International Journal of Digital Content Technology and its Applications
Volume 3, Number 1, March 2009
can spread like biological viruses [9]. As the connections at that time were simple, physical isolation was intuitively feasible. However, the theory did not foresee that today's Internet contains so many dynamic, logical and abstract connections. Recently, network isolation has attracted much attention. Kwo-Jean Farn makes a comprehensive study of the requirements of network isolation for information security [10]. Farn, K.-J. takes the first step in the definition of segregation of security objects [11]. Wenyuan Kuang presents a new one-way method for isolating file access [12]. Yeu-Pong Lai provides implementation guidance for network isolation with some logical isolation techniques and management policies [13]. Zhi Yu, Ramani Subramanian, and Surjit Ahluwalia of Intel even discuss the manufacturing methodology for network isolation [14].

Based on those researches, there are some isolation techniques. For the fault detection and isolation of specific networks, logical isolation techniques have appeared in recent years which use software to realize the isolation and assure the transmission of the non-isolated nodes in the network [15, 16, 17]. There are also some other studies proposing hybrid isolation of physical and logical methods in order to protect certain nodes in a sub-network from unauthorized access and attacks from the Internet [18, 19, 20]. Table 1 lists the main techniques in network isolation.

Due to the different social environment, the government of China raises higher security requirements for the communication network, so there are more researches on network isolation in China in recent years [21-30].
Table 1. Main techniques on the network isolation

Programmable disrupt of multicast packets for secure networks | USA Patent 5539373
Hub-embedded system for automated network fault detection and isolation | USA Patent 6079034
Data processing system and method including a network access connector for limiting access to the network | USA Patent 6754826
Interface device with network isolation | USA Patent 7016358
Network abstraction and isolation layer for masquerading machine identity of a computer | USA Patent 20050108407
The secure isolation gap | China Patent CN2588677
The network security control device based on monitoring data exchange for the physical isolation | China Patent CN1421794
The physical isolation switches: introduction and practice | China Patent CN1464403

1.3 Dilemma of the current isolation against network virus

1.3.1 Summary of the current research on the isolation

Summing up all those isolation researches and techniques, either logical or physical isolation, they focus on access control of the protected sub-network, which is effective when the isolated IP address is fixed. To some extent the paper names them IPBI (IP-based isolation). By the different scope of this isolation they can be sorted into two categories. One is called EIPBI (exclusive IP-based isolation), whose main idea is that except for some specified nodes configured as safe, all other nodes are considered unsafe and are excluded from accessing the sub-network. Some systems with higher security requirements, or the internal network of a unit, use this isolation. The other is called SIPBI (selective IP-based isolation), whose main idea is that all the other nodes are considered safe and only some unsafe nodes are isolated, denying them access to the sub-net. SIPBI is often used in some systems with not too high
Sub-connection Based Isolation Against Network Virus
Lansheng Han, Ming Liu, Qiwen Liu, Mengsong Zou
to $v_i$ in network on time $t$;

we will get the $Y$ of $b_i$. However, if the characteristic of the virus can't be extracted on time, which is the common situation in the early stage of the virus

of connection of the network are $C_1, C_2, \ldots, C_n$, then the virus spreads from $v_i$ to $v_j$ if and only if there are nodes $v_{i1}, v_{i2}, \ldots, v_{in-1}$ meeting $(v_i, v_{i1}) \in C_1$, $(v_{i1}, v_{i2}) \in C_2$, $\ldots$, $(v_{in-1}, v_j) \in C_n$ (proof omitted).

With the theorem above, when a node $v_i$ is found to be infected by $b_i$ on $t_0$, collect the connection information $C_i$ ($i > t_0$, $i \in N$) of the network and select the sub-connections that meet the virus' spreading imposed on $C^1[T(b_i)], C^2[T(b_i)], \ldots, C^n[T(b_i)]$; the set of all infected nodes can be obtained in $v_i\, C^1[T(b_i)] \cdot C^2[T(b_i)] \cdots C^n[T(b_i)]$.

3.1.2 Source tracing of virus

Assume node $v_i$ was infected by virus $b_i$ on time $t_0$. First get the set $C_{v_i}$, determine the sub-connection of the virus $T(b_i)$, and then get the set $C[T(b_i)]_{v_i}$ from $C_{v_i}$. If the set is not null, then detect each node in the set, which are the spreading sources of the virus in $v_i$, and then the source tracing method can be applied to the sources of node $v_i$, until the root of the virus in the sub-network is reached. By the above two steps the infected area $Y$ of $b_i$ can be determined.

3.2 Determination of the susceptible areas

The susceptible area, denoted as $S$, is the set of nodes suspected to be infected by infected nodes, which is the object of the protection. The isolation is symmetric, that is, isolating the infected nodes will protect the uninfected nodes, which has the same consequence as isolating the uninfected nodes from being infected. With respect to the concrete realization of EIPBI and SIPBI, and also to comparing SBI with both, the paper presents three definitions for the susceptible area.

Definition 3 $S_1 = N - Y - C$, where $N$ denotes the set of all the nodes in a network; $Y$ denotes the set of infected nodes; $C$ is the set of a few nodes that are considered absolutely safe and important for the network. By the definition, nodes outside the infected area are all regarded as susceptible nodes except for $C$. As $C$ is very small compared with $Y$ and $S_1$, $S_1 \approx N - Y$. The EIPBI strategy is similar to $S_1$.

Obviously, definition 3 of the susceptible area enlarges the isolation scope in the network. For example, node $v_i \in N - Y$, but $\forall v_j \in Y$, $v_j \notin C_{v_i}$; however, by EIPBI the communications between node $v_i$ and all the infected nodes in the sub-net are completely cut off. Keeping so many uninfected nodes isolated from the infected area takes up many resources of the network and thus blocks the flow of the network very much. In order to reduce the blockage upon the flow of the network, we present definition 4.

Definition 4 The susceptible area is set as $S_2 = \{v_j \mid (v_i, v_j) \in C,\ v_i \in Y,\ v_j \notin Y\}$, that is, the uninfected nodes having a connection to an infected node are defined as the susceptible nodes.
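The following Python program is an added example, not code from the paper, that implements the two steps of section 3.1 and the susceptible areas of section 3.2 on a constructed connection log: the forward chain of $T(b_i)$ connections with increasing times from the theorem, the backward source tracing of section 3.1.2 to the root, and then $S_1$ (definition 3) and $S_2$ (definition 4). The nine node names, the log, the "email" sub-connection and the trusted set $C = \{H\}$ are all assumptions; the paper's $C_i$ (connection information at time $i > t_0$) is represented by the time field of each record.

```python
from collections import namedtuple

# A logged connection of the network: at time `time`, node `src` opened a
# sub-connection of kind `subconn` (email, ftp, qq, ...) to node `dst`.
Connection = namedtuple("Connection", "time src dst subconn")

# Constructed connection log for a hypothetical nine-node sub-network; the
# virus b_i under study spreads over the "email" sub-connection, T(b_i) = email.
NODES = set("ABCDEFGHI")
VIRUS_SUBCONN = "email"
LOG = [
    Connection(1, "A", "B", "email"),
    Connection(2, "B", "C", "email"),
    Connection(2, "A", "D", "ftp"),    # not T(b_i): carries no virus
    Connection(3, "C", "E", "email"),
    Connection(3, "D", "F", "email"),  # D is not infected, so F stays clean
    Connection(4, "E", "A", "ftp"),
    Connection(4, "B", "G", "qq"),
    Connection(5, "F", "H", "email"),
]


def virus_connections(log, subconn):
    """C[T(b_i)]: the logged connections that carry the virus's sub-connection."""
    return [c for c in log if c.subconn == subconn]


def spread_forward(log, infected_at, subconn):
    """Theorem of section 3.1: b_i reaches v_j from v_i iff there is a chain of
    T(b_i) connections with strictly increasing times. `infected_at` maps the
    already-known infected nodes to their infection time; the result maps every
    node the virus can reach in the log window to its infection time."""
    infected = dict(infected_at)
    for c in sorted(virus_connections(log, subconn), key=lambda c: c.time):
        if c.src in infected and infected[c.src] < c.time and c.dst not in infected:
            infected[c.dst] = c.time
    return infected


def trace_sources(log, node, found_at, subconn):
    """Section 3.1.2: walk T(b_i) connections backwards from a node found
    infected at `found_at`. Returns {node: time by which it was infected};
    the entry with the earliest time is the root of the virus in the log."""
    bound = {node: found_at}
    frontier = [node]
    while frontier:
        v = frontier.pop()
        for c in virus_connections(log, subconn):
            if c.dst == v and c.time <= bound[v] and c.src not in bound:
                bound[c.src] = c.time
                frontier.append(c.src)
    return bound


def infected_area(log, node, found_at, subconn):
    """Y: trace back to the root, then spread forward from it over T(b_i)."""
    bound = trace_sources(log, node, found_at, subconn)
    root = min(bound, key=bound.get)
    # Assumption: the root was infected before any connection in the log window.
    return set(spread_forward(log, {root: float("-inf")}, subconn))


def susceptible_s1(nodes, infected, safe):
    """Definition 3 (EIPBI view): S1 = N - Y - C, C being the few trusted nodes."""
    return set(nodes) - set(infected) - set(safe)


def susceptible_s2(log, infected):
    """Definition 4 (SIPBI view): S2 = {v_j | (v_i, v_j) in C, v_i in Y, v_j not in Y},
    i.e. the uninfected nodes an infected node has connected to on any sub-connection."""
    infected = set(infected)
    return {c.dst for c in log if c.src in infected and c.dst not in infected}


if __name__ == "__main__":
    # Node C is found infected at time 2; trace back and spread forward to get Y.
    y = infected_area(LOG, "C", 2, VIRUS_SUBCONN)
    print("Y  =", sorted(y))                                # ['A', 'B', 'C', 'E']
    print("S1 =", sorted(susceptible_s1(NODES, y, {"H"})))  # ['D', 'F', 'G', 'I']
    print("S2 =", sorted(susceptible_s2(LOG, y)))           # ['D', 'G']
```

Node I has no connection in the log at all, yet it lands in $S_1$ and would be isolated under EIPBI; $S_2$ keeps only D and G, the nodes an infected node actually reached, which is the reduction in isolation scope that definition 4 is after.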
$IW\_SIPBI = \{(v_i, v_j) \mid v_i \in Y, v_j \in S_2\}$, and the isolation wall of SBI in this paper is

Figure 2: Sub-connection based isolation

The isolation wall of SBI is not only a subset of the current connection $C$ but also a subset of $C[T(b_i)]$,

that either $(v_i, v_j) \notin C$, that is, $v_i$ did not connect

implies that although $v_i$ connects to $v_j$, the connection does not spread the virus, so

say there is a sub-connection meeting the virus, but this sub-connection is not on the isolation wall; then one can only deduce the result below: $v_i, v_j \in Y$ or $v_i, v_j \notin Y$. The former means $v_i, v_j$ are both infected nodes, the

$(v_i, v_j) \in IW\_SBI$, $v_i \in S_3$, the virus spreading

virus. It should consider both the protocol of the special application and the convenience of inserting the isolating module. For example, if the virus' spreading sub-connection is $T(b_i) = QQ$, only adding the forbidden numbers of the infected nodes can realize the isolation. If

From the discussion above, even if $(v_i, v_j) \in IW\_SBI$, it doesn't mean that $(v_i, v_j)$ is completely isolated; only the sub-connection which meets the virus spreading is cut off. Assume that $c_{ij}$

where $T_n$ represents a sub-connection in $c_{ij}$ and $w_{ij}(T_n)$ denotes its weight in $c_{ij}$, then its weight in the network is $w_{ij}(T_n) \times w_{ij}$. Therefore the percent of $IW\_SBI$ in the whole network is
$$IW\_SBI\% = \sum_{(v_i, v_j)} \left( w_{ij}(T_n) \times w_{ij} \right).$$
For example:
$$IW = \{(v_i, v_j, w_{ij}), (v_s, v_t, w_{st}), (v_i, v_m, w_{im}),$$

where $|*|$ denotes the cardinality of $*$. Even though $|SIPBI| = |SBI|$, as the isolation objects of

$$IW\_SIPBI\% = w_{ij} + w_{st} + w_{im} + w_{nk}.$$
While
$$IW\_SBI\% = w_{ij} \times w_{ij}(T_{Email}) + w_{st} \times w_{st}(T_{Email}) + w_{im} \times w_{im}(T_{Email}) + w_{nk} \times w_{nk}(T_{Email}).$$
It is obvious that $IW\_SBI$ causes less blockage on the network than $IW\_SIPBI$. The simulation test will prove it.
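To make the blockage comparison above concrete, here is an added Python example (not the paper's code) that builds $IW\_SIPBI$ and $IW\_SBI$ over a constructed set of weighted connection tuples and evaluates $IW\_SIPBI\% = \sum w_{ij}$ and $IW\_SBI\% = \sum w_{ij}(T_n) \times w_{ij}$ as given on the page. The tuples, their durations, the infected set $Y$ and $T(b_i) = $ Email are assumptions; following the page, $w_{ij}$ is taken as a tuple's duration over the whole network's connection time, and $w_{ij}(T_n)$ as the sub-connection's share within the tuple.

```python
# Constructed connection tuples (v_i, v_j) -> per-sub-connection duration in seconds.
# w_ij is the tuple's total duration as a share of the whole network's connection
# time; w_ij(T_n) is the share of sub-connection T_n inside the tuple.
TUPLES = {
    ("A", "B"): {"email": 30, "ftp": 70},
    ("A", "D"): {"email": 40, "ftp": 160},
    ("B", "C"): {"email": 50, "qq": 50},
    ("B", "G"): {"qq": 100},
    ("C", "E"): {"email": 100},
    ("D", "F"): {"email": 20, "ftp": 180},
    ("F", "H"): {"email": 100, "ftp": 100},
}
INFECTED = {"A", "B", "C", "E"}   # Y, as determined by the tracing step (assumed)
VIRUS_SUBCONN = "email"           # T(b_i)


def tuple_weight(tuples, pair):
    """w_ij: the tuple's duration as a fraction of all connection time."""
    total = sum(sum(subs.values()) for subs in tuples.values())
    return sum(tuples[pair].values()) / total


def subconn_weight(tuples, pair, subconn):
    """w_ij(T_n): the share of sub-connection T_n within tuple (v_i, v_j)."""
    subs = tuples[pair]
    return subs.get(subconn, 0) / sum(subs.values())


def susceptible_s2(tuples, infected):
    """Definition 4: S2 = {v_j | (v_i, v_j) in C, v_i in Y, v_j not in Y}."""
    return {vj for (vi, vj) in tuples if vi in infected and vj not in infected}


def iw_sipbi(tuples, infected):
    """IW_SIPBI = {(v_i, v_j) | v_i in Y, v_j in S2}: whole connections are cut."""
    s2 = susceptible_s2(tuples, infected)
    return {(vi, vj) for (vi, vj) in tuples if vi in infected and vj in s2}


def iw_sbi(tuples, infected, subconn):
    """IW_SBI: the SIPBI pairs restricted to those that carry T(b_i) (a subset
    of C[T(b_i)]); only that sub-connection is cut, the rest of the tuple flows."""
    return {pair for pair in iw_sipbi(tuples, infected)
            if tuples[pair].get(subconn, 0) > 0}


def blockage_sipbi(tuples, infected):
    """IW_SIPBI% = sum of w_ij over the wall (the whole tuple is blocked)."""
    return sum(tuple_weight(tuples, p) for p in iw_sipbi(tuples, infected))


def blockage_sbi(tuples, infected, subconn):
    """IW_SBI% = sum of w_ij(T_n) * w_ij over the wall (only T(b_i) is blocked)."""
    return sum(subconn_weight(tuples, p, subconn) * tuple_weight(tuples, p)
               for p in iw_sbi(tuples, infected, subconn))


if __name__ == "__main__":
    print("IW_SIPBI  =", sorted(iw_sipbi(TUPLES, INFECTED)))                  # [('A','D'), ('B','G')]
    print("IW_SBI    =", sorted(iw_sbi(TUPLES, INFECTED, VIRUS_SUBCONN)))     # [('A','D')]
    print("IW_SIPBI% =", round(blockage_sipbi(TUPLES, INFECTED), 4))          # 0.3
    print("IW_SBI%   =", round(blockage_sbi(TUPLES, INFECTED, VIRUS_SUBCONN), 4))  # 0.04
```

With 1000 seconds of connection time in total, SIPBI blocks the two tuples (A, D) and (B, G) entirely, 30% of the flow, while SBI blocks only the 40-second email share of (A, D), 4% of the flow; (B, G) carries no email at all and therefore is not on the SBI wall.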
In this term, three kinds of viruses are selected, spreading by Email, by Ftp and by QQ respectively. For each virus, two tests are carried out, with the isolation beginning on the 3rd and the 5th day respectively after the virus is planted in the network. The following two tables present the process and the effect of the isolation.

For convenience, we use the following notation: T denotes the sub-connection. C[T]% denotes the percent of the T connection among all the connections. |Y| denotes the number of infected nodes. |S| denotes the number of the suspected nodes. |SBI| denotes the number of isolation tuples.

Isolation begun on the 3rd day:

          Email      Ftp        QQ
C[T]%     21         20         35
|Y|       15         12         32
|S|       43         132        108
|SBI|     87         201        168
SBI%      1.8        4.02       5.88
Result    Completed  Completed  Omit 1

Isolation begun on the 5th day:

          Email      Ftp        QQ
C[T]%     21         20         35
|Y|       32         56         65
|S|       67         162        212
|SBI|     172        301        436
SBI%      5.3        7.2        12.5
Result    Omit 1     Omit 2     Omit 3

From the test result, it can be seen that the earlier the isolation begins, the better the effect of the isolation is; on the contrary, the later it begins, the worse. However, it must be pointed out that the omitted virus is not a leakage of the isolation wall but a leak of the virus tracing.

5.2 Blockage of the three isolation walls on the flow of the network

The test in this term is set to measure and compare the blockage of the three isolations. The initial number of infected nodes is set the same for the three: |Y| = 10, 20, 30, 40, 50, 60, 70, 80, 90.

Figure 3: The isolation scale with the number of infected nodes

Figure 4: The blockages on the network flow of the three isolations

For the EIPBI, every infected user selects the nodes least likely to be infected to form the set C, and the other nodes, 300 − Y − C, are to be isolated. For the SIPBI and SBI, every user selects the possible nodes to form S2 and S3 according to their connection history. Figure 1 and Figure 2 illustrate the difference of the three isolations' blockage on the flow of the network. The number of all connection tuples is C = 1000 and the connection weight of each tuple is the time duration of the connection.

From the two figures, it can be seen that the scales of the three isolation walls increase in direct proportion to the increase of the initial infected nodes, but for the blockage of the isolation wall on the flow of the network, the SBI is the smallest, no more than 10 percent of the sum of connections.

5.3 The effects of three ways of isolation

In this term, the Email connection is selected as the sub-connection to be isolated. Receiver-end isolation is easier: by the SBI methods above, for each uninfected node, only add its infected friends to the black list. The test result is similar to the prediction of our theory; all viruses are isolated. In the sender-end isolation, we insert our module of isolation "SBI connect isolation", the idea of which is to detect the socket of the SMTP connection in the Windows environment, then judge whether the packet heads (IP1; IP2) belong to IW_SBI; if so, deny the connection, else permit the connection. The test result is also valid. For the test of midway isolation, we use the open code "GetEthernetData.rar" and make a program with Sniffer C++; the isolation is stored in a database, and by inserting our controlling module in the Email server, the isolation is also realized. But as there are so many dynamic factors in the network, it is rather difficult to compare the results of the three isolation ways. Considering the convenience of implementation, the paper prefers the receiver-end isolation.

6 Summary and the Further Research

6.1 Summary of the paper

Unlike the isolation object and method in other papers, this paper subdivides the network connection into sub-connections of different application layers by which viruses spread in the network, and proposes SBI (Sub-connection based isolation) to prevent network viruses from spreading. Based on many samples and statistics of network viruses, the paper presents a definition and division of network connections that is suitable for a specific virus. Then the infected area and susceptible area were defined by the paper. The determination methods of both areas were also presented for the actual network environment. Based on those concepts the paper presents the definition of the isolation wall and the establishment methods. Lastly the paper discusses the blockage of the isolation wall on the flow of the network. Simulation tests are carried out for the isolation wall, and the experimental results verified the validity of the SBI.

6.2 Further study on the isolation

As the representative of operating systems, Microsoft Manufacturing Industries has published a white paper on a security strategy for manufacturing operations; in the part on securing the network, they provide network isolation with application gateways. In the part on secure connectivity for management of the firewall, they provide network isolation with virtualization. Considering the simulation test of our theory and the white paper of Microsoft, we plan to focus on the following two researches. The first is the design of isolation as general middle-layer software plugged into the different network applications used by viruses. As the algorithm and the strategy proposed in the paper are finite, the second research will focus on the partition of the network with respect to different network viruses.

6.3 Acknowledgement
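As an added example for the receiver-end and sender-end isolation of section 5.3 (not the authors' "SBI connect isolation" module, which hooks the SMTP socket on Windows), the Python below builds the per-node black lists from a constructed connection history and applies the IW_SBI membership test to a constructed list of connection attempts. The IP addresses, the history, the infected set and the "smtp" sub-connection label are assumptions.

```python
# Constructed data for a hypothetical mail sub-network. Nodes are identified by
# IP address; the virus under study spreads over Email (SMTP), so T(b_i) = "smtp".
INFECTED = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}          # Y (assumed known)
HISTORY = [   # (src_ip, dst_ip, sub-connection) observed before the isolation
    ("10.0.0.1", "10.0.0.7", "smtp"),
    ("10.0.0.2", "10.0.0.7", "smtp"),
    ("10.0.0.2", "10.0.0.8", "ftp"),   # not T(b_i): no entry on the SBI wall
    ("10.0.0.3", "10.0.0.9", "smtp"),
    ("10.0.0.7", "10.0.0.9", "smtp"),  # uninfected to uninfected
    ("10.0.0.1", "10.0.0.2", "smtp"),  # infected to infected
]
VIRUS_SUBCONN = "smtp"


def iw_sbi(history, infected, subconn):
    """IW_SBI as (src, dst) pairs: an infected node that reached an uninfected
    node over the virus's sub-connection."""
    return {(s, d) for (s, d, t) in history
            if t == subconn and s in infected and d not in infected}


def receiver_end_blacklists(history, infected, subconn):
    """Receiver-end isolation: each uninfected node adds its infected friends
    to its own black list; returns {protected node: set of blocked senders}."""
    lists = {}
    for (s, d) in iw_sbi(history, infected, subconn):
        lists.setdefault(d, set()).add(s)
    return lists


def sender_end_allows(wall, src_ip, dst_ip, subconn, virus_subconn):
    """Sender-end isolation: for a new socket, deny only when the sub-connection
    is T(b_i) and the packet heads (IP1, IP2) belong to IW_SBI."""
    if subconn != virus_subconn:
        return True
    return (src_ip, dst_ip) not in wall


def filter_attempts(attempts, wall, virus_subconn):
    """Apply the sender-end check to (src, dst, subconn) attempts, in order."""
    return [sender_end_allows(wall, s, d, t, virus_subconn) for (s, d, t) in attempts]


# Constructed connection attempts made after the wall is installed.
ATTEMPTS = [
    ("10.0.0.1", "10.0.0.7", "smtp"),   # on the wall: denied
    ("10.0.0.1", "10.0.0.7", "ftp"),    # same pair, other sub-connection: allowed
    ("10.0.0.2", "10.0.0.8", "smtp"),   # pair never seen over smtp: not on the wall
    ("10.0.0.7", "10.0.0.9", "smtp"),   # both uninfected: allowed
]

if __name__ == "__main__":
    wall = iw_sbi(HISTORY, INFECTED, VIRUS_SUBCONN)
    print("blacklists:", receiver_end_blacklists(HISTORY, INFECTED, VIRUS_SUBCONN))
    print("decisions: ", filter_attempts(ATTEMPTS, wall, VIRUS_SUBCONN))  # [False, True, True, True]
```

The third attempt shows the caveat a practitioner should weigh: the wall is built from connection history restricted to T(b_i), so an infected node's first SMTP contact with a node it previously reached only over FTP is not on the wall and passes. Refreshing the wall as new connection information C_i arrives, as section 3.1 prescribes, is what keeps that window small.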
[20] http://shop.symantecstore.com, Block virus and spyware with advanced protection, Networking and Access controlling
[21] Jia Cheng-qiang, Sun Mei-xiao, Zhu Jiansheng, Discussion on technology of network isolation, Railway Computer Application, May 11, 2006
[22] Yongsong Liao, Discussion on network isolation scheme of Intranet, Wuhan Iron and Steel Corporation Technology, June 2006
[30] Chen Youping, Yin Yong, Li Fangmin, Zhou Zude, Design and realization of security physical isolation system, Journal of Southeast University (English Edition), January 2005
[31] Lansheng Han, Hui Liu and Asiedu Baffour Kojo, Analytic Model for Network Viruses, In Proceedings of the ICNC2005, LNCS 3612, Springer-Verlag, Berlin Heidelberg, pages 903-910