RESEARCH ARTICLE
ABSTRACT
In this paper, we propose an automatic defense system, called Serum System, against scanning worms. The homeland
security department of a country can use Serum System to protect its Internet infrastructure. When an infecting host is
infecting a Serum System host, called Serum System Server (SSS), the SSS automatically replaces the shellcode inside the
infecting string with its code (called serum code) and then uses the modified string (called serum string) to counterattack
the infecting host and takes control of it. The serum code transforms the infecting host into a Serum System Client (SSC)
that has the same functions as the SSS and is immune to the same worm. Therefore, infecting hosts attacking SSSs or
SSCs will transform themselves into SSCs. We implemented Serum System on Linux and also built a mathematical model
for Serum System to analyze its effectiveness and bandwidth savings. Our analyses show that with only a small number
of SSSs and through chain counterattacks, Serum System can automatically and rapidly defeat related infected hosts.
Compared with white worms whose spread cannot be controlled, Serum System only spreads on infected hosts. The amount
of accumulative traffic saved by Serum System at time tick 450 reached 90%. Copyright © 2014 John Wiley & Sons, Ltd.
KEYWORDS
computer crime; network security; system security; worm
*Correspondence
Li-Han Chen, Department of Computer Science and Information Engineering, National Central University, No.300, Jhongda Rd.,
Jhongli City, Taoyuan County 32001, Taiwan.
E-mail: lhchen@adl.csie.ncu.edu.tw
[Table header recovered without its body: Name | Congestion | Continuous attack | First scanning strategy | Second scanning strategy]
uously attack hosts. Serum System provides the homeland security department of a country with a reliable tool to protect its Internet infrastructure against scanning worms. Serum System can handle unprotected hosts and requires only a small number of initially deployed Serum System Servers (SSSs). Serum System precisely defeats a scanning worm and can solve the traffic congestion caused by worms. Moreover, Serum System does not need to apply patches to vulnerable programs. Scanning worms spread through BOA strings, called infecting strings. For a scanning worm, the same infecting string is used to infect hosts with the same BO vulnerability. Hence, when an infecting host (i.e., a worm host) attacks an uninfected host, the attacking string is the same string that the other host used to infect the infecting host. In other words, if we use the same infecting string to attack the infecting host via the same vulnerability, we are likely able to compromise that host again. When an infecting host is infecting the SSS, the SSS automatically replaces the shellcode inside the infecting string with its code (called serum code) and then uses the modified string (called serum string) to cure the infecting host. In this paper, the word "cure" means taking control of the infecting host and transforming the infecting host into a Serum System Client (SSC). An SSC has the same function as an SSS and is immune to the same worm. Any infecting host attacking an SSS or SSC will make itself an SSC instead.

We implemented Serum System on a Linux host, and also built mathematical models for the system to analyze its effectiveness and the resulting bandwidth savings. Our analyses show that with only a small number of SSSs, Serum System can automatically and rapidly cure the related infected hosts around the world through chain counterattacks. The amount of accumulative traffic saved by Serum System at time tick 450 reaches 90%. Compared with white worms and auto-patch mechanisms, our system is reversible and more precise.

The rest of this paper is organized as follows. Related work is surveyed in Section 2. Section 3 introduces the architecture and discusses some critical design issues of Serum System. Section 4 evaluates the effectiveness and performance overhead of Serum System. This section also builds some mathematical models to analyze the effectiveness and bandwidth saving of the proposed system. Section 5 discusses our design issues and the future work. Section 6 concludes the paper.

2. RELATED WORK

There has been much work on the automatic generation of worm signatures. Polygraph [11] generates a worm signature based on the invariant parts of various network traffic associated with the same polymorphic worm; thus, it provides more robust protection to hosts against polymorphic worms. However, this work suffers from non-trivial false positives and false negatives. Cavallaro et al. proposed an automated content-based signature generation system for polymorphic worms based on invariant byte analysis of network traffic content [14]. ShieldGen [15] automatically generates signatures for a wide range of attacks if a zero-day attack instance is provided. Even though ShieldGen can effectively reduce the number of false positives, it has non-trivial false negatives.

There has also been much work discussing, classifying, or modeling the behavior of various worms, and illustrating the connection between worms and cyber warfare [16]. Ma et al. discussed a new, stealthier type of worm, a self-stopping worm that could coordinate its members to halt infection activity after the vulnerable population is subverted [17]. Based on the Kermack–McKendrick model, Zou et al. took internet service provider (ISP) countermeasures and traffic congestion into account to build a two-factor worm model that describes worm behavior more accurately [18]. Chen et al. presented a mathematical model, Analytical Active Worm Propagation (AAWP), to characterize the propagation of worms that use random scanning [19]. Rajab et al. modified the aforementioned models and added a non-uniform scanning element [20].

Apart from automatic worm signature generation, containment and auto-patch are two major approaches developed to defend against worms. Zou et al. quarantine a host whenever its behavior looks suspicious by blocking traffic on its anomalous port [21]. After a short time, the system unlocks the related ports. The main purpose of this design is not to control worm spread but to decrease worm propagation speed so that users have more time to implement a solution. Vigilante [12], an end-to-end approach to contain worms automatically, utilizes dynamic dataflow analysis to capture various worms. After creating a worm signature, an end host broadcasts the signature to its peers. Each peer verifies the signature before using it. Through a series of experiments, Moore et al. surveyed how well any approach could contain a worm epidemic on the
716 Security Comm. Networks 2015; 8:715–726 © 2014 John Wiley & Sons, Ltd.
DOI: 10.1002/sec
F.-H. Hsu, L.-H. Chen and C.-J. Lin Defeat scanning worms in cyber warfare
Internet [22]. They concluded that the reaction time is a critical factor in a successful containment solution. However, current techniques and administration systems may not be able to contain worm propagation successfully. In addition, they also found that content filtering is more effective than address blocking. ARMORY [23] provided a kernel solution to automatically detect BO defects from application source code.

PASAN [10] instrumented a network application's source code with extra instructions to detect control hijacking and to record run-time information from which it can derive an attack signature and a patch for the detected attack. As for research about white worms [24,25], there were analyses and discussions about them, but no practical implementation has been completed. Besides, it is difficult to control the spread of a white worm. Castaneda et al. proposed a method similar to Serum System to disinfect infected hosts by transforming a malicious worm into an anti-worm and implemented some proofs of concept [26]. They also analyzed the effectiveness of an active counterattack mechanism. In Serum System, disinfection code is dispatched to an infecting host from an SSS or SSC when the infecting host is infecting the SSS or SSC. However, anti-worms need to download disinfection code from specific hosts; hence, these hosts may encounter traffic congestion, and attackers may launch denial of service/distributed denial of service attacks against them. Moreover, because Serum System stores various serum strings in each SSS and SSC, an SSS or SSC may utilize other unpatched vulnerabilities to cure an infecting worm. Active anti-worms can only spread on hosts that are not infected by a patch worm. Furthermore, while Serum System only counterattacks infected hosts, white worms, active anti-worms, and intrusion detection system (IDS)-based anti-worms may counterattack hosts that are not infected by a worm. Hence, Serum System is more accurate than previous solutions. Table II compares Serum System with white worms and anti-worms.

Table II. The difference between white worm, anti-worm, and Serum System.

3. ARCHITECTURE

In this section, we discuss the architecture of Serum System, the constituent hosts of the System (SSS and SSC), and the major components of the constituent hosts as well as their functionality.

3.1. System components

Serum System consists of two host types, SSS and SSC, containing the same components: sanitizer, redirector, downloader, and uploader. However, the functionality of each component may vary with the host type. The following is a brief description of each component.

3.1.1. Sanitizer.
A sanitizer is the core of an SSS and an SSC. It sanitizes infecting strings and converts them into serum strings. It takes input strings from a redirector, filters out, and drops input strings that match the characteristics of an infecting string. To find infecting strings, a sanitizer uses the signatures provided by a collaborative BOA signature generator, such as Aurora [9], STRIDE [27], and Sigfree [28], which can locate shellcode inside an infecting string. Currently, we use Aurora to implement sanitizers. Aurora uses invariant properties, such as the no-operation (NOP) sled and the deviation address, to detect BOAs, so it can also detect variants using the same vulnerability. Then, the sanitizer replaces the shellcode with serum code to generate a serum string. If the detected infecting string is from an external host, the sanitizer uses the serum string to cure the external host. If the detected string is from an internal process, the sanitizer removes the process and the related program. In both cases, the sanitizer drops the string directly to prevent an infecting host from continuously infecting other hosts.

3.1.2. Redirector.
By adjusting the firewall (such as iptables on a Linux platform) of the host that executes a piece of serum code, a redirector redirects input strings that would be sent to a vulnerable process to a sanitizer for pre-processing. The vulnerable process is the target of the infecting string that triggers the counterattack procedure. Moreover, the vulnerable process could be a local process or a network service in a remote host.
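The detection side of the sanitizer, written here as an added example rather than code from the paper or its implementation: it models only the part of Section 3.1.1 that receives a redirected input string, checks it against an infecting-string signature and decides between forwarding and dropping. The signature used is the NOP sled, one of the invariant properties the paper says Aurora relies on; the threshold of 32 bytes, the function names, the "external"/"internal" origin labels and the sample inputs are assumptions made for this example. The counterattack and process-removal steps of the paper are not modelled.

```python
# Added example, not code from the paper: a toy front-end for the sanitizer
# described in Section 3.1.1, restricted to detection and the drop/forward
# decision. The signature is one of the invariant properties the paper says
# Aurora relies on, the NOP sled. The threshold, the function names and the
# sample inputs below are assumptions made for this example.
from dataclasses import dataclass
from typing import Optional, Tuple

NOP_BYTE = 0x90          # x86 single-byte NOP
NOP_SLED_MIN_LEN = 32    # assumed threshold; shorter runs are treated as benign


@dataclass
class Verdict:
    action: str          # "forward" or "drop"
    reason: str
    sled_offset: int = -1
    sled_length: int = 0


def find_nop_sled(data: bytes, nop: int = NOP_BYTE,
                  min_len: int = NOP_SLED_MIN_LEN) -> Optional[Tuple[int, int]]:
    """Return (offset, length) of the longest run of `nop` bytes whose length is
    at least `min_len`, or None when the input has no such run."""
    best = None
    run_start = None
    # A sentinel that differs from `nop` closes a run that ends at the last byte.
    sentinel = bytes([(nop + 1) & 0xFF])
    for i, b in enumerate(data + sentinel):
        if b == nop:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            length = i - run_start
            if length >= min_len and (best is None or length > best[1]):
                best = (run_start, length)
            run_start = None
    return best


def sanitize(data: bytes, origin: str) -> Verdict:
    """Decide what happens to one input string that the redirector diverted
    from a vulnerable process. `origin` is "external" (a remote host) or
    "internal" (a local process), the two cases Section 3.1.1 distinguishes."""
    if origin not in ("external", "internal"):
        raise ValueError("origin must be 'external' or 'internal'")
    sled = find_nop_sled(data)
    if sled is None:
        # Nothing matched the infecting-string signature: pass it through unchanged.
        return Verdict("forward", "no infecting-string signature found")
    offset, length = sled
    # In both cases the string itself is dropped so the sender cannot keep
    # infecting other hosts; the paper's follow-up actions (counterattack,
    # removal of the local process) are deliberately not modelled here.
    return Verdict("drop", f"NOP sled of {length} bytes at offset {offset} "
                           f"({origin} origin)", offset, length)


# Constructed sample inputs for a peercast-like text protocol; not captured traffic.
SAMPLES = {
    "benign_request": (b"GET /channel.xml HTTP/1.0\r\nHost: example\r\n\r\n", "external"),
    "short_nop_run": (b"GET /" + b"\x90" * 8 + b" HTTP/1.0\r\n", "external"),
    "sled_then_payload": (b"A" * 16 + b"\x90" * 64 + b"<payload placeholder>", "external"),
    "sled_from_local": (b"\x90" * 40 + b"<payload placeholder>", "internal"),
}


def run_samples() -> dict:
    """Apply the sanitizer to every constructed sample; returns name -> action."""
    return {name: sanitize(data, origin).action
            for name, (data, origin) in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:20s} -> {action}")
```

A real deployment would feed this function from the redirector's diverted socket rather than from a dictionary of samples, and would combine the sled check with the other properties the paper lists (the deviation address, target port, and the signature supplied by the IDS) rather than relying on a single byte pattern, since a sled built from multi-byte NOP-equivalent instructions would not match this check.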
3.1.3. Downloader and uploader.
A downloader constitutes the major part of serum code. When executed in an infecting host, a downloader connects to the uploader of the SSS or SSC that sent the serum code, and downloads a sanitizer, a redirector, an uploader, and the source code of the downloader to the infecting host.

3.2. Workflow of Serum System Server and Serum System Client

In this subsection, we describe how the components of an SSS or SSC work together to cure an infecting host and transform it into an SSC.

Figure 1 illustrates the workflow of an SSS. When an IDS with an automatic signature generator detects an infecting string (1), it sends the string and the properties of the string, such as the signature, the location and length of the NOP sled, the target port, and the location of the address that will redirect the attacked process's execution flow to the shellcode, to the sanitizer (2). Based on the information provided by the IDS, the sanitizer replaces the shellcode inside the infecting string with serum code to create a serum string and then sends the serum string to the infecting host (3). The serum string is sent to the vulnerable process to take control of the infecting host. The vulnerable process is the previous victim of the infecting string. Via the same vulnerability, the serum code is executed (4). The major part of the serum code is a downloader that connects back to the uploader of the SSS (5) to download the whole program set of Serum System (6).

After downloading the program set, the downloader follows the steps described in Section 3.3 to invoke the related programs inside the set to transform the infecting host into an SSC. The workflow of an SSC is similar to that of an SSS, but its information about an infecting string is provided by an SSS or an SSC instead of an IDS.

Figure 1. Workflow of a Serum System Server.

3.3. Dataflow of Serum System Client and Serum System Server

After the sanitizer, redirector, downloader, and uploader are downloaded to the infecting host, the serum code executes the sanitizer and the redirector first. The redirector adjusts the firewall of the infecting host and redirects input strings destined for a vulnerable process to the sanitizer. Then, the serum code executes the uploader as a network service, in order to prepare for transmitting Serum System to other downloaders. Finally, the infecting host is reformed into an SSC.

The sanitizer of an SSS uses the signatures provided by a collaborative BOA signature generator, and the sanitizer of an SSC uses the signatures forwarded by an SSS or an SSC to find infecting strings. If the origin of a detected infecting string is an external host, the sanitizer replaces the shellcode inside the string with serum code to create a serum string and then uses the string to cure the external host. If the origin of a detected string is an internal process, the sanitizer drops the string directly to stop an infecting host from continuously infecting other hosts. Otherwise, the sanitizer forwards the sanitized strings to their original destinations. Figure 2 gives an overview of the aforementioned steps. After these steps, the infecting host is transformed into an SSC, which not only is immune to the same infecting string but also can cure other infecting hosts that were infected by the same infecting string. An SSC uses the same approach described in the previous subsection to cure other infecting hosts.

Figure 2. Dataflow of a Serum System Client.

3.4. Merging sanitizers

When curing an infecting host compromised by a worm, Serum System installs a sanitizer in the infecting host. Hence, in principle, each worm has a dedicated sanitizer in an infecting host to handle it. If a host is attacked by several worms, several sanitizers against different worms would be installed on the same host. To save system resources,
vulnerable hosts at time tick i is the number of vulnerable hosts at time tick i – 1 minus the number of newly curing hosts in the previous time tick:

ing pattern, the probability that the infecting host will be cured is $1 - (1 - \alpha)^x$. Hence, $R_i$ and $I_i$ are described using Equations (4) and (5), respectively:
Figure 4. Curing effect of Serum System for Internet worms. [Plot residue removed; panels (a) and (b); x axis: time tick, 0–500; y axis: host number, 0–7 × 10^5.]

Figure 5. Curing effect of Serum System for stealthy worms. [Plot residue removed; panels (a) and (b); x axis: time tick, 0–500; y axis: host number, 0–7 × 10^5.]
Table IV. The parameters used in the calculation in Section 4.1.3.

Symbol | Value
Total hosts | 2^24 hosts
S | 10 or 200 times/time tick
n_0 | 500 hosts
V_0 | 10 × 2^16 hosts
I_0 | 50 or 500 hosts
α | 1

peercast program. The aforementioned measurement was made 5000 times for both cases. Experimental results show that when host A is a normal host, the average time of the aforementioned tests is 0.00824 s, and when host A is a curing host, the average time of the aforementioned tests is 0.009343 s. Hence, the overhead is 13.3% (0.0011 s). However, because a network service is usually much more complicated than a peercast program, 13.3% can be deemed an upper bound of the performance overhead introduced by a curing host.
Symbol | Quantity
X_i | Total amount of traffic produced by all infecting hosts at time tick i when a Serum System is used.
Y_i | Total amount of traffic produced by all curing hosts at time tick i when a Serum System is used.
W_i | Total amount of traffic produced by all infecting hosts at time tick i when no Serum System is used.
z | Amount of traffic produced by a single infecting host per infection.
z′ | Amount of traffic produced by a single curing host per counterattack.
m_i | The number of infected hosts at time tick i when no Serum System is used.
Figure 6. Amount of traffic produced by infecting hosts and serum hosts when the scan rate is 200 times/time tick. [Plot residue removed; panels (a) and (b); x axis: time tick, 0–500; y axis: traffic (unit: KB), 0–8 × 10^9.]

Figure 7. Amount of traffic produced by infecting hosts and serum hosts when the scan rate is 10 times/time tick. [Plot residue removed; panels (a) and (b); x axis: time tick, 0–500; y axis: traffic amount (unit: KB), 0–5 × 10^8.]
the host; this fact will be ignored for simplicity. Hence, z is equal to 58 KB, and the results in this subsection can be deemed either the minimum traffic amount that Downadup will create or the minimum traffic amount that Serum System can save. Besides, according to the previous subsection, z′ is equal to 28 KB. Thus, with the aforementioned data and the parameters used in Section 4.1.2, we can obtain the amount of traffic created by infecting hosts and curing hosts during the first 500 time ticks, as shown in Figures 6 and 7.

At both high (Figure 6) and low (Figure 7) scan rates, the amount of traffic generated by curing hosts is far less than that created by infecting hosts. The experiments show that Serum System needs only a small amount of traffic to cure all hosts. The amount of traffic generated by Serum System has little influence on the network traffic.
Figure 8. Percentage of the amount of traffic saved by Serum System at various time ticks for different scan rates. [Plot residue removed; panels (a) 10 times/time tick and (b) 200 times/time tick; x axis: time tick, 0–500; y axis: percent (%), 0–100.]

Figure 9. Percentage of the amount of accumulated traffic saved by Serum System at various time ticks for different scan rates. [Plot residue removed; panels (a) 10 times/time tick and (b) 200 times/time tick; x axis: time tick, 0–500; y axis: percent (%), 0–100.]
We also compare the amount of network traffic with and without Serum System. According to AAWP, m_i and W_i can be calculated using the following equations:

$m_i = m_{i-1} + (V_0 - m_{i-1})\left[1 - \left(1 - \frac{1}{2^{32}}\right)^{S\, m_{i-1}}\right]$ (8)

$W_i = m_i \, S \, z$ (9)

Hence, the amount of traffic saved by Serum System at time tick i is as follows:

$W_i - (X_i + Y_i) = (m_i - n_i)\, S\, z - (I_{i+1} - I_i)\, z'$ (10)

And when a worm breaks out, the ratio of the traffic amount saved by Serum System at time tick i to the traffic amount appearing in the Internet when no Serum System is used at time tick i is $\big((m_i - n_i)\, S\, z - (I_{i+1} - I_i)\, z'\big) / W_i$.

Figure 8 shows that Serum System can successfully suppress worm traffic. Although Serum System cannot control the network traffic at the beginning of a worm attack, as the worm attack proceeds, a large amount of attack traffic is suppressed by Serum System. Because worms usually generate a huge amount of attack traffic, Serum System can effectively reduce a considerable amount of attack traffic.

Figure 9 shows the percentages of accumulated traffic saved by Serum System between time tick 0 and time tick 500. Under both low and high scan rates, the percentage reaches 90% at time tick 450. In addition, with a faster scan rate of the worm, the percentage of accumulated traffic saved by Serum System also increases at a faster rate. Hence, Serum System can significantly alleviate the traffic congestion problem caused by Internet worms. With a strong and proper counterattack mechanism, such as Serum System, the accumulated traffic generated by worms can be greatly reduced.
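Equations (8)–(10) carried through in code, as an added example that is not part of the paper or its implementation. `aawp_infected()` is the AAWP recurrence (8) with the Table IV parameters (V_0 = 10 × 2^16, S = 10 or 200), `worm_traffic()` is (9), and `traffic_saved()`/`saved_ratio()` evaluate (10) and the ratio stated after it. The curing-host series n_i and I_i come from the paper's Equations (4)–(5), which this page does not reproduce, so they are taken as caller-supplied inputs; z = 58 KB and z′ = 28 KB are the values given in Section 4.2. The helper names and the sample tick used in `demo()` are assumptions constructed for the example.

```python
# Added example, not code from the paper: Equations (8)-(10) carried through
# with the Table IV parameters. aawp_infected() is the AAWP recurrence (8),
# worm_traffic() is (9) and traffic_saved()/saved_ratio() are (10) and the
# ratio stated after it. The curing-host series n_i and I_i come from the
# paper's Equations (4)-(5), which are not on this page, so they are taken as
# caller-supplied inputs here. z = 58 KB and z' = 28 KB are the values stated
# in Section 4.2; the sample values in demo() are constructed, not measured.
from typing import List

ADDRESS_SPACE = 2 ** 32      # scan space in Equation (8)
V0 = 10 * 2 ** 16            # initially vulnerable hosts (Table IV)
Z_INFECT_KB = 58             # z: traffic per infection attempt by an infecting host
Z_CURE_KB = 28               # z': traffic per counterattack by a curing host


def aawp_infected(m0: float, scan_rate: float, ticks: int,
                  v0: float = V0, space: int = ADDRESS_SPACE) -> List[float]:
    """Equation (8): m_0..m_ticks, infected hosts when no Serum System is used."""
    m = [float(m0)]
    for _ in range(ticks):
        prev = m[-1]
        # Probability that a given vulnerable host is hit by at least one of the
        # scan_rate * m_{i-1} uniformly random probes sent in the previous tick.
        p_hit = 1.0 - (1.0 - 1.0 / space) ** (scan_rate * prev)
        m.append(prev + (v0 - prev) * p_hit)
    return m


def worm_traffic(m: List[float], scan_rate: float, z: float = Z_INFECT_KB) -> List[float]:
    """Equation (9): W_i = m_i * S * z, in KB, for every tick in m."""
    return [mi * scan_rate * z for mi in m]


def traffic_saved(m_i: float, n_i: float, i_now: float, i_next: float,
                  scan_rate: float, z: float = Z_INFECT_KB, zp: float = Z_CURE_KB) -> float:
    """Equation (10): W_i - (X_i + Y_i) = (m_i - n_i) S z - (I_{i+1} - I_i) z'."""
    return (m_i - n_i) * scan_rate * z - (i_next - i_now) * zp


def saved_ratio(m_i: float, n_i: float, i_now: float, i_next: float,
                scan_rate: float, z: float = Z_INFECT_KB, zp: float = Z_CURE_KB) -> float:
    """Saved traffic at tick i divided by W_i (the ratio stated after Equation (10))."""
    w_i = m_i * scan_rate * z
    return traffic_saved(m_i, n_i, i_now, i_next, scan_rate, z, zp) / w_i


def ticks_to_fraction(m: List[float], fraction: float, v0: float = V0) -> int:
    """First tick at which the worm alone has infected `fraction` of V0, or -1."""
    for i, mi in enumerate(m):
        if mi >= fraction * v0:
            return i
    return -1


def demo() -> dict:
    """Run (8)-(9) for the two Table IV scan rates and evaluate (10) on a
    constructed tick (m_i = 1000, n_i = 400, I_i = 100, I_{i+1} = 150, S = 10)."""
    out = {}
    for s in (10, 200):
        m = aawp_infected(m0=500, scan_rate=s, ticks=500)
        w = worm_traffic(m, s)
        out[s] = {"m_500": m[-1], "W_500_KB": w[-1],
                  "tick_half_infected": ticks_to_fraction(m, 0.5)}
    out["saved_kb_example"] = traffic_saved(1000, 400, 100, 150, 10)
    out["saved_ratio_example"] = saved_ratio(1000, 400, 100, 150, 10)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The recurrence keeps m_i between m_0 and V_0 because the bracketed hit probability lies in [0, 1]; with S = 200 the infected population saturates well inside 500 ticks, while S = 10 barely doubles it, which is the contrast the paper draws between Figures 6 and 7. Plugging the paper's own n_i and I_i series into `traffic_saved()` for each tick and summing would reproduce the accumulated-saving curve of Figure 9.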
16. Weaver N, Paxson V, Staniford S, Cunningham R. A taxonomy of computer worms. In Proceedings of the 2003 ACM Workshop on Rapid Malcode, WORM '03. ACM: New York, NY, USA, 2003; 11–18.
17. Ma J, Voelker GM, Savage S. Self-stopping worms. In Proceedings of the 2005 ACM Workshop on Rapid Malcode, WORM '05. ACM: New York, NY, USA, 2005; 12–21.
18. Zou CC, Gong W, Towsley D. Code red worm propagation modeling and analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS '02. ACM: New York, NY, USA, 2002; 138–147.
19. Chen Z, Gao L, Kwiat K. Modeling the spread of active worms. INFOCOM 2003. Twenty-Second Annual Joint Conference of the IEEE Computer and Communications, IEEE Societies, vol. 3, San Francisco, CA, USA, 2003; 1890–1900.
20. Rajab MA, Monrose F, Terzis A. On the effectiveness of distributed worm monitoring. In Proceedings of the 14th Conference on USENIX Security Symposium - Volume 14, SSYM'05. USENIX Association: Berkeley, CA, USA, 2005; 15–15.
21. Zou CC, Gong W, Towsley D. Worm propagation modeling and analysis under dynamic quarantine defense. In Proceedings of the 2003 ACM Workshop on Rapid Malcode, WORM '03. ACM: New York, NY, USA, 2003; 51–60.
22. Moore D, Shannon C, Voelker GM, Savage S. Internet quarantine: requirements for containing self-propagating code. INFOCOM 2003. Twenty-Second Annual Joint Conference of the IEEE Computer and Communications, IEEE Societies, vol. 3, San Francisco, CA, USA, 2003; 1901–1910.
23. Chen LH, Hsu FH, Hwang Y, Su MC, Ku WS, Chang CH. Armory: an automatic security testing tool for buffer overflow defect detection. Computers and Electrical Engineering 2013; 39(7): 2233–2242, DOI: 10.1016/j.compeleceng.2012.07.005.
24. Kleiner K. Viral cure could 'immunise' the internet. NewScientist Tech, 2005. Available from: http://www.newscientist.com/article/dn8403-viral-cure-could-immunise-the-internet.html. Accessed on 20 May 2012.
25. Schneier B. Benevolent worms, 2005. Available from: http://www.schneier.com/blog/archives/2005/12/benevolent_worm.html. Accessed on 20 May 2012.
26. Castaneda F, Sezer EC, Xu J. Worm vs. worm: preliminary study of an active counter-attack mechanism. In Proceedings of the 2004 ACM Workshop on Rapid Malcode, WORM '04. ACM: New York, NY, USA, 2004; 83–93.
27. Akritidis P, Markatos EP, Polychronakis M, Anagnostakis K. STRIDE: polymorphic sled detection through instruction sequence analysis. Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC), Chiba, Japan, 2005; 375–391.
28. Wang X, Pan CC, Liu P, Zhu S. Sigfree: a signature-free buffer overflow attack blocker. In Proceedings of the 15th Conference on USENIX Security Symposium - Volume 15, USENIX-SS'06. USENIX Association: Berkeley, CA, USA, 2006; 225–240.
29. McAfee. W32/conficker.worm, 2008. Available from: http://vil.nai.com/vil/content/v_153464.htm. Accessed on 20 May 2012.
30. Militan. linux/x86 connect back, download a file and execute 149 bytes. Exploit-db, 2008. Available from: http://www.exploit-db.com/exploits/13337/. Accessed on 20 May 2012.