Abstract: | Flooding attacks have long been an important topic in network security. As attack techniques evolve day by day, many new kinds of attack programs can strike the entire Internet within an extremely short time, and among these, zero-day polymorphic worms pose the greatest threat. Zero-day polymorphic worms not only exploit unknown vulnerabilities to launch attacks but also continually change their own form to evade existing detection systems. A worm can therefore spread on a massive scale in a very short time, not only infecting a large number of hosts but also producing a surge of junk traffic that paralyzes the whole Internet. Even network administrators are affected by the paralyzed network and cannot carry out repairs smoothly.

Traditional defense systems focus on "effective blocking". The crux of the problem, however, is that new kinds of attacks can never be predicted. We therefore adopt an alternative approach, the idea of "intrusion tolerance", in place of traditional brute-force blocking. This thesis proposes a new network defense architecture, named VMITN (Virtual Machine based Intrusion Tolerance Network), which can effectively tolerate flooding attacks until administrators step in to patch the system vulnerabilities. VMITN uses out-of-band (OOB) network technology and virtual machine (VM) technology to keep the management channel open, ensuring that repairs can proceed smoothly. We further propose the SRHO (Seamless Rapidly Hand Over) and GAPS (GA-based Placement Selection) techniques to raise VMITN's intrusion tolerance capability. In addition, to effectively reduce the junk traffic generated by worms, we propose two linear algorithms, QWPL (Quick Worm Pattern Learning) and RSWD (Rough Set Worm Detection), which can not only raise an alert in the early stage of worm propagation but also rapidly learn a worm's signature under conditions of incomplete information.

We implemented a VMITN system prototype and conducted a series of experiments. To evaluate VMITN's effectiveness, we used four well-known worms to simulate attacks, including Code Red, Witty, Apache-Knacker and ATPhttpd, and used NS-2 to simulate attacks and defense on a large-scale network. The experimental results show that under severe attack events VMITN has high survivability and controllability, effectively preventing the Internet from being paralyzed and helping administrators rapidly restore the network system.

Flooding-based attacks have always been a critical threat to Internet security. Thanks to increasingly sophisticated hacking skills, many modern malicious programs can now cause a global flooding attack in a short period of time. Zero-day polymorphic worms are the most pressing threat. Zero-day polymorphic worms not only exploit unknown vulnerabilities but also change their own representation on each new infection to evade detection. Therefore, these worms have the ability to rapidly infect a tremendous number of hosts and cause massive denial of service across the Internet. Even the network administrators cannot remotely reconfigure the devices to recover services manually. These kinds of global flooding attacks are hard to stop with traditional security mechanisms that build a single barrier system.

Therefore, instead of trying to prevent the intrusion of every such threat, we propose a new system architecture, named VMITN (Virtual Machine based Intrusion Tolerance Network), which adopts out-of-band (OOB) network and virtual machine techniques to provide global intrusion tolerance capabilities. VMITN tolerates worm-based flooding attacks until the administrator removes the vulnerability leveraged by the worm. We propose the Seamless Rapidly Hand Over (SRHO) technique and the GA-based Placement Selection (GAPS) technique to enhance VMITN's tolerance capability. To filter zero-day worms at an early stage, two linear-time detection algorithms, Quick Worm Pattern Learning (QWPL) and Rough Set Worm Detection (RSWD), are proposed and evaluated. We have implemented a proof-of-concept prototype system and present its design and practical issues. In total, four famous worm attack events, including Code Red, Witty, Apache-Knacker and ATPhttpd, are tested in our experiments to evaluate VMITN's performance against various catastrophes. To prove the usefulness of VMITN, we not only emulate real worm attack events in an emulation network but also simulate a large-scale network with NS-2 simulations. The results show that the VMITN architecture can provide reliability and survivability under severe worm attacks. |