Virtual Playgrounds for Worm Behavior Investigation

To detect and defend against Internet worms, researchers have long hoped to have a safe, convenient environment in which to unleash and run real-world worms for close observation of their infection, damage, and propagation. However, major challenges exist in realizing such "worm playgrounds", including the playgrounds' fidelity, confinement, and scalability, as well as convenience in conducting worm experiments. In this paper, we present a virtualization-based platform to create virtual worm playgrounds, called vGrounds, on top of a physical infrastructure. A vGround is an all-software virtual environment dynamically created for a worm attack. It has realistic end-hosts and network entities, all realized as virtual machines (VMs) and confined in a virtual network (VN). The salient features of vGround include: (1) high fidelity, supporting real worm code exploiting real vulnerable services; (2) strict confinement, making the real Internet totally invisible and unreachable from inside a vGround; (3) high resource efficiency, achieving a sufficiently large scale of worm experiments; and (4) flexible and efficient worm experiment control, enabling fast (tens of seconds) and automatic generation, re-installation, and final tear-down of vGrounds. Our experiments with real-world worms (including multi-vector worms and polymorphic worms) have successfully exhibited their probing and propagation patterns, exploitation steps, and malicious payloads, demonstrating the value of vGrounds for worm detection and defense research.
