Traditional worms such as Blaster, Code Red, Slammer and Sasser are still infecting vulnerable machines on the Internet, and they remain important threats because of how fast they spread. The attack patterns of several traditional worms have been analyzed from logs at different OSI layers, namely victim logs, attacker logs and the IDS alert log. These attack patterns can be abstracted to form a worm attack model that describes the process of worm infection. For the purpose of this paper, only Blaster variants were used during the experiment. This paper proposes a multi-step worm attack model which can be extended into the research areas of alert correlation and computer forensic investigation.
Traditional worms such as Blaster, Code Red, Slammer and Sasser are major threats to the security of the Internet. Their fast spreading nature, exploiting vulnerabilities in the operating system, has threatened the services offered online. In order to safeguard against future worms, it is important to understand how the current worms' infections propagate dynamically. This can be done by investigating the traces left by the attacker, which are considered the attack pattern.
There is a need to find a solution to detect and predict the propagation of a worm from one machine to another. For that reason this paper proposes a multi-step attack model for detecting and predicting the traditional worm by analyzing logs from various OSI layers on the worm source and on the other machines that are infected by it.
For the purpose of this paper, the researchers only used Blaster variants during the experiment, and the model is based on the fingerprint of the Blaster attack in the victim's logs, the attacker's logs and the IDS alert log.
Blaster spreads by exploiting the DCOM RPC vulnerability in Microsoft Windows described in Microsoft Security Bulletin MS03-026. The worm scans the local class C subnet, or other random subnets, on TCP port 135, and the systems it discovers are its targets. The exploit code opens a back door on TCP port 4444 and instructs the target to download the file MSBLAST.EXE from a remote system via Trivial File Transfer Protocol (TFTP) on UDP port 69 into the %WinDir%\system32 directory of the infected system and execute it.
Normally an exploit targets only a single operating system, for example Windows XP or Windows 2000, because the location of certain data in memory usually differs between platforms. Blaster therefore semi-randomly chooses the platform it attempts to infect: it uses the Windows 2000 variant of the exploit with 20% probability and the Windows XP variant with 80% probability, as in [1].
The Blaster worm's impact was not limited to a short period in August 2003. According to [2], a published survey of 19 research universities showed that each spent an average of US$299,579 during a five-week period to recover from Blaster and its variants. In addition, Blaster worms have the potential to generate multi-step attacks, which can increase the recovery cost of the infected systems and could initiate serious cyber crimes.
2.1 What is Multi-step Attack?
A multi-step attack is a sequence of attack steps that an attacker has performed, where each step of the attack depends on the successful completion of the previous step. These attack steps are a scan, followed by the break-in to the host and the tool installation, and finally an internal scan originating from the compromised host [3]. Therefore, the researchers intend to create a multi-step attack model for this particular Blaster attack so that it can be used for further research in alert correlation and computer forensic investigation.
2.2 What is Attack Model?
According to [4], the purpose of attack models is to identify how attacks are detected and reported. They developed methods and a language for modeling multi-step attack scenarios in a project called Correlated Attack Modeling. Their model is based on typical isolated alerts about attack steps, so that abstract attack models can be developed, shared among developer groups and used by different alert correlation engines.
Liu, Wang and Chen [5] proposed a general attack pattern using traffic data which consists of probe, scan, intrusion and goal, and can be mapped to a multi-step attack model. This model is further used to correlate multi-step attacks and construct the attack scenario. They used the DARPA IDS dataset to verify their algorithm.
Both multi-step attack models proposed by [4] and [5] use only alerts from IDSs and network traffic as the input to their model. In this research, the researchers use alerts from various logs of diverse devices. Research on multi-step attack models which deal with alerts from various logs is needed to provide more complete coverage of the attack space [6]. Therefore, this research proposes a new multi-step worm attack model suited to the alerts generated from various logs of diverse devices. The logs come from different OSI layers, with the focus on the application layer and the network layer: the IDS alert log, the victim logs and the attacker logs.
3 Experiment Approach
The framework of this experiment consists of four phases: Network Environment Setup, Multi-step Attack Activation, Multi-step Log Collection and Multi-step Log Analysis, as depicted in Fig. 1. The details of the phases are discussed in the following sub-sections.
Fig. 1. Multi-step Worm Attack Model Experimental Approach Framework
3.1 Network Environment Setup
The network environment setup consists of the core components of the multi-step attack model proposed by [7]. The steps involved are shown in Fig. 2: Attacker Goal Identification, Network Configuration, Privilege Profile and Trust Setting, and Vulnerability and Exploit Permission. The details of the steps are discussed as follows.
Fig. 2. Steps involved in network environment setup
3.1.1 Attacker Goal Identification
Information on attacker behaviour is analyzed by referring to several studies done by [1], [8], [9]. From this analysis, the Blaster worm's scanning method is sequential and the ports involved in the attack are 135/TCP, 4444/TCP and 69/UDP. The goal of the attacker is to make the system unstable by terminating the RPC service, which causes the system to reboot.
3.1.2 Network Configuration
The network configuration used in this experiment refers to the network simulation setup done by the MIT Lincoln Lab [10]; it has been slightly modified, using only CentOS and Windows XP, to suit our experiment's environment. The network design is shown in Fig. 3.
Fig. 3. Network Setup Environment for Blaster Multi-step attack
This network design consists of two switches, one router, two servers for the Intrusion Detection System (IDS Arowana and IDS Sepat) and one server for Network Time Protocol (NTP), all running CentOS 4.0, together with seven victims and one attacker running Windows XP. In this experiment, host 192.168.2.10 (Tarmizi) is selected as the Attacker, and hosts 192.168.2.2 (Mohd), 192.168.4.20 (Sahib) and 192.168.10.4 (Roslan) are the Victims which later become Attackers against hosts 192.168.12.3 (Selamat), 192.168.11.20 (Yusof) and 192.168.13.15 (Ramly) respectively.
The log files expected to be analyzed are the personal firewall log, security log, system log and application log generated by the host-level devices, and one log file generated by the network-level device (the alert log of the IDS). Wireshark is installed on each host and a tcpdump script is activated on the IDS to capture the whole network traffic. The Wireshark and tcpdump captures are used to verify the traffic between a particular host and the other devices.
3.1.3 Privilege Profile and Trust Setting
A network privilege profile consists of the privilege set of each network device and host, whereas trust is a transitive relationship between hosts. In this experiment, the trust relationship and the privilege profile have been set for each host.
3.1.4 Vulnerability and Exploit Permission
All the ports used by the attack, 135/TCP, 4444/TCP and 69/UDP, are permitted on the victim hosts to allow the exploitation by the attacker host.
3.2 Multi-step Attack Activation
A Blaster variant is installed and activated on the attacker machine, 192.168.2.10 (Tarmizi). The experiment runs for one hour without any human interruption in order to obtain the multi-step attack logs.
3.3 Multi-step Log Collection
Logs are collected at each victim and attacker machine. Each machine generates a personal firewall log, security log, application log, system log and Wireshark capture. The IDS machine generates the alert log and the tcpdump capture. The Wireshark and tcpdump files are used to verify the traffic between a particular host and the other devices.
3.4 Multi-step Log Analysis
In this multi-step log analysis process the researchers have carried out media imaging duplication using the IDS and analysis of the imaged media by analysing the logs generated by the attacker and victim machines.
The objective of the multi-step log analysis is to identify the multi-step Blaster attack by observing the specific attack pattern of Blaster that exists in the victim logs and attacker logs.
This multi-step log analysis is an input to the development of the proposed Multi-step Attack Model in Section 5.
4 Analysis and Findings
Based on the multi-step attack scenario, various logs from the hosts and the network are analyzed in order to perform the attack pattern analysis. From the findings, the attack patterns for the attacker, the victim and the multi-step attack are constructed. The details of the analysis and findings are elaborated in the following sub-sections.
4.1 Multi-step Attack Scenario
Using the multi-step worm attack model experimental approach framework of Section 3, the multi-step attack scenario is obtained through thorough log analysis.
The analysis shows that the worm attack is activated on Tarmizi and that this host successfully exploited all hosts except Yusof and Selamat. Subsequently, hosts Roslan, Sahib and Mohd, which had previously been exploited by Tarmizi, launched attacks on hosts Ramly, Yusof and Selamat respectively; this is what is called the multi-step attack. The scenario is illustrated in Fig. 4.
Fig. 4. Blaster attack scenario, which consists of the first step of the attack and the multi-step attack.
In this attack scenario, the hosts marked with 135, 4444 and 69 are indicated as successfully exploited by the attacker, and these hosts have been infected. On the other hand, the hosts marked with only 135 and 4444 show that the attacker has already opened the back door but has not successfully transferred the worm executable through port 69.
4.2 Attack Pattern Analysis
Attack pattern analysis is required to design the worm attack model. Using the multi-step attack scenario of Section 4.1, the logs are further analyzed to extract the attack patterns generated by the attacker, victim and multi-step attack (attacker/victim) hosts. For the purpose of this paper, logs are only extracted from selected hosts: Tarmizi, Sahib and Yusof. The researchers need to identify the traces left by the attacker, the victim and the multi-step attacker by tracing their characteristics in the selected logs, which are the host logs (personal firewall log, security log, system log and application log) and the network log (the alert log of the IDS). The summary of the attack patterns for the attacker, the victim and the multi-step attack (attacker/victim) is shown in Fig. 5, Fig. 6 and Fig. 7 respectively.
In Fig. 5, the attacker pattern of the worm's scanning and exploiting activities at host level can be gathered from Tarmizi's (the attacker's) personal firewall log. It consists of activities such as open port 135/TCP, open port 4444/TCP and open-inbound on port 69/UDP between Tarmizi and Sahib. Meanwhile, the symptom caused by the attacker can be found inside the attacker's security log, namely event ID 592 with the image file name of the worm executable (msblast.exe).
At network level, the attacker pattern can be divided into two sub-categories, activity and alarm. In the activity sub-category, the (Portscan) TCP Portsweep activity appears inside the IDS alert log, and the alarm generated shows the source IP address of the possible attacker. This attacker pattern is derived from the information extracted from the attacker's and the IDS's logs as highlighted in Fig. 5.
Fig. 5. Blaster attacker pattern. The left column shows the overall pattern of the attacker and the right column shows the information extracted from the attacker logs (Tarmizi's logs) and the network logs.
Fig. 6. Blaster victim pattern. The left column shows the overall pattern of the victim and the right column shows the information extracted from the victim logs (Sahib's logs) and the network logs.
From the victim's perspective in Fig. 6, the pattern can be traced from the host log and the network log. The victim pattern is derived from the information extracted from the victim's and the IDS's logs as highlighted in the right column. In the host log, the scanning and exploiting activities can be traced on ports 135/TCP, 4444/TCP and 69/UDP, whereas the impact can be found inside the security and system logs.
At network level, the pattern can be assessed using the activity and alarm inside the IDS alert log: the activity is the TFTP Get, and the alarm generated gives the source IP address and the destination IP address as the possible victim and attacker respectively, since it is the victim that fetches the worm executable from the attacker's TFTP server.
Fig. 7. Blaster multi-step attack pattern. The left column shows the pattern of the victim/attacker and the right column shows the information extracted from the victim/attacker logs (Sahib's logs) and the network logs.
Fig. 7 shows the multi-step attack pattern. At host level, extracted from Sahib's logs, and at network level, the findings from the extracted data indicate that Sahib is a victim of Tarmizi and also the attacker of Yusof.
From the analysis, the researchers have constructed three categories of attack pattern: victim, attacker and multi-step attack pattern. All of these patterns are used to design the worm attack model. The victim and attacker patterns are used to develop a basic worm attack model, while the multi-step attack pattern is used to develop the multi-step worm attack model.
5 Proposed Worm Attack Model
The worm attack model is designed based on the findings from the attack pattern analysis. The following sub-sections describe the details.
5.1 Basic Worm Attack Model
From the findings, the attacker and victim patterns are the primary input for designing the basic worm attack model. Both patterns consist of several attack steps, which are scan, exploit and impact/effect.
These attack patterns are then mapped to the basic worm attack model as motivated by [5]. They modeled attacks into a general pattern which consists of Probe, Scan, Intrusion and Goal. However, this attack model is not suited to this research, which involves diverse logs and the traces left by attacker and victim. Therefore, we propose a basic worm attack model which consists of Scan, Exploit and Impact/Effect, as illustrated in Fig. 8.
Fig. 8. Basic Worm Attack Model
Scan – the worm scans sequential or random IP addresses on a specific port.
Exploit – the worm attempts to download the malicious code once the exploited host has opened a back door on a specific port.
Impact/Effect – the worm leaves fingerprints in selected logs.
5.2 Multi-step Worm Attack Model
A multi-step attack is a series of attack steps that an attacker has performed, where each step depends on the successful completion of the previous step, as shown in the multi-step attack pattern in Fig. 7.
The attack steps found in the proposed basic worm attack model, namely scan, exploit and impact/effect, are also found in the multi-step attack pattern. Hence, this multi-step attack pattern is used to develop a new multi-step worm attack model, as shown in Fig. 9, and the basic worm attack model is one of the main elements of the multi-step worm attack model.
Fig. 9. Multi-step Worm Attack Model
The proposed multi-step worm attack model consists of three main components: victim, attacker and multi-step attack (attacker/victim). Each component comprises the three elements of the basic worm attack model: scan, exploit and impact/effect.
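As an added example (not part of the original paper or of its experiment), the following Python script applies the marking rule of Section 4.1 and the three-component model of this section to constructed log fragments: personal firewall lines in the Windows XP pfirewall.log field order, security-log process-creation records (event ID 592) and simplified IDS alert lines. Only the host names and addresses are taken from the paper's set-up; the log contents, the threshold of three distinct 135/TCP targets used to call a portsweep, and the assumption that the event 592 image name contains msblast.exe are assumptions of this example. The script reconstructs the attack edges between hosts, classifies each edge as infected (135, 4444 and 69 all observed), backdoor-only (135 and 4444 only) or scan-only, assigns the attacker, victim and attacker/victim roles, and cross-checks every infected edge against the IDS TFTP Get alert, whose source is the victim and whose destination is the attacker.

```python
# Added example: reconstruct a multi-step Blaster attack from host and IDS logs.
from collections import defaultdict
import ipaddress

HOSTS = {"192.168.2.10": "Tarmizi", "192.168.4.20": "Sahib", "192.168.11.20": "Yusof"}
SCAN_PORT, BACKDOOR_PORT, TFTP_PORT = 135, 4444, 69

# Constructed personal-firewall lines (not captured from the paper's experiment) in
# Windows XP pfirewall.log field order: date time action protocol src-ip dst-ip src-port dst-port ...
FIREWALL_LOGS = {
    "Tarmizi": """\
2009-03-02 10:00:01 OPEN TCP 192.168.2.10 192.168.4.19 1030 135 - - - - - - - - -
2009-03-02 10:00:01 OPEN TCP 192.168.2.10 192.168.4.20 1031 135 - - - - - - - - -
2009-03-02 10:00:02 OPEN TCP 192.168.2.10 192.168.4.21 1032 135 - - - - - - - - -
2009-03-02 10:00:03 OPEN TCP 192.168.2.10 192.168.4.20 1033 4444 - - - - - - - - -
2009-03-02 10:00:04 OPEN-INBOUND UDP 192.168.4.20 192.168.2.10 1040 69 - - - - - - - - -
2009-03-02 10:00:09 OPEN TCP 192.168.2.10 192.168.11.20 1034 135 - - - - - - - - -
2009-03-02 10:00:10 OPEN TCP 192.168.2.10 192.168.11.20 1035 4444 - - - - - - - - -
""",
    "Sahib": """\
2009-03-02 10:00:01 OPEN-INBOUND TCP 192.168.2.10 192.168.4.20 1031 135 - - - - - - - - -
2009-03-02 10:00:03 OPEN-INBOUND TCP 192.168.2.10 192.168.4.20 1033 4444 - - - - - - - - -
2009-03-02 10:00:04 OPEN UDP 192.168.4.20 192.168.2.10 1040 69 - - - - - - - - -
2009-03-02 10:05:00 OPEN TCP 192.168.4.20 192.168.11.20 1050 135 - - - - - - - - -
2009-03-02 10:05:01 OPEN TCP 192.168.4.20 192.168.11.20 1051 4444 - - - - - - - - -
2009-03-02 10:05:02 OPEN-INBOUND UDP 192.168.11.20 192.168.4.20 1060 69 - - - - - - - - -
""",
}
# Constructed security-log records (event ID, image name); 592 = process created on XP.
SECURITY_LOGS = {h: [(592, r"C:\WINDOWS\system32\msblast.exe")] for h in HOSTS.values()}
# Constructed, simplified IDS alert lines: alert name, then source -> destination.
IDS_ALERTS = """\
[**] (Portscan) TCP Portsweep [**] 192.168.2.10 -> 192.168.4.19
[**] TFTP Get [**] 192.168.4.20 -> 192.168.2.10
[**] TFTP Get [**] 192.168.11.20 -> 192.168.4.20
"""

def parse_firewall(text):
    """Yield (action, proto, src, dst, dport) from pfirewall.log data lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and not f[0].startswith("#"):
            yield f[2], f[3], f[4], f[5], int(f[7])

def attack_steps(firewall_logs):
    """(attacker, victim) -> ports seen. 135 and 4444 run attacker -> victim; the
    TFTP fetch on UDP 69 runs victim -> attacker, so its src/dst are swapped."""
    steps = defaultdict(set)
    for log in firewall_logs.values():
        for _, proto, src, dst, dport in parse_firewall(log):
            if proto == "TCP" and dport in (SCAN_PORT, BACKDOOR_PORT):
                steps[(src, dst)].add(dport)
            elif proto == "UDP" and dport == TFTP_PORT:
                steps[(dst, src)].add(dport)
    return steps

def portsweeps(firewall_logs, min_targets=3):
    """Sources opening TCP 135 to >= min_targets hosts -> (count, longest run of
    consecutive addresses); a long run is the sequential scan of Section 3.1.1."""
    targets = defaultdict(set)
    for log in firewall_logs.values():
        for action, proto, src, dst, dport in parse_firewall(log):
            if action == "OPEN" and proto == "TCP" and dport == SCAN_PORT:
                targets[src].add(int(ipaddress.ip_address(dst)))
    out = {}
    for src, ips in targets.items():
        if len(ips) >= min_targets:
            s, best, run = sorted(ips), 1, 1
            for a, b in zip(s, s[1:]):
                run = run + 1 if b == a + 1 else 1
                best = max(best, run)
            out[src] = (len(s), best)
    return out

def classify(steps):
    """Section 4.1 marking rule: 135+4444+69 -> infected; 135+4444 only -> back door
    opened but no executable transferred; anything else -> scan-only."""
    result = {}
    for edge, ports in steps.items():
        if {SCAN_PORT, BACKDOOR_PORT, TFTP_PORT} <= ports:
            result[edge] = "infected"
        elif {SCAN_PORT, BACKDOOR_PORT} <= ports:
            result[edge] = "backdoor-only"
        else:
            result[edge] = "scan-only"
    return result

def roles(edge_status, security_logs):
    """Host name -> (role, has event-592 msblast.exe fingerprint). A host that was
    infected and then attacked others is the attacker/victim component."""
    attackers = {a for a, _ in edge_status}
    infected = {v for (_, v), s in edge_status.items() if s == "infected"}
    out = {}
    for ip in attackers | infected:
        name = HOSTS.get(ip, ip)
        role = ("attacker/victim" if ip in attackers and ip in infected
                else "victim" if ip in infected else "attacker")
        fp = any(eid == 592 and "msblast.exe" in img.lower()
                 for eid, img in security_logs.get(name, []))
        out[name] = (role, fp)
    return out

def corroborate(edge_status, alerts_text):
    """For each infected edge, did the IDS also see TFTP Get? That alert lists the
    victim as source and the attacker as destination, so the pair is reversed."""
    tftp = set()
    for line in alerts_text.splitlines():
        _, name, rest = line.split("[**]")
        src, dst = (x.strip() for x in rest.split("->"))
        if name.strip() == "TFTP Get":
            tftp.add((dst, src))
    return {e: e in tftp for e, s in edge_status.items() if s == "infected"}

def reconstruct():
    """Run the whole analysis over the constructed logs, keyed by host name."""
    status = classify(attack_steps(FIREWALL_LOGS))
    name = lambda e: tuple(HOSTS.get(ip, ip) for ip in e)
    return {"sweeps": portsweeps(FIREWALL_LOGS),
            "edges": {name(e): s for e, s in status.items()},
            "roles": roles(status, SECURITY_LOGS),
            "ids_confirms": {name(e): ok for e, ok in corroborate(status, IDS_ALERTS).items()}}
```

Running `reconstruct()` on the constructed logs reports Tarmizi as attacker, Sahib as attacker/victim and Yusof as victim; the Tarmizi to Yusof edge is backdoor-only (135 and 4444 without the TFTP transfer) while Sahib to Yusof is infected, and both infected edges are corroborated by a TFTP Get alert. Because the same edge is usually visible in both the attacker's and the victim's firewall logs, the ports are collected into a set so that duplicate sightings do not distort the classification; the cross-check against the IDS is what the paper's network-level victim pattern supplies.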
6 Conclusion and Future Directions
In this paper, the researchers have analyzed diverse logs in order to identify the attack patterns from the attacker's and the victim's perspectives in an attack scenario. The output of the analysis is used to develop the basic worm attack model, which is then extended to cover the multi-step attack. The findings are essential for further research in alert correlation and computer forensic investigation.
We thank Universiti Teknikal Malaysia Melaka for the Short Grant support (PJP/2009/FTMK (8D) S557) for this research project.