Title: An Emulation-based Detection System for Detecting Polymorphic Network Worms - Using WLAN as a Case Study
Author: Chiang Huang
Chi-Chun Lo
Institute of Information Management
Keywords: Intrusion detection system; Vulnerabilities; Polymorphic worms
Date of publication: 2007
Abstract: This thesis proposes a detection method for polymorphic network worms, using a wireless network environment as the case study. Worm attack techniques are closely tied to the target platform; because real-world network worms still mainly target the Intel Architecture 32-bit platform, this study focuses on polymorphic worms for that platform in order to address a practical problem. Among existing approaches, string-signature-based detection is the fastest of all systems, but its false positive rate for polymorphic worms leaves room for improvement; static-analysis signature systems suffer from run-time obfuscation, and virtual-machine honeypots suffer from traffic redirection. This study therefore proposes a heuristic algorithm that improves the excessively high false positive rate of string-signature systems while avoiding the run-time code obfuscation and traffic redirection problems. By identifying decoder characteristics, we locate the entry point of the polymorphic worm's decoder, decode the encoded payload in an emulated environment, execute the decoded payload, and compare its system call behavior against that of decoded polymorphic network worms to decide whether the traffic is a polymorphic worm. From the analysis of the simulation results in a wireless LAN environment, we reach the following conclusions: (1) compared with the string-signature system Polygraph, the false positive rate is reduced by about 15%; (2) a packet scan length that is too short causes the decoder characteristics to be missed, so scanning at least 512 bytes is recommended; (3) for packets containing executable files, filtering executables lowers the false positive rate by roughly 25% compared with not filtering; (4) detection remains correct under packet fragmentation attacks. The experiments confirm that the proposed method effectively reduces the false positive rate.
This research proposes a polymorphic worm detection approach, using a WLAN as a case study. Platform issues profoundly affect worm attacks, and real network worms today primarily target Intel Architecture 32-bit platforms. To address this practical problem, this research concentrates on the x86 IA-32 platform. Among current approaches, substring-signature-based detection is the fastest, but its false positive ratio still requires improvement. Static-analysis signature systems have a major problem with run-time code obfuscation, and virtual-machine honeypot-based detection has a traffic redirection problem. Thus, this research proposes a novel approach to detecting polymorphic network worms that overcomes the weaknesses mentioned above. The approach is designed as follows: first, check for the signature of the polymorphic decoder and find the decoder's entry point; second, execute the decoder to reconstruct the original worm attack payload; third, from the execution behavior of the attack payload, determine whether it makes system calls for networking. The approach proposed in this research effectively eliminates high false positives. The conclusions are as follows: (1) the false positive ratio is reduced by about 15% on average compared with the existing signature system Polygraph in the best case; (2) scanning packets for the decoder signature is recommended above an MTU of 512 bytes; (3) filtering executable files in the network traffic reduces false positives by 25% compared with unfiltered traffic; (4) the proposed system works properly under a packet fragmentation attack.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009534528
http://hdl.handle.net/11536/39212
Appears in Collections: Thesis