On the Research of Intrusion Tolerance Network Counter the Internet Flooding Attacks
Ph.D. === National Central University === Graduate Institute of Information Management === 97 === Flooding-based attacks have always been a critical threat to Internet security. Owing to sophisticated hacking skills, many modern malicious programs can cause a global flooding attack in a short period of time. The zero-day polymorphic worms are the m...
Main Authors: | Wen-Chen Sun, 孫文駿 |
---|---|
Other Authors: | Yi-Ming Chen |
Format: | Others |
Language: | en_US |
Published: | 2009 |
Online Access: | http://ndltd.ncl.edu.tw/handle/59su3h |
id | ndltd-TW-097NCU05396094 |
---|---|
record_format | oai_dc |
spelling | ndltd-TW-097NCU05396094 2019-05-15T19:27:42Z http://ndltd.ncl.edu.tw/handle/59su3h On the Research of Intrusion Tolerance Network Counter the Internet Flooding Attacks 以入侵容錯網路對抗網際網路泛濫式攻擊之研究 Wen-Chen Sun 孫文駿 Ph.D. National Central University Graduate Institute of Information Management 97 Yi-Ming Chen 陳奕明 2009 dissertation ; thesis 107 en_US |
collection | NDLTD |
language | en_US |
format | Others |
sources | NDLTD |
description | Ph.D. === National Central University === Graduate Institute of Information Management === 97 === Flooding-based attacks have always been a critical threat to Internet security. Owing to sophisticated hacking skills, many modern malicious programs can cause a global flooding attack in a short period of time. Zero-day polymorphic worms are the most pressing threat. They not only exploit unknown vulnerabilities but also change their own representation on each new infection to evade detection. Such worms can therefore rapidly infect a tremendous number of hosts and cause massive denial of service across the Internet. Even network administrators cannot remotely reconfigure the devices to recover services manually. Global flooding attacks of this kind are hard to stop with traditional security mechanisms that build a single-barrier system. Therefore, instead of trying to prevent every such intrusion, we propose a new system architecture named VMITN (Virtual Machine based Intrusion Tolerance Network), which adopts OOB (Out-of-Band) network and virtual machine techniques to provide global intrusion tolerance capabilities. VMITN tolerates worm-based flooding attacks until the administrator removes the vulnerability leveraged by the worm. We propose the Seamless Rapidly Hand Over (SRHO) technique and the GA-based Placement Selection (GAPS) technique to enhance VMITN's tolerance capability. To filter zero-day worms at an early stage, two linear-time detection algorithms, Quick Worm Pattern Learning (QWPL) and Rough Set Worm Detection (RSWD), are proposed and evaluated. We have implemented a proof-of-concept prototype system and present its design and practical issues. In total, four well-known worm attack events, Code Red, Witty, Apache-Knacker and ATPhttpd, are tested in our experiments to evaluate VMITN's performance against various catastrophes. To demonstrate the usefulness of VMITN, we not only emulate real worm attack events in an emulation network but also simulate a large-scale network with NS-2 simulations. The results show that our VMITN architecture can provide reliability and survivability under severe worm attacks. |
author2 | Yi-Ming Chen |
author_facet | Yi-Ming Chen Wen-Chen Sun 孫文駿 |
author | Wen-Chen Sun 孫文駿 |
spellingShingle | Wen-Chen Sun 孫文駿 On the Research of Intrusion Tolerance Network Counter the Internet Flooding Attacks |
author_sort | Wen-Chen Sun |
title | On the Research of Intrusion Tolerance Network Counter the Internet Flooding Attacks |
title_short | On the Research of Intrusion Tolerance Network Counter the Internet Flooding Attacks |
title_full | On the Research of Intrusion Tolerance Network Counter the Internet Flooding Attacks |
title_fullStr | On the Research of Intrusion Tolerance Network Counter the Internet Flooding Attacks |
title_full_unstemmed | On the Research of Intrusion Tolerance Network Counter the Internet Flooding Attacks |
title_sort | on the research of intrusion tolerance network counter the internet flooding attacks |
publishDate | 2009 |
url | http://ndltd.ncl.edu.tw/handle/59su3h |
work_keys_str_mv | AT wenchensun ontheresearchofintrusiontolerancenetworkcountertheinternetfloodingattacks AT sūnwénjùn ontheresearchofintrusiontolerancenetworkcountertheinternetfloodingattacks AT wenchensun yǐrùqīnróngcuòwǎnglùduìkàngwǎngjìwǎnglùfànlànshìgōngjīzhīyánjiū AT sūnwénjùn yǐrùqīnróngcuòwǎnglùduìkàngwǎngjìwǎnglùfànlànshìgōngjīzhīyánjiū |
_version_ | 1719089079801348096 |