Improvising Intrusion Detection for Malware Activities on Dual-Stack Network Environment
Authors: Zulkiflee M., Robiah Y., Nur Azman Abu, Shahrin S.
Abstract:
Malware is software invented for the purpose of doing harm to computers, and it is becoming a significant threat to computer networks today. A malware attack involves not only financial loss; in some cases it can also cause fatal errors that cost lives. As the new Internet Protocol version 6 (IPv6) emerged, many people believed that this protocol could solve most malware propagation issues because of its broader addressing scheme. Since IPv6 is still new compared to native IPv4, some transition mechanisms have been introduced to promote a smoother migration. Unfortunately, these transition mechanisms allow some malware to propagate its attack from the IPv4 to the IPv6 network environment. In this paper, a proof of concept is presented to show that some existing IPv4 malware detection techniques need to be improvised in order to detect malware attacks in a dual-stack network more efficiently. A testbed of a dual-stack network environment has been deployed and some genuine malware has been released to observe its behaviour. The results of these different scenarios are analyzed and discussed further in terms of behaviour and propagation methods. The results show that malware behaves differently on IPv6 than on IPv4 in the dual-stack network environment. A new detection technique is called for to address this problem in the near future.
Keywords: Dual-Stack, Malware, Worm, IPv6, IDS
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1058929