Similar literature
Found 19 similar documents; search took 140 ms
1.
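A New Worm Early-Warning Method Based on the Propagation Behavior of Local Hosts   Total citations: 1, self-citations: 0, citations by others: 1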
田俊峰  张弛  刘涛  李宁 《通信学报》2007,28(5):80-89
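For early warning of worms that spread by vulnerability scanning, traditional methods have problems such as being unable to distinguish P2P data flows and being unable to detect worms that propagate over multiple ports. To address these problems, and drawing on an analysis of network worm behavior patterns, an improved algorithm is proposed and an early-warning model based on it is built. Finally, the feasibility and performance of the method are analyzed, showing that the new method gives more effective early warning of unknown network worms.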

2.
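Network worms pose a great threat to Internet security because of their powerful propagation capability. This paper proposes a new method for the early detection of and defense against network worms, comprising a detection algorithm based on the port/destination-address relationship and an expiration algorithm modeled on page-scheduling algorithms. Simulation experiments on an improved NS2 platform show that the method is efficient and practical.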

3.
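Network worms replicate themselves, damage target systems and congest networks, posing a huge threat to Internet security. By analyzing the propagation flow and behavioral characteristics of worm programs, this paper proposes a new method of defending against network worm attacks based on a real-time monitoring and detection mechanism. The method can discover a network worm attack promptly, at the moment low-level operating system functions are called, and stop the worm from spreading further.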

4.
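With the rapid development of the Internet, the threat that worms pose to network security is becoming increasingly serious. This paper introduces the concepts, propagation methods, characteristics and harm of worms, analyzes the main current early-warning and detection methods for network worms, and discusses methods for isolating and controlling them.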

5.
张宏琳 《电子世界》2014,(17):70-71
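Scanning of computer systems on the network is the first step in network worm propagation, and the worm scanning algorithm is a basic element in the study of worm propagation characteristics. Through a study of common network worm scanning algorithms, this paper classifies them and analyzes the basic principle and characteristics of each scanning method.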

6.
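Detection of network worms is the first step in guarding against them and plays a very important role in successful prevention. Through a study of common network worm detection algorithms, this paper classifies them and analyzes the basic principle of each detection method.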

7.
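With the rapid development of the Internet, network worms have come to seriously threaten network information security. Existing network worm propagation models consider only the network characteristics in the initial stage of propagation and at steady state, and cannot characterize the network during the fast-propagation stage. Using the theory and methods of system dynamics, this article builds a network worm propagation model based on the latent period, which can analyze and predict worm propagation trends both qualitatively and quantitatively. Simulation results show that the worm's latent period and the strength of immunization measures are important factors affecting the propagation process.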

8.
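Network worms can spread automatically by exploiting system vulnerabilities, causing network congestion, and are highly destructive. Using honeypots against network worms is currently an effective technique, but existing techniques are mainly limited to using honeypots alone, and detection efficiency is low. Building on honeypot-based countermeasures, this paper combines NIDS and firewall technology and proposes an integrated, coordinated scheme for countering network worms. Experiments on typical network worms show that coordinated countermeasures based on this scheme can deal with worm attacks more effectively.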

9.
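Distributed Worm Traffic Detection Technology   Total citations: 2, self-citations: 0, citations by others: 2
The propagation characteristics of network worms and existing detection methods are analyzed. For slow-propagating worms, a detection algorithm based on traffic-anomaly propagation sequences is proposed, and a distributed system architecture that combines the detection results of multiple subnets further improves detection accuracy. Simulation experiments show that, from traffic features, the algorithm can detect a worm's propagation behavior in the early stage of slow propagation and obtain the network protocol and target port used for propagation.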

10.
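Based on the characteristics of network worm attacks, an early detection system for network worms based on failed-connection analysis is proposed. The system detects worms by analyzing in real time how far the distribution of failed-connection traffic deviates from the normal state, and further reduces the false-positive rate of worm detection by analyzing the self-similarity of the failed-connection set. Experimental results on a prototype system show that it can detect unknown types of network worm attack in real time and analyze the network transmission characteristics of worm scanning and the list of possibly infected hosts within the network. Compared with existing methods, the system is more sensitive to early worm scanning behavior and has a lower false-positive rate.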

11.
Internet worm infection continues to be one of the top security threats and has been widely used by botnets to recruit new bots. In order to defend against future worms, it is important to understand how worms propagate and how different scanning strategies affect worm propagation dynamics. In our study, we present a (stochastic) continuous-time Markov chain model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms, and further for local preference scanning worms and flash worms. Specifically, for uniform and local preference scanning worms, we are able to (1) provide a precise condition that determines whether the worm spread would eventually stop and (2) obtain the distribution of the total number of infected hosts. By using the same modeling approach, we reveal the underlying similarity and relationship between uniform scanning and local preference scanning worms. Finally, we validate the model by simulating the propagation of worms.

12.
A survey of internet worm detection and containment   Total citations: 1, self-citations: 0, citations by others: 1
Self-duplicating, self-propagating malicious codes known as computer worms spread themselves without any human interaction and launch the most destructive attacks against computer networks. At the same time, being fully automated makes their behavior repetitious and predictable. This article presents a survey and comparison of Internet worm detection and containment schemes. We first identify worm characteristics through their behavior, and then classify worm detection algorithms based on the parameters used in the algorithms. Furthermore, we analyze and compare different detection algorithms with reference to the worm characteristics by identifying the type of worms that can and cannot be detected by these schemes. After detecting the existence of worms, the next step is to contain them. This article explores the current methods used to slow down or stop the spread of worms. The locations to implement detection and containment, as well as the scope of each of these systems/methods, are also explored in depth. Finally, this article points out the remaining challenges of worm detection and future research directions.

13.
The monitoring and early detection of Internet worms   Total citations: 5, self-citations: 0, citations by others: 5
After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagating worm can quickly spread across the Internet and cause severe damage to our society. Facing this great security threat, we need to build an early detection system that can detect the presence of a worm in the Internet as quickly as possible in order to give people accurate early warning information and possible reaction time for counteractions. This paper first presents an Internet worm monitoring system. Then, based on the idea of "detecting the trend, not the burst" of monitored illegitimate traffic, we present a "trend detection" methodology to detect a worm at its early propagation stage by using Kalman filter estimation, which is robust to background noise in the monitored data. In addition, for uniform-scan worms such as Code Red, we can effectively predict the overall vulnerable population size, and estimate accurately how many computers are really infected in the global Internet based on the biased monitored data. For monitoring a nonuniform scan worm, especially a sequential-scan worm such as Blaster, we show that it is crucial for the address space covered by the worm monitoring system to be as distributed as possible.

14.
刘波  王怀民  肖枫涛  陈新 《通信学报》2011,32(12):103-113
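Building a sound worm propagation model helps analyze more accurately how worms spread through a network. First, by abstracting the layered heterogeneous network environment and using a discrete-time deterministic modeling approach under the premise that infection time affects worm propagation speed, the worm propagation model Enhanced-AAWP for heterogeneous network environments is derived. Local-preference scanning worms and random scanning worms are then each analyzed in depth on the basis of the Enhanced-AAWP model. Simulation results show that factors such as the number of NAT subnets, the density of vulnerable hosts within NAT subnets, and the local-preference scanning probability all have an important effect on worm propagation in heterogeneous network environments.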

15.
The security threat posed by worms has steadily increased in recent years. This paper discusses the application of the optimal and sub-optimal Internet worm control via Pontryagin's maximum principle. To this end, a control variable representing the optimal treatment strategy for infectious hosts is introduced into the two-factor worm model. The numerical optimal control laws are implemented by the multiple shooting method and the sub-optimal solution is computed using genetic algorithms. Simulation results demonstrate the effectiveness of the proposed optimal and sub-optimal strategies. It also provides a theoretical interpretation of the practical experience that the maximum implementation of treatment in the early stage is critically important in controlling outbreaks of Internet worms. Furthermore, our results show that the proposed sub-optimal control can lead to performance close to the optimal control, but with much simpler strategies for long periods of time in practical use.

16.
In recent years, fast-spreading worms have become one of the major threats to the security of the Internet, with an increasingly fierce tendency. In view of the shortcoming that the Kalman-filter-based worm detection algorithm is sensitive to the interval, this article presents a new data collection plan and an improved worm early detection method which has different intervals according to the epidemic worm propagation model, then proposes a worm response mechanism for effectively slowing wide and fast worm propagation. Simulation results show that our methods are able to detect worms accurately and early.

17.
A computational approach is presented for modeling and quantifying the structure and dynamics of the nematode C. elegans observed by time-lapse microscopy. Worm shape and conformations are expressed in a decoupled manner. Complex worm movements are expressed in terms of three primitive patterns: peristaltic progression, deformation, and translation. The model has been incorporated into algorithms for segmentation and simultaneous tracking of multiple worms in a field, some of which may be interacting in complex ways. A recursive Bayesian filter is used for tracking. Unpredictable behaviors associated with interactions are resolved by multiple-hypothesis tracking. Our algorithm can track worms of diverse sizes and conformations (coiled/uncoiled) in the presence of imaging artifacts and clutter, even when worms are overlapping with others. A two-observer performance assessment was conducted over 16 image sequences representing wild-type and uncoordinated mutants as a function of worm size, conformation, presence of clutter, and worm entanglement. Overall detected tracking failures were 1.41%, undetected tracking failures were 0.41%, and segmentation errors were 1.11% of worm length. When worms overlap, our method reduced undetected failures from 12% to 1.75%, and segmentation error from 11% to 5%. Our method provides the basis for reliable morphometric and locomotory analysis of freely behaving worm populations.

18.
A computational approach is presented for modeling and quantifying the structure and dynamics of the nematode C. elegans observed by time-lapse microscopy. Worm shape and conformations are expressed in a decoupled manner. Complex worm movements are expressed in terms of three primitive patterns: peristaltic progression, deformation, and translation. The model has been incorporated into algorithms for segmentation and simultaneous tracking of multiple worms in a field, some of which may be interacting in complex ways. A recursive Bayesian filter is used for tracking. Unpredictable behaviors associated with interactions are resolved by multiple-hypothesis tracking. Our algorithm can track worms of diverse sizes and conformations (coiled/uncoiled) in the presence of imaging artifacts and clutter, even when worms are overlapping with others. A two-observer performance assessment was conducted over 16 image sequences representing wild-type and uncoordinated mutants as a function of worm size, conformation, presence of clutter, and worm entanglement. Overall detected tracking failures were 1.41%, undetected tracking failures were 0.41%, and segmentation errors were 1.11% of worm length. When worms overlap, our method reduced undetected failures from 12% to 1.75%, and segmentation error from 11% to 5%. Our method provides the basis for reliable morphometric and locomotory analysis of freely behaving worm populations.

19.
Peer-to-peer (P2P) networking technology has gained popularity as an efficient mechanism for users to obtain free services without the need for centralized servers. Protecting these networks from intruders and attackers is a real challenge. One of the constant threats on P2P networks is the propagation of active worms. Recent events show that active worms can spread automatically and flood the Internet in a very short period of time. Therefore, P2P systems can be a potential vehicle for active worms to achieve fast worm propagation in the Internet. Nowadays, BitTorrent is becoming more and more popular, mainly due to its fair load distribution mechanism. Unfortunately, BitTorrent is particularly vulnerable to topology-aware active worms. In this paper we analyze the impact of a new worm propagation threat on BitTorrent. We identify the BitTorrent vulnerabilities it exploits, the characteristics that accelerate and decelerate its propagation, and develop a mathematical model of their propagation. We also provide numerical analysis results. This will help the design of efficient detection and containment systems.
