong-Gue;Oh, Jin-Te;Jang, Jong-Soo;Min, Byeong-Jun
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.7 no.6
    • /
    • pp.1206-1213
    • /
    • 2006
  • Fast detection and automatic generation of worm signatures are essential to contain zero-day worms because the speed of self-propagating worms is too fast for humans to respond. In this paper, we propose an automatic signature generation method against worm's attack, and show the effectiveness of the proposed method by implementing it and appling it to the DHT based network and generating the worm signatures for it.

  • PDF

Effective traffic analysis in DDos attack (DDos 공격에서 효율적인 트래픽 분석)

  • 구향옥;백순화;오창석
    • Proceedings of the Korea Contents Association Conference
    • /
    • 2004.05a
    • /
    • pp.268-272
    • /
    • 2004
  • Recently most of hacking attack are either DDos attack or worm attack. However detection algorithms against those attacks are insufficient. In this paper, we propose a method which is able to detect attack traffic very efficiently by reducing traffic overhead. In this scheme, network traffics are collected using SNMP and classified. if they are identified as normal traffic, traffic analysis delay timer is started to reduce traffic overhead.

  • PDF

An Architecture Design of Distributed Internet Worm Detection System for Fast Response

  • Lim, Jung-Muk;Han, Young-Ju;Chung, Tai-Myoung
    • Proceedings of the Korea Society of Information Technology Applications Conference
    • /
    • 2005.11a
    • /
    • pp.161-164
    • /
    • 2005
  • As the power of influence of the Internet grows steadily, attacks against the Internet can cause enormous monetary damages nowadays. A worm can not only replicate itself like a virus but also propagate itself across the Internet. So it infects vulnerable hosts in the Internet and then downgrades the overall performance of the Internet or makes the Internet not to work. To response this, worm detection and prevention technologies are developed. The worm detection technologies are classified into two categories, host based detection and network based detection. Host based detection methods are a method which checks the files that worms make, a method which checks the integrity of the file systems and so on. Network based detection methods are a misuse detection method which compares traffic payloads with worm signatures and anomaly detection methods which check inbound/outbound scan rates, ICMP host/port unreachable message rates, and TCP RST packet rates. However, single detection methods like the aforementioned can't response worms' attacks effectively because worms attack the Internet in the distributed fashion. In this paper, we propose a design of distributed worm detection system to overcome the inefficiency. Existing distributed network intrusion detection systems cooperate with each other only with their own information. Unlike this, in our proposed system, a worm detection system on a network in which worms select targets and a worm detection system on a network in which worms propagate themselves cooperate with each other with the direction-aware information in terms of worm's lifecycle. The direction-aware information includes the moving direction of worms and the service port attacked by worms. In this way, we can not only reduce false positive rate of the system but also prevent worms from propagating themselves across the Internet through dispersing the confirmed worm signature.

  • PDF

Dynamic Control of Random Constant Spreading Worm using Depth Distribution Characteristics

  • No, Byung-Gyu;Park, Doo-Soon;Hong, Min;Lee, Hwa-Min;Park, Yoon-Sok
    • Journal of Information Processing Systems
    • /
    • v.5 no.1
    • /
    • pp.33-40
    • /
    • 2009
  • Ever since the network-based malicious code commonly known as a 'worm' surfaced in the early part of the 1980's, its prevalence has grown more and more. The RCS (Random Constant Spreading) worm has become a dominant, malicious virus in recent computer networking circles. The worm retards the availability of an overall network by exhausting resources such as CPU capacity, network peripherals and transfer bandwidth, causing damage to an uninfected system as well as an infected system. The generation and spreading cycle of these worms progress rapidly. The existing studies to counter malicious code have studied the Microscopic Model for detecting worm generation based on some specific pattern or sign of attack, thus preventing its spread by countering the worm directly on detection. However, due to zero-day threat actualization, rapid spreading of the RCS worm and reduction of survival time, securing a security model to ensure the survivability of the network became an urgent problem that the existing solution-oriented security measures did not address. This paper analyzes the recently studied efficient dynamic network. Essentially, this paper suggests a model that dynamically controls the RCS worm using the characteristics of Power-Law and depth distribution of the delivery node, which is commonly seen in preferential growth networks. Moreover, we suggest a model that dynamically controls the spread of the worm using information about the depth distribution of delivery. We also verified via simulation that the load for each node was minimized at an optimal depth to effectively restrain the spread of the worm.

Simulation-based Worm Damage Assessment on ATCIS (시뮬레이션 기반 육군전술지휘정보체계에 대한 웜 피해평가)

  • Kim, Gi-Hwan;Kim, Wan-Joo;Lee, Soo-Jin
    • Journal of the military operations research society of Korea
    • /
    • v.33 no.2
    • /
    • pp.115-127
    • /
    • 2007
  • The army developed the ATCIS(Army Tactical Command Information System) for the battlefield information system with share the command control information through the realtime. The using the public key and the encryption equipment in the ATCIS is enough to the confidentiality, integrity. but, it is vulnerable about the availability with the zero day attack. In this paper, we implement the worm propagation simulation on the ATCIS infrastructure through the modelling on the ATCIS operation environment. We propose the countermeasures based on the results from the simulation.