Paper 10-Defending Polymorphic Worms in Computer Network Using Honeypot

(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 3, No. 10, 2012

Defending Polymorphic Worms in Computer Network using Honeypot

R. T. Goswami (a), Avijit Mondal (b)
(a, b) Department of Computer Science, Birla Institute of Technology Extension Centre, Kolkata, India - 700107

Bimal Kumar Mishra (c), N. C. Mahanti (d)
(c, d) Department of Applied Mathematics, Birla Institute of Technology, Mesra, Ranchi, India - 835

Abstract: Polymorphic worms are a major threat to Internet infrastructure security. The mechanism presented here uses a gate translator, a double honeypot, a sticky honeypot, an internal translator and the CloudAV antivirus to attract polymorphic worms. We propose an algorithm that detects and removes polymorphic worms and separates their packets from innocuous traffic.

Keywords: Polymorphic worm; Honeypot; Honeynet; Sticky honeypot; Cloud computing.

I. INTRODUCTION

Worms are computer programs that self-replicate without requiring any human intervention, by sending copies of their code in network packets and ensuring the code is executed by the computers that receive it. When computers are infected, they spread copies of themselves and perform other malicious activities. A polymorphic worm is a worm that changes its appearance with every instance [1]. There are two basic types of intrusion detection: host-based and network-based. Host-based IDSs examine data held on individual computers that serve as hosts, while network-based IDSs examine data exchanged between computers [3, 4]. Security experts manually generate IDS signatures by studying the network traces after a new worm has been released. Our research is based on the honeypot technique. Developed in recent years, a honeypot is a monitored system on the Internet that serves the purpose of attracting and trapping attackers who attempt to penetrate the protected servers on a network. Honeypots fall into two categories.
A high-interaction honeypot such as Honeynet operates a real operating system and one or more applications. A low-interaction honeypot such as Honeyd simulates one or more real systems. In general, any network activity observed at a honeypot is considered suspicious [1, 2]. Security experts need a great deal of information to perform signature generation. Such information can be captured by tools such as Honeynet. A honeynet is a network of standard production systems that are built together and put behind some type of access control device (such as a firewall) to watch what happens to the traffic [1]. We assume the traffic captured by the honeynet is suspicious. Our system reduces the rate of false alarms by using the honeynet to capture traffic destined to a certain network.

Attackers will try every possible way to extend the lifetime of Internet worms. In order to evade signature-based systems, a polymorphic worm appears differently each time it replicates itself. This subsection discusses the polymorphism of Internet worms. There are many ways to make polymorphic worms [2]. One technique relies on self-encryption with a variable key. It encrypts the body of the worm, which erases both the signatures and the statistical characteristics of the worm byte string. A copy of the worm, the decryption routine and the key are sent to a victim machine, where the encrypted text is turned back into a regular worm program by the decryption routine. The program is then executed to infect other victims and possibly damage the local system. If the same decryption routine is always used, the byte sequence of the decryption routine can serve as the worm signature. A more sophisticated method of polymorphism is to change the decryption routine each time a copy of the worm is sent to another victim host. This can be achieved by keeping several decryption routines in a worm.
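The point made above, that a signature taken from the encrypted body is useless across instances while the decryption routine stays constant, can be checked on constructed samples. The following Python script is an added example and not code from the paper: the routine strings, the hex-encoded bodies and the benign request are all made up, and the helper names (longest_common_substring, signature_set) are assumptions. It also carries the argument one step further to the case of several decryption routines, which can be enumerated one signature at a time once enough samples have been captured.

```python
"""
Added example (not the paper's code): a body-derived signature fails across
self-encrypting instances, while the invariant decryption routine can be
recovered as the longest byte string common to all captured instances.
All sample bytes here are constructed for illustration, not real worm code.
"""
from typing import List

# Constructed stand-ins for two different decryption routines. A real sample
# would carry machine code here; these are placeholder byte strings.
ROUTINE_A = b"<decrypt-A:constructed-stub>"
ROUTINE_B = b"[second-routine-B:made-up]"


def instance(routine: bytes, encrypted_body_hex: str) -> bytes:
    """One captured instance: invariant routine followed by a body that looks
    different every time because it was encrypted under a fresh key."""
    return routine + bytes.fromhex(encrypted_body_hex)


# Three instances sharing routine A; the bodies differ from the first byte on.
SAMPLES_A: List[bytes] = [
    instance(ROUTINE_A, "3a7f1c9e52b0d4e6a8013f57"),
    instance(ROUTINE_A, "91c2e47b0d5a63f8e21b7c04"),
    instance(ROUTINE_A, "c45d8a2f17e9b06d3a92f8e1"),
]
# Two instances of a copy that selected routine B instead.
SAMPLES_B: List[bytes] = [
    instance(ROUTINE_B, "0e6b93d27ac1f5848d3b60a7"),
    instance(ROUTINE_B, "7d21f8b4c96e0a3351de8f2c"),
]
# Constructed benign traffic, used to check for false positives.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def body_signature(sample: bytes, routine_len: int = len(ROUTINE_A), width: int = 8) -> bytes:
    """A naive signature: a byte window taken from the (encrypted) body."""
    return sample[routine_len:routine_len + width]


def count_matches(signature: bytes, samples: List[bytes]) -> int:
    """How many samples contain the signature anywhere."""
    return sum(1 for s in samples if signature in s)


def longest_common_substring(samples: List[bytes]) -> bytes:
    """Longest byte string present in every sample. Brute force over the
    shortest sample, longest window first; fine for inputs this small."""
    shortest = min(samples, key=len)
    n = len(shortest)
    for length in range(n, 0, -1):
        for start in range(n - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in samples):
                return candidate
    return b""


def signature_set(samples: List[bytes], min_len: int = 8) -> List[bytes]:
    """Group instances that share at least min_len common bytes (the same
    decryption routine) and emit one signature per group. With a bounded
    number of routines, every routine gets its own signature once enough
    samples are in hand."""
    remaining = list(samples)
    signatures: List[bytes] = []
    while remaining:
        group = [remaining.pop(0)]
        for other in list(remaining):
            if len(longest_common_substring([group[0], other])) >= min_len:
                group.append(other)
                remaining.remove(other)
        signatures.append(longest_common_substring(group))
    return signatures


if __name__ == "__main__":
    naive = body_signature(SAMPLES_A[0])
    print("body signature matches", count_matches(naive, SAMPLES_A), "of", len(SAMPLES_A))
    invariant = longest_common_substring(SAMPLES_A)
    print("recovered invariant:", invariant)
    print("invariant matches", count_matches(invariant, SAMPLES_A), "instances and",
          count_matches(invariant, [BENIGN]), "benign requests")
    print("signatures for the mixed set:", signature_set(SAMPLES_A + SAMPLES_B))
```

Run as a script it reports that the body window matches only the sample it was cut from, that the common substring of the routine-A instances is exactly the routine, and that the mixed set yields two signatures, one per routine. The brute-force common-substring search is quadratic in the shortest sample and is only meant to make the idea visible; a production signature generator would use a suffix structure or the PCA approach the paper mentions in its conclusion.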
When the worm tries to make a copy, one routine is randomly selected and the other routines are encrypted together with the worm body. The number of different decryption routines is limited by the total length of the worm. Given a limited number of decryption routines, it is possible to identify all of them as attack signatures after enough samples of the worm have been obtained.

Another polymorphism technique is called garbage-code insertion. It inserts garbage instructions into the copies of a worm. For example, a number of nop (no operation) instructions can be inserted at different places in the worm body, making it more difficult to compare the byte sequences of two instances of the same worm. However, from the statistical point of view, the frequencies of the garbage instructions in a worm can differ greatly from those in normal traffic. If that is the case, anomaly-detection systems can be used to detect the worm. Furthermore, some garbage instructions such as nop can be easily identified and removed.

CloudAV: N-version antivirus identifies malicious software by running multiple, heterogeneous engines in parallel to provide N-version protection. CloudAV includes a lightweight, cross-platform host agent, with ten antivirus engines and two behavioral detection engines [5].

The attacker sends one instance of a polymorphic worm to a network, and at every infection this worm automatically attempts to change its payload to generate other instances. So, if we need to capture all polymorphic worm instances, we need to give the polymorphic worm a chance to interact with hosts without affecting their performance. We therefore propose a new detection method, "Double-honeynet", to interact with polymorphic worms and collect all their instances.
The proposed method makes it possible to capture all worm instances and then forward these instances to the Signature Generator, which generates signatures.

II. SYSTEM ARCHITECTURE

In this architecture we use a double honeypot system to detect new worms. Figure 1 shows the architecture of the system. Firstly, the incoming traffic goes through the Gate Translator, which samples the unwanted inbound connections and redirects the sampled connections to Honeynet 1. The gate translator is configured with the publicly accessible addresses, which represent wanted services. Connections made to other addresses are considered unwanted and are redirected to Honeynet 1 by the Gate Translator. Secondly, once Honeynet 1 is compromised, the worm will attempt to make outbound connections. Each honeynet is associated with an Internal Translator, implemented in a router that separates the honeynet from the rest of the network. Internal Translator 1 intercepts all outbound connections from Honeynet 1 and redirects them to Honeynet 2, which does the same, forming a loop. Only packets that make outbound connections are considered malicious, and hence the Double-honeynet forwards only packets that make outbound connections. This policy rests on the fact that benign users do not try to make outbound connections when they are faced with non-existing addresses. Lastly, when enough instances of worm payloads have been collected by Honeynet 1 and Honeynet 2, they are forwarded to the Signature Generator component, which generates signatures. The Signature Generator consists of two honeypots, one high-interaction and one low-interaction, and a CloudAV instance consisting of ten antivirus engines and two behavioral detection engines. A sticky honeypot is placed between Honeynets 1 and 2 and Honeynet 3 to minimize worm propagation and to generate an effective signature for the worm using CloudAV.
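As an added example (not the paper's code), the traffic policy of this section, which is also steps a to d of the algorithm in Section III, can be simulated in a few lines of Python: the gate translator admits only wanted destinations, the internal translators bounce outbound connections between the two honeynets, and only payloads that attempted an outbound connection are collected and batched for the signature generator. The class and function names, the documentation-range addresses and the WORM:-tagged payload that stands in for a compromised host are assumptions made for the simulation.

```python
"""
Added example (not the paper's code): simulation of the double-honeynet
traffic policy. Addresses, payloads and the 'worm' behaviour are constructed:
a payload starting with WORM_TAG stands in for a compromised host that keeps
opening outbound connections, emitting a slightly different instance each time.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

WORM_TAG = b"WORM:"      # constructed marker; real worms carry no such label
PRODUCTION = "production"


@dataclass
class Connection:
    src: str
    dst: str
    payload: bytes


@dataclass
class Honeynet:
    name: str
    received: List[Connection] = field(default_factory=list)

    def run(self, conn: Connection) -> Optional[bytes]:
        """Simulated host: benign traffic makes no outbound connection;
        a worm payload yields the next-generation instance it would send out."""
        self.received.append(conn)
        if not conn.payload.startswith(WORM_TAG):
            return None
        generation = int(conn.payload[len(WORM_TAG):]) + 1
        return WORM_TAG + str(generation).encode()   # stand-in for polymorphic change


class DoubleHoneynet:
    def __init__(self, wanted_services: Set[str], threshold: int):
        self.wanted = wanted_services        # publicly advertised service addresses
        self.threshold = threshold           # instances to collect before signature generation
        self.h1 = Honeynet("honeynet-1")
        self.h2 = Honeynet("honeynet-2")
        self.peer: Dict[str, Honeynet] = {self.h1.name: self.h2, self.h2.name: self.h1}
        self.production: List[Connection] = []
        self.collected: List[bytes] = []     # payloads that made outbound connections
        self.signature_batches: List[List[bytes]] = []

    def gate_translator(self, conn: Connection) -> str:
        """Step a: wanted destinations pass to production; any other inbound
        connection is redirected to honeynet 1. Returns where it was sent."""
        if conn.dst in self.wanted:
            self.production.append(conn)
            return PRODUCTION
        self._deliver(self.h1, conn)
        return self.h1.name

    def internal_translator(self, source: Honeynet, payload: bytes) -> Connection:
        """Steps b-c: an outbound connection leaving one honeynet is intercepted
        and redirected to the other honeynet, forming the loop."""
        peer = self.peer[source.name]
        return Connection(src=source.name, dst=peer.name, payload=payload)

    def _deliver(self, honeynet: Honeynet, conn: Connection) -> None:
        """Follow a connection around the honeynet loop. Only payloads that try
        to connect outbound are recorded; a benign hit on a non-existent
        address stops here and is never forwarded."""
        current, target = honeynet, conn
        while True:
            outbound = current.run(target)
            if outbound is None:
                return
            self.collected.append(outbound)
            if len(self.collected) >= self.threshold:
                self.forward_to_signature_generator()   # step d
                return
            target = self.internal_translator(current, outbound)
            current = self.peer[current.name]

    def forward_to_signature_generator(self) -> None:
        """Hand the collected instances over as one batch and start afresh."""
        self.signature_batches.append(list(self.collected))
        self.collected = []


def demo() -> DoubleHoneynet:
    """Constructed traffic: a wanted request, a benign probe to an unadvertised
    address, and a worm hit on another unadvertised address."""
    net = DoubleHoneynet({"203.0.113.10:80"}, threshold=4)
    net.gate_translator(Connection("198.51.100.7", "203.0.113.10:80", b"GET / HTTP/1.1"))
    net.gate_translator(Connection("198.51.100.9", "203.0.113.77:445", b"benign-probe"))
    net.gate_translator(Connection("198.51.100.23", "203.0.113.55:445", b"WORM:1"))
    return net


if __name__ == "__main__":
    net = demo()
    print("production:", len(net.production), "honeynet-1:", len(net.h1.received),
          "honeynet-2:", len(net.h2.received))
    print("batches for signature generator:", net.signature_batches)
```

With a threshold of four, the single worm hit is bounced honeynet-1 → honeynet-2 → honeynet-1 → honeynet-2 and four distinct instances reach the signature generator as one batch, while the benign probe is recorded at honeynet-1 and never collected. The threshold is what stops the loop; a real deployment would also bound it in time, since a worm that keeps generating instances would otherwise keep the two honeynets busy indefinitely.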
If CloudAV is unable to detect a worm, the unused IP address system is automatically quarantined [6, 7]. Honeypot 3 holds a set of antivirus blocks for removing future polymorphic worms; these are developed with the help of the behavioral detection engine, which is deployed on the unused system continuously until the polymorphic worm is removed.

III. ALGORITHM

a. The Gate Translator collects incoming traffic and redirects it towards Honeynet 1.
b. An Internal Translator, implemented in a router, separates each honeynet from the rest of the network.
c. Internal Translator 1 intercepts all outbound connections from Honeynet 1 and redirects them to Honeynet 2.
d. When enough instances of worm payloads have been collected by Honeynet 1 and Honeynet 2, they are forwarded to the Signature Generator.
e. The Signature Generator consists of two honeypots (one high-interaction and one low-interaction). When the collected payloads are transferred to Honeypot 3, a sticky honeypot placed between them minimizes worm propagation, and the signature is generated at Honeypot 3.
f. Honeypot 3 runs the CloudAV antivirus, which consists of ten antivirus engines and two behavioral detection engines that run continuously at Honeypot 3.
g. All signatures are transferred to the storage system through the low-interaction honeypot. The IDS can then get all information about that payload.
h. If CloudAV at Honeynet 3 is unable to remove those worms, the unused IP address system is automatically quarantined.
i. On the quarantined unused system, the antivirus blocks with future-worm removal capabilities are run continuously until the worm is removed.
j. After removal of the polymorphic worm, the unused IP address system is connected to the network again.

IV. CONCLUSION

We have defined an algorithm to detect and defend against newly detected polymorphic worms. The framework is designed using a double honeynet and a sticky honeypot.
To detect new polymorphic worms we have used the CloudAV antivirus, which consists of ten antivirus engines and two behavioral detection engines that run continuously at Honeynet 3. Undetected worms will be automatically quarantined at the unused IP address system. In future we want to propose an automated signature generation system for polymorphic worms. We have proposed a new detection method, "Double-Honeypot", to detect new worms that have not been seen before. The proposed system will be based on Principal Component Analysis, which will determine the most significant data shared between all 'polymorphic worm' instances and use them as signatures.

REFERENCES

[1] L. Spitzner, "Honeypots: Tracking Hackers," Addison Wesley Pearson Education, Boston, 2002.
[2] Yong Tang and Shigang Chen, "An Automated Signature-Based Approach against Polymorphic Internet Worms," IEEE Transactions on Parallel and Distributed Systems, pp. 879-892, July 2007.
[3] Snort - The de facto standard for intrusion detection/prevention. Available: [URL not reproduced], 14 February 2011.
[4] Bro Intrusion Detection System. Available: [URL not reproduced], 14 February 2011.
[5] John Oberheide, Evan Cooke and Farnam Jahanian, "CloudAV: N-Version Antivirus in the Network Cloud," University of Michigan, Ann Arbor, USENIX, pp. 1-18, 2008.
[6] B. K. Mishra and N. Jha, "SEIQRS model for the transmission of malicious objects in computer network," Applied Mathematical Modelling, 34, pp. 710-715, 2010.
[7] D. Moore, C. Shannon, G. M. Voelker and S. Savage, "Internet Quarantine: Requirements for Containing Self-Replicating Code," Proceedings of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies, INFOCOM 2003, San Francisco, California, USA, April 2003.
[8] F. Cohen, "Computer worms: theory and experiment," Computers and Security, Vol. 6, pp. 22-35, 1987.
[9] Yong Tang and Shigang Chen, "Defending Against Internet Worms: A Signature-Based Approach," Department of Computer & Information Science & Engineering, University of Florida, Gainesville, FL 32611-6120, USA, 2010.
[10] Mohssen M. Z. E. Mohammed, H. Anthony Chan and Neco Ventura, "Honeycyber: Automated signature generation for zero-day polymorphic worms," Proc. of the IEEE Military Communications Conference, MILCOM, 2008.
[11] Y. Tang and S. Chen, "Defending Against Internet Worms: A Signature-Based Approach," in Proceedings of IEEE INFOCOM 2005, Miami, Florida, USA, pp. 1-11, 2005.