Thesis 955202094: Detailed Record




Author: 林佳潤 (Chia-Jun Lin)    Department: Department of Computer Science and Information Engineering
Title: Real-time Serum System: An Automated Worm Curing System with an Attack Barrier
(Infectious Real-time Serum System: Automatic worm curing system)
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-time Rootkit Detection System
★ A Detection and Defense Mechanism Against Fraudulent SMS Messages on Android Phones
★ SRA: A System Defending Against Router Hijacking by ARP Spoofing
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-time Counterattack System Against Remote Buffer Overflow Attacks
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
★ PrivacyGuard: A Kernel-based Solution to Enhance the User Privacy When Using Private Browsing
Abstract (Chinese): Self-propagating worms have long been one of the deadliest security threats on the Internet, because they let an attacker seize control of a huge number of hosts. This thesis proposes a new architecture and method, the Real-time Worm Recovery System (Serum System), that automatically and with high precision disinfects and recovers hosts compromised by worm attacks.
The system is built on the concept of offensive defense: it establishes an attack barrier that strikes back at the source of an attack. When a host equipped with the Serum System receives a malicious attack string, it first modifies the payload of the attack string dynamically and in real time, then counterattacks the same vulnerability on the attacking host, copies the Serum System onto that host, and repairs the vulnerability there. The attacking host thereby becomes immune to that worm and can in turn counterattack, in the same way, any other malicious host that attacks it. Through this legitimate, chain-reaction style of spreading counterattack, hosts infected by the worm anywhere on the Internet can be cleaned automatically, precisely and under control, whatever the scale of the outbreak, even when the signature is imprecise.
This thesis also discusses a model of worm infection and uses it to show analytically that the system is effective at suppressing worm propagation. The analysis not only describes how the damage caused by a worm relates to time, but also shows the effect that deploying real-time counterattacking hosts has on containing the worm.
The thesis further proposes an architecture for local automated vulnerability patching, which allows enterprises and organizations of all kinds to repair vulnerabilities promptly. This result helps security incident researchers respond quickly and recover from the damage when facing future buffer-overflow worm attacks.
Abstract (English): Although the implementations of ASLR and non-executable stacks reduce the risk of worms spreading via buffer overflow exploits, there are still numerous ways to defeat or circumvent these protections. In this paper we propose a system for automatic worm curing, the Infectious Real-time Serum System (IRSS).
Our approach is based on the concept of an "attack barrier" that counters back against attackers. Once a host running the Serum System is attacked, it dynamically modifies the payload of the attacking string, counters back against the attacking source, and sets up patches that clone the entire Serum System onto that source. The original attacking host is thus not only immune to this vulnerability but also able to counter back against any host that tries to attack it.
Through this infectious counterattack behavior, with Serum Systems chained one to the next, we can automatically cure worm-infected hosts precisely and under control. Moreover, we can clean worms all around the world while only a few Serum System servers are required for the entire environment.
The Serum System can deal with any kind of buffer overflow attack (BOA), including return-into-libc attacks, so the system is effective at defending against the spread of modern worms. This paper also builds a mathematical model of worm-curing behavior to analyze the efficiency of the Serum System, and presents the concept of automatic exploit patching.
Keywords (Chinese) ★ attack barrier
★ network security
★ botnet
★ worm
★ serum system
★ serum
★ remote attack
★ buffer overflow
★ worm removal
★ worm curing
Keywords (English) ★ attack barrier
★ botnet
★ worm curing
★ buffer overflow
★ worm
★ serum system
★ white worm
★ security
★ remote exploit
Table of Contents
Chinese Abstract
English Abstract
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1-1 Research Background
1-2 Research Motivation and Objectives
Chapter 2 Background on Worm Propagation and Attacks
2-1 Buffer Overflow Attack
2-2 Attacking String
2-3 Worm Characteristics
Chapter 3 Related Work
3-1 Research on Buffer Overflows
3-2 Research on Worms
3-2-1 Worm Behavior Signatures and Detection
3-2-2 Mathematical Models of Worm Propagation
3-2-3 Worms and Botnets
3-2-4 Automated Patching (Auto-Patch)
Chapter 4 System Design
4-1 System Architecture
4-1-1 SSS and SSC
4-1-2 System Workflow
4-2 Discussion of System Functions
4-2-1 Connection Filtering and Redirection
4-2-2 Malicious String Scanning
4-2-3 Dynamic Modification of Attack Strings
4-3 Immunization and Counterattack Strategy
4-3-1 Determining Counterattack Success
4-3-2 Duration of Immunity
4-3-3 Integrating the Serum System with an IDS
Chapter 5 Mathematical Analysis
5-1 Worm Propagation Model
5-2 Analysis of Worm Propagation in an Environment with Serum System Hosts
5-2-1 The Case of a Counterattack Success Rate Equal to 1
5-2-2 The Case of a Counterattack Success Rate Below 1
Chapter 6 System Experiments and Evaluation
6-1 Overhead and Impact of the Serum System
6-1-1 Network Traffic Overhead
6-1-2 Performance Impact
6-2 Serum System Response Time
6-2-1 Time Required for the System to Counterattack
6-2-2 Time Required for Real-time System Deployment
6-3 System Stress Test
6-4 Issues That May Affect the System
6-4-1 ASLR
6-4-2 Special Worm Behaviors
6-4-3 Attacks Against the Serum System
6-5 Other Evaluations and Discussion
6-5-1 Signature Tuning
6-5-2 Tracing Stepping-Stone Hosts and Botnets
6-5-3 Shellcode Length
6-5-4 Return into libc Attack
Chapter 7 Conclusions and Future Directions
Appendix 1 References
Appendix 2 Shellcode for the Connection Infrastructure
Advisor: 許富皓 (Fu-Hau Hsu)    Approval date: 2008-7-21
