蠕虫预警及非线性传播模型优化

目前已有一些蠕虫检测系统利用蠕虫传播特性进行检测,误报率高,不能对大范围网络进行检测。为此,首先对蠕虫传播模型进行了分析和优化,提出了新蠕虫分布式传播模型。针对该模型提出了分布式蠕虫检测技术,亦即采用基于规则的检测方法监控网络蠕虫,控制台管理和协调多个检测端的工作。实验结果表明,该方法能够很好地预警蠕虫的传播行为并进行监控和报警,具有高检测率和低误报率。     

基于传播模式的本地网络蠕虫检测模型*

针对传统的蠕虫检测方法对未知蠕虫检测效率较低的问题,提出了一种基于蠕虫传播行为的优化解决方案。通过自定义二元模式向量准确描述网络蠕虫的传播行为,并构造三层安全过滤结构优化未知蠕虫检测。对比研究表明,上述方案对传播行为的改进显著提高了对未知蠕虫传播行为描述的完备性,给出了运用传播模式对感染特定蠕虫进行传播行为检测的结果。实验结果表明,方案显著提高了对未知蠕虫传播行为的准确性,可以快速地检测出入侵本地网络的扫描蠕虫。     

基于有向图分析的蠕虫早期检测方法

网络蠕虫给互联网带来了巨大的损失,实践证明,越早发现蠕虫的传播行为,就越有利于对蠕虫的遏制。首先分析了网络蠕虫早期传播的特征,然后借鉴GrIDS入侵检测系统的图分析思想,提出了一种利用有向图对网络蠕虫早期传播行为进行检测的蠕虫早期检测方法,并设计了有向图分析算法,对网络蠕虫与P2P应用、网络扫描以及突发访问等类网络蠕虫行为进行了准确识别。实验证明,可以准确检测网络蠕虫的早期传播行为,并定位蠕虫源主机。     

一种基于传播特征的蠕虫检测方法

随着计算机网络技术的飞速发展,网络蠕虫攻击成为目前影响网络安全的一个重要问题。实时监视网络蠕虫攻击,特别是在蠕虫传播早期检测到蠕虫,以采取相应的防御措施,减少蠕虫传播和攻击造成的损失变得尤为重要。通过分析网络蠕虫在传播过程中具有扩散性、链型以及传输数据相似等特征,提出了一种基于蠕虫传播特征的检测方法。实验结果表明:该检测方法在一定程度上降低了蠕虫检测的漏报率和错误率,对未知蠕虫具有较好的检测能力。     

基于传播特性的蠕虫检测方法

随着计算机网络技术的飞速发展,网络蠕虫攻击成为目前影响网络安全的一个重要问题。实时监视网络蠕虫攻击,特别是在蠕虫传播早期检测到蠕虫,以采取相应的防御措施,减少蠕虫传播和攻击造成的损失变得尤为重要。通过分析网络蠕虫在传播过程中具有扩散性、链型以及传输数据相似等特征,提出了一种基于蠕虫传播特征的检测方法。实验结果表明:该检测方法在一定程度上降低了蠕虫检测的漏报率和错误率,对未知蠕虫具有较好的检测能力。     

基于电子邮件蠕虫传播行为仿真研究

研究电子邮件蠕虫传播行为真实仿真问题.电子邮件蠕虫是造成电子邮件垃圾邮件泛滥的最主要的原因之一,使得计算机网络效率急剧下降,系统资源遭到严重破坏.为了能更好的对电子邮件蠕虫行为进行仿真,提出了一种基于用户行为和电子邮件网络拓扑结构相结合的电子邮件蠕虫传播模型方法,通过用户打开和检查邮件的概率来描述电子邮件用户的行为.方法能准确仿真蠕虫在网络拓扑中的传播.仿真结果表明,提出的新的蠕虫传播行为仿真方法能更加有效检测蠕虫传播特性,并对比分析了几组因素对蠕虫传播的影响,对进一步研究蠕虫的防御具有重要的意义.     

基于蠕虫传播特性的蠕虫检测系统设计

蠕虫病毒对当前Internet造成的威胁日益严峻。因此,必须在蠕虫的早期阶段检测出它的传播,并有效地进行抑制和隔离。蠕虫传播基本采用随机扫描方式．在网络中产生了异常的数据流。利用了蠕虫传播的这些共同特性,提出了一种新颖的蠕虫检测机制,有效降低了计算复杂度,并且具有较低的误警率和检测实时性。     

网络蠕虫防御和清除方法

当前网络蠕虫对Internet构成重要威胁,如何防范蠕虫已经成为网络安全的重要课题。由于蠕虫传播速度快、规模大,因此必须在蠕虫传播初期就能发现并采取相应措施进行隔离。本文首先介绍了蠕虫的相关概念,然后详细介绍了当前蠕虫的防御和清除方法。     

Internet蠕虫传播模型研究

本文就Internet蠕虫的传播模型进行了研究,分析了各种传播模型的特点和适用环境,在此基础上结合良性蠕虫的特点提出了良性蠕虫对抗恶性蠕虫的传播模型。经过比较和分析,理论上证明了蠕虫对抗蠕虫传播模型,有效地补充和改进了传统的Internet蠕虫传播模型,使其更符合Internet蠕虫传播的实际,为进一步研究蠕虫的检测与预防提供了有力的研究方法。与现有模型相比,其降低了对抗蠕虫给网络造成的冲击、可控,并降低了模型的复杂度。     

蠕虫攻击的分析与即时检测方法研究

对蠕虫的基本程序结构进行分析并对蠕虫的传播步骤进行阐述,根据蠕虫攻击的特点,提出一个即时检测蠕虫攻击的方案,该方案将实际主机间的通信情况映射为通信图,通过对通信图的处理达到准确、快速检测蠕虫攻击的目的.     

基于生物免疫原理的网络蠕虫免疫模型

提出一种新的网络蠕虫传播模型,并基于生物免疫原理提出了成熟良性蠕虫、记忆良性蠕虫和疫苗良性蠕虫新概念,建立了新的主机状态转移关系,运用系统动力学理论和方法,建立了一种新的网络蠕虫免疫模型,它能够从定性和定量两方面分析和预测网络蠕虫免疫过程,并能够深入刻画恶性蠕虫和良性蠕虫交互过程中的网络特性,为动态防治网络蠕虫提供了新的理论依据。模拟实验结果表明,引入的三种良性蠕虫是动态防御恶性网络蠕虫传播的重要因素。     

网络蠕虫研究与进展

随着网络系统应用及复杂性的增加,网络蠕虫成为网络系统安全的重要威胁.在网络环境下,多样化的传播途径和复杂的应用环境使网络蠕虫的发生频率增高、潜伏性变强、覆盖面更广,网络蠕虫成为恶意代码研究中的首要课题.首先综合论述网络蠕虫的研究概况,然后剖析网络蠕虫的基本定义、功能结构和工作原理,讨论网络蠕虫的扫描策略和传播模型,归纳总结目前防范网络蠕虫的最新技术.最后给出网络蠕虫研究的若干热点问题与展望.     

基于AOI方法的未知蠕虫特征自动发现算法研究

近年来频繁爆发的大规模网络蠕虫对Internet的整体安全构成了巨大的威胁，新的变种仍在不断出现。由于无法事先得到未知蠕虫的特征，传统的基于特征的入侵检测机制已经失效。目前蠕虫监测的一般做法是在侦测到网络异常后由人工捕获并进行特征的分析，再将特征加入高速检测引擎进行监测。本文提出了一种新的基于面向属性归纳（AOI）方法的未知蠕虫特征自动提取方法。该算法在可疑蠕虫源定位的基础上进行频繁特征的自动提取，能够在爆发的早期检测到蠕虫的特征，进而通过控制台特征关联监测未知蠕虫的发展趋势。实验证明该方法是可行而且有效的。     

网络蠕虫的扫描策略分析

网络蠕虫已经严重威胁了网络的安全.为了有效防治网络蠕虫,首要任务必须清楚有什么扫描方法,以及这些扫描方法对蠕虫传播的影响.为此,本文构建了一个基于离散时间的简单蠕虫传播模型,通过对Code Red蠕虫传播的真实数据比较,验证了此模型的有效性.以此模型为基础,详细分析了蠕虫的不同扫描策略,如均匀扫描、目标列表扫描、路由扫描、分治扫描、本地子网、顺序扫描、置换扫描,并给出了相应的模型.     

Contagion蠕虫传播仿真分析

Contagion 蠕虫利用正常业务流量进行传播,不会引起网络流量异常,具有较高的隐蔽性,逐渐成为网络安全的一个重要潜在威胁.为了能够了解Contagion蠕虫传播特性,需要构建一个合适的仿真模型.已有的仿真模型主要面向主动蠕虫,无法对Contagion蠕虫传播所依赖的业务流量进行动态模拟.因此,提出了一个适用于Contagion蠕虫仿真的Web和P2P业务流量动态仿真模型,并通过选择性抽象,克服了数据包级蠕虫仿真的规模限制瓶颈,在通用网络仿真平台上,实现了一个完整的Contagion蠕虫仿真系统.利用该系统,对Contagion蠕虫传播特性进行了仿真分析.结果显示:该仿真系统能够有效地用于Contagion蠕虫传播分析.     

A spatial stochastic model for worm propagation: scale effects

Realistic models for worm propagation in the Internet have become one of the major topics in the academic literature concerning network security. In this paper, we propose an evolution equation for worm propagation in a very small number of Internet hosts, hereinafter called a subnet and introduce a generalization of the classical epidemic model by including a second order spatial term which models subnet interactions. The corresponding gradient coefficient is a measure of the characteristic scale of interactions and as a result a novel scale approach for understanding the evolution of worm population in different scales, is considered. Results concerning random scan strategies and local preference scan worms are presented. A comparison of the proposed model with simulation results is also presented. Based on our model, more efficient monitoring strategies could be deployed.     

DAW: A Distributed Antiworm System

A worm automatically replicates itself across networks and may infect millions of servers in a short period of time. It is conceivable that the cyberterrorists may use a widespread worm to cause major disruption to the Internet economy. Much recent research concentrates on propagation models and early warning, but the defense against worms is largely an open problem. We propose a distributed antiworm architecture (DAW) that automatically slows down or even halts the worm propagation within an Internet service provider (ISP) network. New defense techniques are developed based on the behavioral difference between normal hosts and worm-infected hosts. Particularly, a worm-infected host has a much higher connection-failure rate when it randomly scans the Internet. This property allows DAW to set the worms apart from the normal hosts. We propose a temporal rate-limit algorithm and a spatial rate-limit algorithm, which makes the speed of worm propagation configurable by the parameters of the defense system. The effectiveness of the new techniques is evaluated analytically and by simulations.     

Modeling and Simulation Study of the Propagation and Defense of Internet E-mail Worms

As many people rely on e-mail communications for business and everyday life, Internet e-mail worms constitute one of the major security threats for our society. Unlike scanning worms such as Code Red or Slammer, e-mail worms spread over a logical network defined by e-mail address relationships, making traditional epidemic models invalid for modeling the propagation of e-mail worms. In addition, we show that the topological epidemic models presented by M. Boguna, et al. (2000) largely overestimate epidemic spreading speed in topological networks due to their implicit homogeneous mixing assumption. For this reason, we rely on simulations to study e-mail worm propagation in this paper. We present an e-mail worm simulation model that accounts for the behaviors of e-mail users, including e-mail checking time and the probability of opening an e-mail attachment. Our observations of e-mail lists suggest that an Internet e-mail network follows a heavy-tailed distribution in terms of node degrees, and we model it as a power-law network. To study the topological impact, we compare e-mail worm propagation on power-law topology with worm propagation on two other topologies: small-world topology and random-graph topology. The impact of the power-law topology on the spread of e-mail worms is mixed: E-mail worms spread more quickly on a power-law topology than on a small-world topology or a random-graph topology, but immunization defense is more effective on a power-law topology.     

Modeling and Automated Containment of Worms

Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due to their enormously adverse impact on the Internet. Thus, there is great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms and then extended to preference scanning worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for uniform scanning worms, we are able to 1) provide a precise condition that determines whether the worm spread will eventually stop and 2) obtain the distribution of the total number of hosts that the worm infects. We then extend our results to contain preference scanning worms. Our strategy is based on limiting the number of scans to dark-address space. The limiting value is determined by our analysis. Our automatic worm containment schemes effectively contain both uniform scanning worms and local preference scanning worms, and it is validated through simulations and real trace data to be nonintrusive. We also show that our worm strategy, when used with traditional firewalls, can be deployed incrementally to provide worm containment for the local network and benefit the Internet.     

Characterizing and defending against divide-conquer-scanning worms

Internet worms are a significant security threat. Divide-conquer scanning is a simple yet effective technique that can potentially be exploited for future Internet epidemics. Therefore, it is imperative that defenders understand the characteristics of divide-conquer-scanning worms and study the effective countermeasures. In this work, we first examine the divide-conquer-scanning worm and its potential to spread faster and stealthier than a traditional random-scanning worm. We then characterize the relationship between the propagation speed of divide-conquer-scanning worms and the distribution of vulnerable hosts through mathematical analysis and simulations. Specifically, we find that if vulnerable hosts follow a non-uniform distribution such as the Witty-worm victim distribution, divide-conquer scanning can spread a worm much faster than random scanning. We also empirically study the effect of important parameters on the spread of divide-conquer-scanning worms and a worm variant that can potentially enhance the infection ability at the late stage of worm propagation. Furthermore, to counteract such attacks, we discuss the weaknesses of divide-conquer scanning and study two defense mechanisms: infected-host removal and active honeynets. We find that although the infected-host removal strategy can greatly reduce the number of final infected hosts, active honeynets (especially uniformly distributed active honeynets) are more practical and effective to defend against divide-conquer-scanning worms.