Automated Signature Sharing to Enhance the Coverage of Zero-day Attacks

(Korean title) A Scheme for Automated Signature Sharing to Improve Zero-day Attack Coverage

  • Received : 2010.01.12
  • Accepted : 2010.03.23
  • Published : 2010.08.15

Abstract

Automated signature generation systems (ASGSs) have recently been developed to cope with zero-day attacks by malicious code that exploits vulnerabilities not yet publicly known. To make the signatures produced by ASGSs useful, the signatures with high detection accuracy must be singled out from the many that are generated and delivered to the target security systems in a timely manner. These automated signature exchange, distribution and update operations have to be performed securely and in a universal manner across network administrative boundaries, and must also eliminate the noise in a signature set that degrades the performance of the security systems. In this paper we present a system architecture that supports identifying high-quality signatures and sharing them among security systems through a scheme that evaluates the detection accuracy of individual signatures, and we propose a set of algorithms for exchanging, distributing and updating signatures. Through an experiment on a test-bed we confirmed that high-quality signatures are accumulated automatically while the noise rate of the signature set is reduced. The proposed system architecture and algorithms can be adopted as an automated signature sharing framework.

(Korean abstract, translated) Automated signature generation systems have recently been developed to cope with zero-day attacks by malicious code that exploits undisclosed vulnerabilities. To raise the usefulness of automatically generated signatures, high-quality signatures with good detection accuracy must be identified and supplied to security systems in a timely manner. Such automated signature exchange, distribution and update must be carried out securely and in a general-purpose way across network administrative boundaries, and must be able to remove from the signature set the noise that degrades security-system performance. This paper presents a system architecture that supports identifying and sharing high-quality signatures through signature re-evaluation, and presents algorithms for signature exchange, distribution and update. Implementing and testing the proposed system and algorithms on a test-bed confirmed that the accumulation of signatures that improve zero-day attack coverage, while reducing noise in the signature set at the security systems, is automated. We expect that the system architecture and algorithms proposed in this paper can serve as an automated signature-sharing framework that improves zero-day attack coverage.
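The abstract describes three pieces: re-evaluating each generated signature for detection accuracy, pruning the noisy ones, and exchanging the survivors securely across administrative boundaries with an update rule at the receiver. The following is an added example of one way to realise that pipeline; it is not the paper's code or its actual algorithms. The precision-based scoring, the thresholds, the JSON bundle format, the HMAC-based integrity check with a shared key, and the sample traffic are all assumptions made for this illustration.

```python
"""Signature re-evaluation, noise pruning and authenticated exchange.

Added illustration for the architecture in the abstract; not the paper's
own code. Scoring rule, thresholds, bundle format, key and sample traffic
are assumptions of this example.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class Signature:
    sig_id: str
    pattern: bytes            # byte pattern an ASGS extracted from attack traffic
    true_positives: int = 0   # matched payloads later confirmed malicious
    false_positives: int = 0  # matched payloads later confirmed benign

    def precision(self) -> float:
        total = self.true_positives + self.false_positives
        return self.true_positives / total if total else 0.0


def evaluate(signatures, labelled_traffic):
    """Re-evaluate each signature against traffic whose verdict is known."""
    for sig in signatures:
        for payload, malicious in labelled_traffic:
            if sig.pattern in payload:
                if malicious:
                    sig.true_positives += 1
                else:
                    sig.false_positives += 1
    return signatures


def select_high_quality(signatures, min_precision=0.9, min_hits=3):
    """Keep only signatures that are both precise and actually exercised."""
    return [s for s in signatures
            if s.precision() >= min_precision and s.true_positives >= min_hits]


def noise_rate(signatures, min_precision=0.9):
    """Share of the set (0.0 .. 1.0) that falls below the precision bar."""
    if not signatures:
        return 0.0
    return sum(1 for s in signatures if s.precision() < min_precision) / len(signatures)


def package_for_exchange(signatures, key: bytes) -> dict:
    """Serialize the selected signatures and attach an HMAC-SHA256 tag.
    A shared key is assumed; across administrative domains a real
    deployment would use per-peer keys or public-key signatures."""
    body = {"signatures": [
        {"id": s.sig_id, "pattern": s.pattern.hex(), "precision": round(s.precision(), 3)}
        for s in sorted(signatures, key=lambda s: s.sig_id)]}
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def verify_and_merge(package: dict, key: bytes, local_set: dict) -> dict:
    """Receiver side: reject tampered bundles, then apply the update rule."""
    expected = hmac.new(key, package["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["mac"]):
        raise ValueError("signature bundle failed integrity check")
    for entry in json.loads(package["payload"])["signatures"]:
        current = local_set.get(entry["id"])
        # Update rule: replace the local copy only if the sender saw higher precision.
        if current is None or entry["precision"] > current["precision"]:
            local_set[entry["id"]] = entry
    return local_set


# Constructed sample traffic (not real captures): (payload, confirmed malicious?)
SAMPLE_TRAFFIC = [
    (b"GET /index.html HTTP/1.1", False),
    (b"GET /images/logo.png HTTP/1.1", False),
    (b"POST /login user=bob", False),
    (b"GET /cgi-bin/x?\x90\x90\x90\x90\x90/bin/sh", True),
    (b"\x90\x90\x90\x90\x90\x90\xcc/bin/sh -c id", True),
    (b"GET /a \x90\x90\x90\x90 /bin/sh", True),
]
SHARED_KEY = b"example-key-not-for-production"


def demo():
    """Run the whole pipeline on the constructed data and return the results."""
    sigs = [Signature("sig-nop-sled", b"\x90\x90\x90\x90"),
            Signature("sig-http-get", b"GET /"),   # over-general: fires on benign GETs
            Signature("sig-bin-sh", b"/bin/sh")]
    evaluate(sigs, SAMPLE_TRAFFIC)
    before = noise_rate(sigs)
    good = select_high_quality(sigs)
    bundle = package_for_exchange(good, SHARED_KEY)
    merged = verify_and_merge(bundle, SHARED_KEY, {})
    return {"noise_before": before, "noise_after": noise_rate(good),
            "kept": [s.sig_id for s in good], "merged": merged, "bundle": bundle}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the constructed traffic the over-general `GET /` signature scores a precision of 0.5 and is pruned, taking the set's noise rate from one third to zero, while the two signatures that only fire on the malicious payloads are bundled and accepted by the receiver. The receiver's update rule also refuses to overwrite a locally held entry with one reporting lower precision, and any modification of the bundle in transit fails the HMAC check.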
