Similar documents
20 similar documents found.
1.
The monitoring and early detection of Internet worms
After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagating worm can quickly spread across the Internet and cause severe damage to our society. Facing this great security threat, we need to build an early detection system that can detect the presence of a worm in the Internet as quickly as possible in order to give people accurate early warning information and possible reaction time for counteractions. This paper first presents an Internet worm monitoring system. Then, based on the idea of "detecting the trend, not the burst" of monitored illegitimate traffic, we present a "trend detection" methodology to detect a worm at its early propagation stage by using Kalman filter estimation, which is robust to background noise in the monitored data. In addition, for uniform-scan worms such as Code Red, we can effectively predict the overall vulnerable population size, and estimate accurately how many computers are really infected in the global Internet based on the biased monitored data. For monitoring a nonuniform scan worm, especially a sequential-scan worm such as Blaster, we show that it is crucial for the address space covered by the worm monitoring system to be as distributed as possible.

2.
With the rapid development of the Internet, network worms have become a serious threat to network information security. Existing network worm propagation models consider only the network characteristics of the initial stage of worm propagation and of the steady state, and cannot describe the network characteristics of the fast-propagation stage. Using the theory and methods of system dynamics, this paper establishes a network worm propagation model based on the incubation period, which can analyse and predict the trend of network worm propagation both qualitatively and quantitatively. Simulation results show that the worm's incubation period and the strength of immunization measures are important factors affecting the worm propagation process.

3.
In defending against various network attacks, such as distributed denial-of-service (DDoS) attacks or worm attacks, a defense system needs to deal with various network conditions and dynamically changing attacks. Therefore, a good defense system needs to have a built-in “adaptive defense” functionality based on cost minimization—adaptively adjusting its configurations according to the network condition and attack severity in order to minimize the combined cost introduced by false positives (misidentify normal traffic as attack) and false negatives (misidentify attack traffic as normal) at any time. In this way, the adaptive defense system can generate fewer false alarms in normal situations or under light attacks with relaxed defense configurations, while protecting a network or a server more vigorously under severe attacks. In this paper, we present concrete adaptive defense system designs for defending against two major network attacks: SYN flood DDoS attack and Internet worm infection. The adaptive defense is a high-level system design that can be built on various underlying nonadaptive detection and filtering algorithms, which makes it applicable for a wide range of security defenses.

4.
In recent years, fast-spreading worms have become one of the major threats to the security of the Internet, and the trend is increasingly severe. To address the shortcoming that the Kalman-filter-based worm detection algorithm is sensitive to the sampling interval, this article presents a new data collection plan and an improved worm early detection method that uses different intervals according to the epidemic worm propagation model, and then proposes a worm response mechanism for effectively slowing wide and fast worm propagation. Simulation results show that our methods are able to detect worms accurately and early.

5.
Security in enterprise networking: A quick tour
Enterprise networks are complex environments that involve the interconnection of a wide variety of computer systems such as portable PCs and personal digital assistants (PDAs), desktop PCs and workstations, servers, and mainframes, with a wide variety of communication channels such as dial-in and mobile access via modems, local area networks (LANs), wide area networks (WANs), and the Internet. The authors provide an overview of the major areas in the security of enterprise networks to show the variety of issues and techniques developed to address them. Our focus is on the ideas behind these techniques, which can be combined in many ways to create solutions that apply to different situations. The following areas are covered: confidentiality, preventing the disclosure of transmitted data to unauthorized parties; integrity, detecting modification, insertion, deletion, or replay of transmitted data; data-origin authentication, demonstrating that the origin of transmitted data is as claimed; nonrepudiation, preventing either the sender or receiver in a communication from denying their participation; user authentication, demonstrating that the identity of a user or system is as claimed; and access control, guarding against unauthorized use of resources, including the use of resources in an improper manner. We also look at some of the considerations that come into play in designing security solutions for the enterprise networking environment.

6.
Active worms can cause widespread damage at so high a speed that it effectively precludes human-directed reaction, and patches for the worms are always available only after the damage has been caused, which has elevated them to a first-class security threat to Metropolitan Area Networks (MAN). A Multi-agent system for Worm Detection and Containment in MAN (MWDCM) is presented to provide a first-class automatic reaction mechanism that automatically applies containment strategies to block the propagation of worms and to protect the MAN against worm scans that waste a great deal of network bandwidth and crash routers. Its user agent is used to detect known worms. The worm detection agent and the worm detection correlation agent use a two-stage decision method to detect unknown worms: they adaptively learn the access patterns across the whole network and dynamically change their working parameters to detect unknown worms. MWDCM confines worm infection within a macro-cell or a micro-cell of the metropolitan area network, while the remaining access links and hosts continue functioning without disruption. MWDCM integrates a Worm Detection System (WDS) with the network management system. Reaction measures can be taken through the Simple Network Management Protocol (SNMP) interface to control the broadband access server as soon as the WDS detects an active worm. MWDCM is very effective in blocking random-scanning worms. Simulation results indicate that the high infection rate of worm epidemics can be avoided to a degree by MWDCM blocking the propagation of the worms.

7.
Your 802.11 wireless network has no clothes
The explosive growth in wireless networks over the last few years resembles the rapid growth of the Internet within the last decade. To protect internal resources, organizations usually purchased and installed an Internet firewall. We believe that the currently deployed wireless access points present a larger security problem than the early Internet connections. A large number of organizations, based on vendor literature, believe that the security provided by their deployed wireless access points is sufficient to prevent unauthorized access and use. Unfortunately, nothing could be further from the truth. While the current access points provide several security mechanisms, our work combined with the work of others shows that all of these mechanisms are completely ineffective. As a result, organizations with deployed wireless networks are vulnerable to unauthorized use of, and access to, their internal infrastructure. We present a novel solution that requires no changes or additions to any deployed wireless equipment, and is easily deployed and transparent to end users.

8.
It is commonly believed that the IPv6 protocol can provide good protection against network worms that try to find victims through random address scanning, due to its huge address space. However, we discover that there is a serious vulnerability in terms of worm propagation in IPv6 and IPv4-IPv6 dual-stack networks. It is shown in this article that a new worm can collect the IPv6 addresses of all running hosts in a local subnet very quickly, leading to accelerated worm propagation. Similar to modeling the self-replicating behaviors of biological viruses, a Species-Patch model and a discrete-time simulator are developed to study how the dual-stack worm spreads in networks with various topologies. It is shown that the worm could propagate in IPv6 and IPv4-IPv6 dual-stack networks much faster than in the current IPv4 Internet. Several effective defense strategies focusing on network deployment are proposed.

9.
To address the security problems brought by the continuing growth of the mobile Internet, under the dual mission of satisfying both service diversity and service security, this paper proposes an open security service architecture for building open and secure cloud services in the era of mobile Internet cloud computing. Based on the technical characteristics of this open security service architecture, a cloud service platform architecture is designed and built that can provide a capability-exposure application cloud, an enterprise secure private application cloud, and an authentication and authorization public application cloud.

10.
Taxonomy of conflicts in network security policies
Network security policies are essential elements in Internet security devices that provide traffic filtering, integrity, confidentiality, and authentication. Network security perimeter devices such as firewalls, IPSec, and IDS/IPS devices operate based on locally configured policies. However, configuring network security policies remains a complex and error-prone task due to rule dependency semantics and the interaction between policies in the network. This complexity is likely to increase as the network size increases. A successful deployment of a network security system requires global analysis of policy configurations of all network security devices in order to avoid policy conflicts and inconsistency. Policy conflicts may cause serious security breaches and network vulnerability such as blocking legitimate traffic, permitting unwanted traffic, and insecure data transmission. This article presents a comprehensive classification of security policy conflicts that might potentially exist in a single security device (intrapolicy conflicts) or between different network devices (interpolicy conflicts) in enterprise networks. We also show the high probability of creating such conflicts even by expert system administrators and network practitioners.

11.
To address the false-alarm problem of infrared early-warning satellites, the space radiation environment of geosynchronous-orbit infrared early-warning satellites is studied. Taking the Earth background radiation characteristics computed within the satellite's detection bands as the reference baseline, the radiation sources in the space environment that may cause false alarms in infrared early-warning satellites are analysed, and the radiation characteristics of the various space radiation sources in the satellite's short-wave detection band (2.63–2.83 μm) and mid-wave detection band (4.18–4.50 μm) are computed numerically. The results show that the irradiance of direct solar radiation on the satellite detector is far greater than the satellite's background radiation intensity, so avoidance measures should be taken; the main false-alarm sources of infrared early-warning satellites are lunar radiation and radiation from low-Earth-orbit spacecraft; the effect of lunar radiation comes mainly from the focusing effect of the lens; and the effect of low-Earth-orbit spacecraft radiation occurs in the satellite's mid-wave detection band. The results can serve as a reference for research on corresponding background-suppression and false-alarm-source identification techniques.

12.
False alarm, nuclear danger
The radar and satellite networks meant to warn Russia of the imminence of a missile attack are breaking down, heightening the risk of accidental nuclear war. The authors discuss the reasons for this, which include ageing satellites and the floundering Russian economy. The authors discuss a false alarm in 1995 and how it highlighted the deficiencies in Russia's early warning system. The state of the satellites involved in early warning systems, both Russian and American, is discussed. The offer of assistance by the US to Russia with respect to Russia's early warning systems is also discussed.

13.
With China's large-scale railway construction and the rapid development of Internet of Things (IoT) technology, the promotion of IoT technology in railway systems is bound to have broad prospects. Combining an analysis of key IoT technologies, this paper discusses the possibility of widely promoting and applying IoT technology in railway automatic fare collection systems, train tracking and positioning systems, station-train information sharing systems, integrated security and early-warning systems, and freight management systems, and sets out the direction of development for intelligent railway transport.

14.
Wireless local-area networks (WLANs) based on the IEEE 802.11 technology have been widely adopted for private use over the past few years. However, several issues remain concerns for large-scale deployment in corporate environments. Enforcing security and quality-of-service (QoS) has become a fundamental challenge to managing IEEE 802.11-based enterprise networks. In order to provide corporate networks with a global management solution, we have designed a service-oriented management system that enables user-centric service provisioning, while enforcing security and QoS requirements. As enterprises may be comprised of a number of distinct networks, we have extended our system to support the roaming of users between different enterprise sites. In this paper, we describe the design, implementation, and performance evaluation of our solution.

15.
Internet worms are harmful to network security, and they have become a research hotspot in recent years. A thorough survey on the propagation models and defense techniques of Internet worms is made in this paper. We first give a strict definition and discuss the working mechanism. We then analyze and compare some representative worm propagation models proposed in recent years, such as the K-M model, the two-factor model, the worm-anti-worm model (WAW), the firewall-based model, the quarantine-based model and the hybrid benign worm-based model. Some typical defense techniques, such as virtual honeypots, active worm prevention and agent-oriented worm defense, are also discussed. The future direction of worm defense systems is pointed out.

16.
Key security technologies for heterogeneous wireless networks
The convergence and cooperation of heterogeneous networks will be a common issue in next-generation public mobile networks. As an effective means of improving the coverage and capacity of public mobile networks and providing ubiquitous communication, Internet access and mobile computing capabilities, heterogeneous wireless network convergence technology has attracted wide attention and has good application prospects. Building a security protection architecture for heterogeneous wireless networks, and studying new security models, key security technologies and methods, are important issues that must be addressed as heterogeneous wireless networks develop. The key security technologies in heterogeneous wireless networks include secure routing protocols, access authentication, intrusion detection, and cooperative communication between nodes.

17.
Peer-to-peer (P2P) botnets have become one of the major threats to network security. Most existing botnet detection systems detect bots by examining network traffic. Unfortunately, the traffic volumes typical of current high-speed Internet Service Provider and enterprise networks are challenging for these network-based systems, which perform computationally complex analyses. In this paper, we propose an adaptive traffic sampling system that aims to effectively reduce the volume of traffic that P2P botnet detectors need to process while not degrading their detection accuracy. Our system first identifies a small number of potential P2P bots in high-speed networks as soon as possible, and then samples as many botnet-related packets as possible with a predefined target sampling rate. The sampled traffic can then be delivered to fine-grained detectors for further in-depth analysis. We evaluate our system using traffic datasets of real-world and popular P2P botnets. The experiments demonstrate that our system can identify potential P2P bots quickly and accurately with few false positives and greatly increase the proportion of botnet-related packets in the sampled packets while maintaining the high detection accuracy of the fine-grained detectors.

18.
Early detection of worms based on user habits
When a worm propagates, its scanning generates a large number of unfamiliar accesses, which breaks the user's habitual patterns. Therefore, by statistically classifying users' habits, a worm can be detected promptly and effectively when it breaks out. This paper analyses user behaviour, proposes a new method for the early detection of worms, and implements an early worm detection system based on user habits. Experiments show that the method can detect worm propagation effectively and quickly. Because users' habits are diverse, many application models can be derived from this approach, so it has strong guiding significance.

19.
Sites use firewalls to defend against external attacks while providing necessary Internet services. Firewalls make a site safer: They present a smaller risk since they provide fewer services. However, most firewalls use standard computer operating systems. This can allow an attacker to overrun the firewall if a known security flaw is present. The Sidewinder(TM) firewall system overcomes this problem using type enforcement. Network server applications operate in independently controlled compartments called domains, each granted specific permission to access particular types of files or communicate with other domains. If a server succumbs to an attack, type enforcement restricts the amount of damage an attacker can do. In particular, Sidewinder prevents an attack on an Internet server from accessing domains serving internal, protected networks. An attacker cannot overrun a Sidewinder because the type enforcement restrictions cannot be disabled while the system is handling network traffic.

20.
Peer-to-peer (P2P) networking technology has gained popularity as an efficient mechanism for users to obtain free services without the need for centralized servers. Protecting these networks from intruders and attackers is a real challenge. One of the constant threats on P2P networks is the propagation of active worms. Recent events show that active worms can spread automatically and flood the Internet in a very short period of time. Therefore, P2P systems can be a potential vehicle for active worms to achieve fast worm propagation in the Internet. Nowadays, BitTorrent is becoming more and more popular, mainly due to its fair load distribution mechanism. Unfortunately, BitTorrent is particularly vulnerable to topology-aware active worms. In this paper we analyze the impact of a new worm propagation threat on BitTorrent. We identify the BitTorrent vulnerabilities it exploits and the characteristics that accelerate and decelerate its propagation, and develop a mathematical model of the propagation. We also provide numerical analysis results. This will help the design of efficient detection and containment systems.


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号