Improvising Intrusion Detection for Malware Activities on Dual-Stack Network Environment

Malware is software written to do harm to computers, and it has become a significant threat to computer networks. A malware attack does not only cause financial loss; it can also cause fatal errors that, in some cases, may cost lives. With the emergence of Internet Protocol version 6 (IPv6), many people believe this protocol could solve most malware propagation issues because of its much larger address space. As IPv6 is still new compared to native IPv4, several transition mechanisms have been introduced to promote a smoother migration. Unfortunately, these transition mechanisms allow some malware to propagate its attack from the IPv4 to the IPv6 network environment. In this paper, a proof of concept shall be presented to show that some existing IPv4 malware detection techniques need to be improvised in order to detect malware attacks in a dual-stack network more efficiently. A testbed of a dual-stack network environment has been deployed, and some genuine malware has been released in it to observe its behavior. The results from these different scenarios will be analyzed and discussed further in terms of behavior and propagation method. The results show that, on a dual-stack network, malware behaves differently over IPv6 than over the IPv4 network protocol. A new detection technique is called for in order to cater for this problem in the near future.
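The abstract's central point, that a detector built around IPv4 addresses can miss the IPv6 half of a dual-stack network, is easy to make concrete. The following is an added example, not code from the paper or its testbed: a minimal fast-scan heuristic (many distinct destination hosts from one source within a short window) run over a constructed set of flow records. The legacy variant parses only IPv4 sources, the dual-stack variant accepts both address families and folds IPv4-mapped IPv6 addresses back onto their IPv4 form so one host is counted once. The flow format, the threshold and the window are assumptions chosen for illustration.

```python
"""Fast-scan heuristic over constructed flow records: IPv4-only vs dual-stack.

Added example; the record format, threshold and window are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not captured from any real network):
# "<t_seconds> <src> <dst> <dst_port>"
# 192.0.2.10 sweeps six IPv4 hosts, 2001:db8::10 sweeps six IPv6 hosts,
# one flow arrives from 192.0.2.10 via its IPv4-mapped IPv6 form,
# and 192.0.2.50 is a benign single connection.
SAMPLE_FLOWS = """\
0 192.0.2.10 192.0.2.20 445
1 192.0.2.10 192.0.2.21 445
2 192.0.2.10 192.0.2.22 445
3 192.0.2.10 192.0.2.23 445
4 192.0.2.10 192.0.2.24 445
5 192.0.2.10 192.0.2.25 445
0 2001:db8::10 2001:db8::20 445
1 2001:db8::10 2001:db8::21 445
2 2001:db8::10 2001:db8::22 445
3 2001:db8::10 2001:db8::23 445
4 2001:db8::10 2001:db8::24 445
5 2001:db8::10 2001:db8::25 445
0 ::ffff:192.0.2.10 2001:db8::30 445
1 192.0.2.50 192.0.2.60 80
"""

WINDOW_SECONDS = 10          # assumed observation window per source
DISTINCT_TARGET_THRESHOLD = 5  # assumed "fast scan" threshold


def parse_flows(text):
    """Turn the whitespace-separated records into (t, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port = line.split()
        records.append((int(t), src, dst, int(port)))
    return records


def _flag_scanners(records, key_func):
    """Count distinct destinations per source within WINDOW_SECONDS of its first flow.

    key_func maps an address string to a host key, or returns None to skip
    the record; this is where the IPv4-only and dual-stack detectors differ.
    """
    first_seen = {}
    targets = defaultdict(set)
    for t, src, dst, _port in sorted(records):
        src_key = key_func(src)
        if src_key is None:
            continue
        first_seen.setdefault(src_key, t)
        if t - first_seen[src_key] > WINDOW_SECONDS:
            continue
        dst_key = key_func(dst)
        targets[src_key].add(dst_key if dst_key is not None else dst)
    return sorted(s for s, d in targets.items() if len(d) >= DISTINCT_TARGET_THRESHOLD)


def ipv4_only_key(addr_text):
    """Legacy-style view: anything that is not a plain IPv4 literal is invisible."""
    try:
        return str(ipaddress.IPv4Address(addr_text))
    except ipaddress.AddressValueError:
        return None


def canonical_host(addr_text):
    """Dual-stack view: accept both families; fold ::ffff:a.b.c.d onto a.b.c.d."""
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def detect_ipv4_only(records):
    return _flag_scanners(records, ipv4_only_key)


def detect_dual_stack(records):
    return _flag_scanners(records, canonical_host)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("IPv4-only detector flags:", detect_ipv4_only(flows))
    print("dual-stack detector flags:", detect_dual_stack(flows))
```

On the constructed input the IPv4-only detector reports only 192.0.2.10; the IPv6 sweep from 2001:db8::10 never enters its counters, and the IPv4-mapped flow is dropped at parse time. The dual-stack detector reports both sources, and attributes the mapped flow to 192.0.2.10. Real transition traffic (tunnelled or translated) needs more than this address-family fix, which is the gap the abstract points at.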




