Modeling and analysis of Internet worm propagation

Although the frequency of Intemet worm's outbreak is decreased during the past ten years,the impact of worm on people's privacy security and enterprise's efficiency is still a severe problem,especially the emergence of botnet.It is urgent to do more research about worm's propagation model and security defense.The well-known worm models,such as simple epidemic model (SEM) and two-factor model (TFM),take all the computers on the internet as the same,which is not accurate because of the existence of network address translation (NAT).In this paper,we first analyze the worm's functional structure,and then we propose a three layer worm model named three layres worm model (TLWM),which is an extension of SEM and TFM under NAT environment.We model the TLWM by using deterministic method as it is used in the TFM.The simulation results show that the number of NAT used on the Intemet has effects on worm propagation,and the more the NAT used,the slower the worm spreads.So,the extensive use of NAT on the Internet can restrain the worm spread to some extent.     

Research on the Propagation Models and Defense Techniques of Internet Worms

Internet worm is harmful to network security,and it has become a research hotspot in recent years.A thorough survey on the propagation models and defense techniques of Internet worm is made in this paper.We first give its strict definition and discuss the working mechanism.We then analyze and compare some repre-sentative worm propagation models proposed in recent years,such as K-M model,two-factor model,worm-anti-worm model（WAW）,firewall-based model,quarantine-based model and hybrid benign worm-based model,etc.Some typical defense techniques such as virtual honeypot,active worm prevention and agent-oriented worm defense,etc.,are also discussed.The future direction of the worm defense system is pointed out.     

物联网恶意代码传播模型研究

Nowadays, the main communication object of Internet is human-human. But it is foreseeable that in the near future any object will have a unique identification and can be addressed and connected. The Internet will expand to the Internet of Things. IPv6 is the cornerstone of the Internet of Things. In this paper, we investigate a fast active worm, referred to as topological worm, which can propagate twice to more than three times faster than a traditional scan-based worm. Topological worm spreads over AS-level network topology, making traditional epidemic models invalid for modeling the propagation of it. For this reason, we study topological worm propagation relying on simulations. First, we propose a new complex weighted network model, which represents the real IPv6 AS-level network topology. And then, a new worm propagation model based on the weighted network model is constructed, which describes the topological worm propagation over AS-level network topology. The simulation results verify the topological worm model and demonstrate the effect of parameters on the propagation.     

基于潜伏期的网络蠕虫传播模型及其仿真分析

随着Internet的迅速发展，网络蠕虫已严重威胁着网络信息安全。现有的网络蠕虫传播模型仅仅考虑了网络蠕虫传播的初始阶段和达到稳定状态时的网络特性．不能刻画网络蠕虫快速传播阶段的网络特性。文章运用系统动力学的理论和方法．建立一种基于潜伏期的网络蠕虫传播模型，能够从定性和定量两方面分析和预测网络蠕虫传播趋势。模拟结果表明网络蠕虫潜伏期与免疫措施强度是影响网络蠕虫传播过程的重要因素。     

A stochastic worm model

Internet worm infection continues to be one of top security threats and has been widely used by botnets to recruit newbots. In order to defend against future worms, it is important to understand how worms propagate and how different scanning strategies affect worm propagation dynamics. In our study, we present a (stochastic) continuous-time Markov chain model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms, and further for local preference scanning worms and flash worms. Specifically, for uniform and local preference scanning worms, we are able to (1) provide a precise condition that determines whether the worm spread would eventually stop and (2) obtain the distribution of the total number of infected hosts. By using the same modeling approach, we reveal the underlying similarity and relationship between uniform scanning and local preference scanning worms. Finally, we validate the model by simulating the propagation of worms.     

基于混合对抗技术的对抗性蠕虫

作为对抗网络蠕虫的一种技术手段,对抗性蠕虫正在引起恶意代码研究领域的关注。然而当前对抗性蠕虫所采用的主动对抗技术和被动对抗技术存在若干缺陷,无法全面有效抑制网络蠕虫的传播。为此提出一种改进的基于混合对抗技术的对抗性蠕虫,通过构建蠕虫对抗模型以及仿真实验对其进行分析,并表明其能够在有效抑制网络蠕虫传播的同时降低对网络资源的恶意消耗。     

面向分层网络的社交蠕虫仿真建模研究

随着社交网络的普及,社交蠕虫已经成为了威胁社会的主要隐患之一.这类蠕虫基于拓扑信息和社会工程学在因特网中快速传播.先前的学者们对社交蠕虫的传播建模与分析主要存在两个问题：网络拓扑的不完整性和传播建模的片面性;因而导致对社交蠕虫感染规模的低估和人类行为的单一化建模.为了解决上述问题,本文提出了社交蠕虫传播仿真模型,该模型使用分层网络能更准确地抽象社交逻辑层与实际物理层之间的关系,以及利用人类移动的时间特性能更全面地刻画社交蠕虫的传播行为.实验结果表明,该仿真模型揭示了用户行为、网络拓扑参数以及不同的修复过程对社交蠕虫传播造成的影响.同时,文中对社交蠕虫的传播能力做出了定性分析,为网络防御提供了重要的理论支持.     

Detecting Internet worms at early stage

Managing the security of enterprise networks has emerged to be a critical problem in the era of Internet economy. Arising as a leading threat, worms repetitively caused enormous damage to the Internet community during the past years. A new security service that monitors the ongoing worm activities on the Internet will greatly contribute to the security management of modern enterprise networks. This paper proposes an Internet-worm early warning system that automatically detects concerted scan activities and derives possible signatures of worm attacks. Its goal is to issue warning at the early stage of worm propagation and to provide necessary information for security analysts to control the damage. It reduces false positives by filtering out false scan sources. The system is locally deployable or can be codeployed amongst a group of enterprise networks. We provide both analytical and simulation studies on the responsiveness of this early warning system.     

Internet worm early detection and response mechanism

In recent years, fast spreading worm has become one of the major threats to the security of the Internet and has an increasingly fierce tendency.In view of the insufficiency that based on Kalman filter worm detection algorithm is sensitive to interval, this article presents a new data collection plan and an improved worm early detection method which has some deferent intervals according to the epidemic worm propagation model, then proposes a worm response mechanism for slowing the wide and fast worm propagation effectively.Simulation results show that our methods are able to detect worms accurately and early.     

基于云安全环境的蠕虫传播模型

云安全体系的出现标志着病毒检测和防御的重心从用户端向网络和后台服务器群转变,针对云安全体系环境,基于经典SIR模型提出了一种新的病毒传播模型(SIR_C)。SIR_C在考虑传统防御措施以及蠕虫造成的网络拥塞流量对自身传播遏制作用的基础上,重点分析了网络中云安全的部署程度和信息收集能力对蠕虫传播模型的影响。实验证明SIR_C模型是蠕虫传播研究在云安全环境下有意义的尝试。     

The monitoring and early detection of Internet worms

After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagating worm can quickly spread across the Internet and cause severe damage to our society. Facing this great security threat, we need to build an early detection system that can detect the presence of a worm in the Internet as quickly as possible in order to give people accurate early warning information and possible reaction time for counteractions. This paper first presents an Internet worm monitoring system. Then, based on the idea of "detecting the trend, not the burst" of monitored illegitimate traffic, we present a "trend detection" methodology to detect a worm at its early propagation stage by using Kalman filter estimation, which is robust to background noise in the monitored data. In addition, for uniform-scan worms such as Code Red, we can effectively predict the overall vulnerable population size, and estimate accurately how many computers are really infected in the global Internet based on the biased monitored data. For monitoring a nonuniform scan worm, especially a sequential-scan worm such as Blaster, we show that it is crucial for the address space covered by the worm monitoring system to be as distributed as possible.     

A new worm propagation threat in BitTorrent: modeling and analysis

Peer-to-peer (P2P) networking technology has gained popularity as an efficient mechanism for users to obtain free services without the need for centralized servers. Protecting these networks from intruders and attackers is a real challenge. One of the constant threats on P2P networks is the propagation of active worms. Recent events show that active worms can spread automatically and flood the Internet in a very short period of time. Therefore, P2P systems can be a potential vehicle for active worms to achieve fast worm propagation in the Internet. Nowadays, BitTorrent is becoming more and more popular, mainly due its fair load distribution mechanism. Unfortunately, BitTorrent is particularly vulnerable to topology aware active worms. In this paper we analyze the impact of a new worm propagation threat on BitTorrent. We identify the BitTorrent vulnerabilities it exploits, the characteristics that accelerate and decelerate its propagation, and develop a mathematical model of their propagation. We also provide numerical analysis results. This will help the design of efficient detection and containment systems.     

基于随机实验的蠕虫传播预测研究

蠕虫传播预测是蠕虫防御的基础之一，但随着蠕虫扫描策略日趋多样和互联网结构逐步复杂，在蠕虫爆发初期及时建立精确的蠕虫传播模型变得越来越困难。利用随机仿真实验来模拟蠕虫在网络中的传播行为，通过统计分析仿真实验结果，发现蠕虫传播实验结果是一个随机过程，而实验结果间存在很高的线性相关性。由此提出一种基于仿真实验统计结果的蠕虫传播趋势预测方法，该方法可以利用0．1％存在漏洞主机的感染信息精确的预测蠕虫传播趋势。     

基于马尔可夫链的网络蠕虫传播模型

提出了网络蠕虫的随机传播模型。首先,基于马尔可夫链对于网络蠕虫进行了建模,并且讨论了模型的极限分布以及平稳分布的存在性。然后,讨论了网络蠕虫在传播初期灭绝的充要条件以及在传播后期灭绝的必要条件。最后,讨论了网络蠕虫的传播规模。仿真实验对于模型进行了验证,讨论了模型中传播参数,时间参数以及漏洞主机数等相关参数对于网络蠕虫传播的影响,并且与G-W模型进行了数据对比,说明了本模型的优势。     

Optimal Internet Worm Treatment Strategy Based on the Two‐Factor Model

The security threat posed by worms has steadily increased in recent years. This paper discusses the application of the optimal and sub‐optimal Internet worm control via Pontryagin's maximum principle. To this end, a control variable representing the optimal treatment strategy for infectious hosts is introduced into the two‐factor worm model. The numerical optimal control laws are implemented by the multiple shooting method and the sub‐optimal solution is computed using genetic algorithms. Simulation results demonstrate the effectiveness of the proposed optimal and sub‐optimal strategies. It also provides a theoretical interpretation of the practical experience that the maximum implementation of treatment in the early stage is critically important in controlling outbreaks of Internet worms. Furthermore, our results show that the proposed sub‐optimal control can lead to performance close to the optimal control, but with much simpler strategies for long periods of time in practical use.     

面向异构网络环境的蠕虫传播模型Enhanced-AAWP

合理地建立蠕虫传播模型将有助于更准确地分析蠕虫在网络中的传播过程。首先通过对分层的异构网络环境进行抽象,在感染时间将影响到蠕虫传播速度的前提下使用时间离散的确定性建模分析方法,推导出面向异构网络环境的蠕虫传播模型Enhanced-AAWP。进而基于Enhanced-AAWP模型分别对本地优先扫描蠕虫和随机扫描蠕虫进行深入分析。模拟结果表明,NAT子网的数量、脆弱性主机在NAT子网内的密度以及本地优先扫描概率等因素都将对蠕虫在异构网络环境中的传播过程产生重要的影响。     

集中受控式蠕虫有限繁殖算法

蠕虫有限繁殖技术在分布式计算应用和对抗蠕虫研究中具有重要的意义。文章在分析现有的有限繁殖算法研究基础上,提出集中受控式蠕虫有限繁殖算法,建立蠕虫有限繁殖的数学模型,并通过基于无尺度网络模型的蠕虫繁殖仿真验证了算法的正确性,最后进行了算法的性能比较。该算法提高了蠕虫有限繁殖的准确性,减小了蠕虫有限繁殖对网络的影响。     

Security of the Internet of Things: perspectives and challenges

Internet of Things (IoT) is playing a more and more important role after its showing up, it covers from traditional equipment to general household objects such as WSNs and RFID. With the great potential of IoT, there come all kinds of challenges. This paper focuses on the security problems among all other challenges. As IoT is built on the basis of the Internet, security problems of the Internet will also show up in IoT. And as IoT contains three layers: perception layer, transportation layer and application layer, this paper will analyze the security problems of each layer separately and try to find new problems and solutions. This paper also analyzes the cross-layer heterogeneous integration issues and security issues in detail and discusses the security issues of IoT as a whole and tries to find solutions to them. In the end, this paper compares security issues between IoT and traditional network, and discusses opening security issues of IoT.     

IPv6的安全机制及其对现有网络安全体系的影响

IPv6不但解决了当今IP地址匮乏的问题,并且由于它引入了加密和认证机制,实现了基于网络层的身份认证,确保了数据包的完整性和机密性,因此,可以说IPv6实现了网络层安全。但是,这种安全不是绝对的。并且由于IPv6的安全机制,给当前的网络安全体系带来了新的挑战,致使许多在现有的网络中对保护网络安全中起着重要作用的工具受到巨大的冲击,急需安全专家进一步研究和积累经验,尽快找出合适的解决方法。     

IPSec与NAT之间的兼容性分析和解决方案

网络安全协议(IPSec)和网络地址转换(NAT)是当前的热点技术,在因特网上都得到广泛应用,但两者在协议设计时存在的兼容性问题成为阻碍这两种技术得到进一步应用的关键问题。本文分别介绍了NAT和IPSec两种协议的基本原理,并对两者存在的不兼容性进行了详细的分析,最后给出了利用UDP封装ESP数据包的解决方案。