Master's and Doctoral Theses: record etd-0904105-170131
Title page for etd-0904105-170131
Title: A NetFlow Based Internet-worm Detecting System in Large Network
Department:
Year, semester:
Language:
Degree:
Number of pages: 49
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2005-07-20
Date of Submission: 2005-09-04
Keywords: NetFlow, network security, network anomaly detection, Internet-worms
Statistics: the thesis/dissertation has been browsed 5696 times and has been downloaded 2414 times.
Abstract (translated from the Chinese)
Internet worms have become a major security issue on the Internet in recent years. They not only cause real harm to the information security of end hosts; the large numbers of packets and connections they generate while attacking also degrade the performance of the Internet as a whole. Moreover, managing a large network requires an effective mechanism for monitoring such problems: traditional packet capture can hardly cope with the traffic volume of a large network, while monitoring traffic anomalies with SNMP lacks detail and requires further analysis by the network administrator, which is laborious and time-consuming. In view of this, this thesis proposes an Internet-worm detection system that uses NetFlow as its source of analysis data, to help administrators of large networks monitor suspicious worm activity, identify the species of worm involved, understand the actual problem, and handle anomalies faster. Based on this method we also implemented a prototype system, FloWorM, and tested it with real NetFlow data from the National Sun Yat-sen University campus network and the Kaohsiung-Pingtung-Penghu regional network. Preliminary experimental results show that the prototype provides a low false positive rate and a good detection rate.
Abstract
Internet-worms are a major threat to the security of today's Internet and cause significant worldwide disruptions; a huge number of infected hosts generating overwhelming traffic will impact the performance of the Internet. Network managers have the duty to mitigate this issue. In this paper we propose an automated method for detecting Internet-worms in large networks based on NetFlow. We also implement a prototype system, FloWorM, which can help network managers monitor suspicious Internet-worm activities and identify their species in their managed networks. Our evaluation of the prototype system on real large and campus networks validates that it achieves a fairly low false positive rate and a good detection rate.
Table of Contents
Chapter 1 Introduction
Section 1-1 Research background
Section 1-2 Research motivation and objectives
Section 1-3 Chapter guide
Chapter 2 Related work
Section 2-1 Introduction to NetFlow
Section 2-2 Introduction to well-known Internet worms
Section 2-3 Research related to Internet worms
Section 2-4 Research related to Internet-worm detection methods
2-4-1 Packet-oriented detection methods
2-4-2 Connection-oriented detection methods
2-4-3 Trap-oriented detection methods
Chapter 3 System architecture and implementation
Section 3-1 FloWorM system architecture
Section 3-2 FloWorM system implementation
3-2-1 Spreading and Scanning Tracker
3-2-2 Repetitious Pattern Tracker
3-2-3 Analyzer
3-2-4 Reporter
Chapter 4 Validation and measurements
Section 4-1 Analysis of alert results
4-1-1 False positives
4-1-2 False negatives
Section 4-2 Comparison with other systems
Chapter 5 Conclusions and future work
Chapter 6 References
References
1 Computer Security Institute, "CSI/FBI 2004 Computer Crime and Security Survey", http://www.gocsi.com/
2 SNMP, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm
3 MRTG, http://people.ee.ethz.ch/~oetiker/webtools/mrtg/
4 Cisco, "NetFlow", http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
5 CAIDA, "Analysis of Code-Red", http://www.caida.org/analysis/security/code-red/
6 CERT, "CERT® Advisory CA-2001-26 Nimda Worm", http://www.cert.org/advisories/CA-2001-26.html
7 CERT, "CERT® Advisory CA-2002-27 Apache/mod_ssl Worm", http://www.cert.org/advisories/CA-2002-27.html
8 CAIDA, "Analysis of the Sapphire Worm", http://www.caida.org/analysis/security/sapphire/
9 CERT, "CERT® Advisory CA-2003-20 W32/Blaster Worm", http://www.cert.org/advisories/CA-2003-20.html
10 Symantec, "Symantec Security Response - W32.Welchia.Worm", http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
11 CAIDA, "The Spread of the Witty Worm", http://www.caida.org/analysis/security/witty/
12 The Honeynet Project, "Know Your Enemy: Tracking Botnets", http://www.honeynet.org/papers/bots/
13 Stuart Staniford, Vern Paxson, Nicholas Weaver, "How to Own the Internet in Your Spare Time", Proceedings of the 11th USENIX Security Symposium, 2002
14 Nicholas Weaver, Vern Paxson, Stuart Staniford, Robert Cunningham, "A Taxonomy of Computer Worms", Proceedings of the 2003 ACM Workshop on Rapid Malcode, 2003
15 Snort - the de facto standard for intrusion detection/prevention, http://www.snort.org/
16 Bro, http://bro-ids.org/
17 Vern Paxson, "Bro: A System for Detecting Network Intruders in Real-Time", Proceedings of the 7th USENIX Security Symposium, 1998
18 Ke Wang, Salvatore J. Stolfo, "Anomalous Payload-based Network Intrusion Detection", 7th International Symposium on Recent Advances in Intrusion Detection (RAID), 2004
19 Masaki Ishiguro, Hironobu Suzuki, Ichiro Murase, Hiroyuki, "Internet Threat Detection System Using Bayesian Estimation", 16th Annual FIRST Conference on Computer Security Incident Handling, 2004
20 Sumeet Singh, Cristian Estan, George Varghese, Stefan Savage, "Automated Worm Fingerprinting", 6th Symposium on Operating Systems Design and Implementation, 2004
21 Stuart Schechter, Jaeyeon Jung, Arthur W. Berger, "Fast Detection of Scanning Worm Infections", 7th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2004
22 Shou-Chuan Lai, Wen-Chu Kuo, Mu-Cheng Hsie, "Defending against Internet Worm-like Infestations", 18th International Conference on Advanced Information Networking and Applications, 2004
23 Wikipedia, the free encyclopedia, "Honeypot", http://en.wikipedia.org/wiki/Honeypot
24 Niels Provos, "Honeyd: A Virtual Honeypot Framework", Proceedings of the 13th USENIX Security Symposium, 2004
25 Christian Kreibich, Jon Crowcroft, "Automated NIDS Signature Creation using Honeypots", poster paper, SIGCOMM, 2003
26 David Moore, "Network Telescopes: Observing Small or Distant Security Events", invited presentation at the 11th USENIX Security Symposium, 2002
27 Judy Array, http://judy.sourceforge.net/
28 Flow-tools, http://www.splintered.net/sw/flow-tools/
Fulltext
This electronic full text is licensed to users only for personal, non-commercial retrieval, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as not to break the law.
Thesis access permission: open on campus immediately, open off campus after one year (off campus withheld)
Available:
Campus: available
Off-campus: available
Printed copies
Public access information for printed theses is relatively complete from ROC academic year 102 (2013-14) onward. To look up access information for printed theses from academic year 101 or earlier, please contact the printed thesis service counter of the Library and Information Services Office. We apologize for any inconvenience.
Available: available