Construction of an Experimental Environment for Network Worm Propagation (original Chinese title: 网络蠕虫传播的实验环境的构建)

Constructing of Experimental Environment of Network Worms Propagation

【Author】 耿中华

【Supervisors】 胡亮; 李强

【Author information】 吉林大学 (Jilin University), Software Engineering, 2008, Master's degree

【Abstract (Chinese)】 Network worms have become a serious threat to Internet security. Tracing the path of worm propagation gives a complete picture of the structure of the attack's spread, and defending against and responding to network worms improves a network's resilience. To detect and defend against large-scale Internet worm outbreaks, building a safe and convenient experimental environment able to run real worms is important work for observing large-scale worm infection, damage and propagation. This thesis proposes ZE, an isolated experimental environment for large-scale worm propagation experiments. It uses virtual machine technology to virtualize a large number of hosts and network devices so that the environment matches real networks as closely as possible. Using a real worm, a large-scale outbreak is triggered within a humanly controllable range, the propagation process is observed, and detection and defense methods are tested. Propagation characteristics such as scanning and the infection process are discovered, network traffic data and the infection process are collected in real time, and the network traffic is investigated. The real worm propagation process can thus be obtained and compared with the experimental results of the algorithm. To reduce the cost of reusing ZE, scripts are used to rebuild it.

【Abstract】 Network worms are a serious security threat to the Internet. Tracing a worm's propagation path reveals the overall structure of the attack's spread. To detect and defend against large-scale Internet worms, setting up a convenient and safe experimental environment capable of running and observing real-world worms is important work; such an environment can serve as a large-scale worm test bed for forensic evidence.

Large-scale network worm tracing research needs a reliable experimental environment for its algorithms. First, a real-time tracing algorithm needs theoretical analysis to prove its correctness under certain assumptions and preconditions. Second, different tracing models with different algorithm parameters must be established. But theoretical deduction cannot reflect the real execution of an algorithm. Many researchers use network simulation platforms such as ns2 [22] or parallel ns2 to build a tracing simulation test environment, simulating thousands of nodes under different network topologies and bandwidths. Simulation, however, is better suited to modeling than to real worm spread: the simulated process is too idealistic, does not truly reflect the operating system, and demands high-performance experimental hosts. Using physical hosts for large-scale worm tracing experiments is also infeasible: thousands of physical hosts cannot be guaranteed, and because worms are destructive, a large number of physical hosts cannot be reused quickly, so the management and configuration workload is huge.

In recent years, the development of virtual machine technology has promoted its application in network security research. Researchers have begun to run network worm detection and defense experiments using virtual machine technology [23, 24, 25]. One physical host can run a number of virtual machines with real operating systems installed and connected to the network; external visitors perceive no difference from a real host apart from a small performance gap. Virtual machine technology can therefore be used to build a highly realistic, flexibly controlled, encapsulated and reusable virtual experimental environment. After optimizing the virtual machine and the installed operating system, the performance demanded of the physical host is reduced: thousands of virtual operating-system nodes can be run on a few dozen physical hosts, making the propagation of a network worm through operating systems and the network more visible and allowing further observation of intruders' motivation, tools and methods.

UML [8] is a lightweight virtual machine system on Linux. It can run many instances on one physical host with various versions of the Linux operating system, and the guest operating system can be customized to the requirement: only the necessary system software and services need to be installed, so it has higher performance and occupies fewer resources of the physical host. In the experimental environment each physical host runs a UML system with a pre-customized guest operating system image, taking on various experimental roles according to its pre-configuration. After the environment is launched, the virtual machines on one physical host form a virtual local network (VN) connected by the UML virtual switch. Each physical host acts as the gateway of its own VN and connects it to the VNs on other hosts; extending this, a basic multi-VN experimental environment can be set up.

Using UML virtual machine technology, we established an experimental environment of 1000 virtual nodes on 25 PCs. The virtual clients run the Redhat Linux 6.1 operating system with BIND security holes; the physical hosts run Redhat Linux 9.0. Several virtual clients on a physical host form a VN, and virtual clients on different hosts communicate through the gateway on each physical host. A worm outbreak source is launched manually in one of the twenty LANs, the Lion worm attack [9] is started, and the tracing algorithm is then run so that its result can be analyzed against the true infections. The continuously collected real-time network flows include not only worm flows but also pre-installed normal background flows.

We provide a systematic analysis of a strategy for large-scale worm propagation tracing experiments based on virtual machine technology by setting up an experimental environment called zooecium (ZE). First, the framework of ZE is addressed; then its design and control are given; finally, ZE is analyzed through experiments. Experimental results show that ZE can trigger large-scale worm outbreaks within a humanly controllable scope, observe the worm's propagation process, test detection and defense techniques, discover worm propagation characteristics such as scanning method and propagation process, collect network traffic and the propagation process in real time, investigate network traffic, output results dynamically, and run an inference algorithm that reconstructs the worm's propagation path. The actual worm propagation process can thus be captured and compared with the results of the tracing algorithm.
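The multi-VN layout and the tracing step described above can be sketched in a few lines of Python. This is an added illustration, not code from the thesis or from ZE: the 10.<host>.0.0/24 addressing scheme, the flow-record tuple format, the use of port 53 as the exploited BIND service port, and the sample flows are all constructed assumptions. The tracer attributes each new infection to the earliest flow on the exploited port that came from an already-infected node, ignores the background traffic the abstract says is mixed in, and then compares its inferred parent edges with a ground-truth record of the kind the environment lets one capture.

```python
"""Model of the ZE multi-VN layout plus a simple propagation-path tracer.
Added example; the addressing scheme, flow format and sample data are constructed."""

HOSTS = 25          # physical hosts, from the abstract
NODES_PER_VN = 40   # 25 * 40 = 1000 virtual nodes, matching the abstract
BIND_PORT = 53      # assumption: the vulnerable guest service (BIND) listens on 53


def build_topology(hosts=HOSTS, nodes_per_vn=NODES_PER_VN):
    """Assumed scheme: physical host h owns VN 10.h.0.0/24, its gateway is .1,
    and the UML guests on it take .2 onwards."""
    topo = {}
    for h in range(1, hosts + 1):
        topo[h] = {
            "gateway": f"10.{h}.0.1",
            "guests": [f"10.{h}.0.{i}" for i in range(2, nodes_per_vn + 2)],
        }
    return topo


def total_nodes(topo):
    return sum(len(vn["guests"]) for vn in topo.values())


def vn_of(ip):
    """The VN number is the second octet under the assumed scheme."""
    return int(ip.split(".")[1])


def path_between(topo, src, dst):
    """Guests in one VN talk directly over the UML switch; guests in different
    VNs are forwarded through both physical hosts' gateways."""
    if vn_of(src) == vn_of(dst):
        return [src, dst]
    return [src, topo[vn_of(src)]["gateway"], topo[vn_of(dst)]["gateway"], dst]


def reconstruct_propagation(flows, seed, port=BIND_PORT):
    """flows: iterable of (time, src, dst, dport). Returns {victim: (parent, time)},
    with the seed mapped to None. Only flows on the exploited port from a node
    already believed infected can create a new infection; everything else
    (background traffic, contacts from clean nodes, repeat hits) is ignored."""
    infected = {seed: None}
    for t, src, dst, dport in sorted(flows):
        if dport != port or src not in infected or dst in infected:
            continue
        infected[dst] = (src, t)
    return infected


def compare_with_truth(inferred, truth):
    """Fraction of true (victim -> parent) edges the tracer reproduced, and the
    set of victims it attributed to the wrong parent or missed entirely."""
    wrong = {v for v, p in truth.items() if inferred.get(v, (None,))[0] != p}
    return (len(truth) - len(wrong)) / len(truth), wrong


# Constructed sample capture: worm flows on port 53 plus background traffic.
SAMPLE_FLOWS = [
    (1, "10.1.0.2", "10.1.0.3", 53),   # seed hits a neighbour in its own VN
    (2, "10.1.0.2", "10.7.0.5", 53),   # seed crosses to VN 7 via the gateways
    (2, "10.3.0.4", "10.3.0.9", 80),   # background HTTP flow, must be ignored
    (3, "10.7.0.5", "10.7.0.6", 53),   # second-generation infection in VN 7
    (4, "10.9.0.2", "10.9.0.3", 53),   # port-53 contact from a clean node, ignored
    (5, "10.1.0.3", "10.7.0.5", 53),   # repeat hit on an already-infected node
]

# Constructed ground truth, as ZE would record it from the guests themselves.
TRUE_PARENTS = {"10.1.0.3": "10.1.0.2", "10.7.0.5": "10.1.0.2", "10.7.0.6": "10.7.0.5"}

if __name__ == "__main__":
    topo = build_topology()
    print("nodes:", total_nodes(topo))
    print("cross-VN path:", path_between(topo, "10.1.0.2", "10.7.0.5"))
    inferred = reconstruct_propagation(SAMPLE_FLOWS, "10.1.0.2")
    for victim, edge in inferred.items():
        print(victim, "<-", edge)
    print("agreement with truth:", compare_with_truth(inferred, TRUE_PARENTS))
```

The point of `compare_with_truth` is the comparison the abstract ends on: because the environment runs a real worm on real guest images, the true infection order is available independently of the traffic, so a tracing algorithm's output can be scored edge by edge rather than only against a simulation model.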

【Key words (Chinese)】 worm; propagation; environment; experiment
【Key words】 Worm; Environment; Propagation; Experiment
  • 【Online publication contributor】 吉林大学 (Jilin University)
  • 【Online publication year and issue】 2009, issue 07
  • 【Classification number】 TP393.08
  • 【Download count】 68