基于随机实验的蠕虫传播预测研究

蠕虫传播预测是蠕虫防御的基础之一，但随着蠕虫扫描策略日趋多样和互联网结构逐步复杂，在蠕虫爆发初期及时建立精确的蠕虫传播模型变得越来越困难。利用随机仿真实验来模拟蠕虫在网络中的传播行为，通过统计分析仿真实验结果，发现蠕虫传播实验结果是一个随机过程，而实验结果间存在很高的线性相关性。由此提出一种基于仿真实验统计结果的蠕虫传播趋势预测方法，该方法可以利用0．1％存在漏洞主机的感染信息精确的预测蠕虫传播趋势。     

A stochastic worm model

Internet worm infection continues to be one of top security threats and has been widely used by botnets to recruit newbots. In order to defend against future worms, it is important to understand how worms propagate and how different scanning strategies affect worm propagation dynamics. In our study, we present a (stochastic) continuous-time Markov chain model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms, and further for local preference scanning worms and flash worms. Specifically, for uniform and local preference scanning worms, we are able to (1) provide a precise condition that determines whether the worm spread would eventually stop and (2) obtain the distribution of the total number of infected hosts. By using the same modeling approach, we reveal the underlying similarity and relationship between uniform scanning and local preference scanning worms. Finally, we validate the model by simulating the propagation of worms.     

基于潜伏期的网络蠕虫传播模型及其仿真分析

随着Internet的迅速发展，网络蠕虫已严重威胁着网络信息安全。现有的网络蠕虫传播模型仅仅考虑了网络蠕虫传播的初始阶段和达到稳定状态时的网络特性．不能刻画网络蠕虫快速传播阶段的网络特性。文章运用系统动力学的理论和方法．建立一种基于潜伏期的网络蠕虫传播模型，能够从定性和定量两方面分析和预测网络蠕虫传播趋势。模拟结果表明网络蠕虫潜伏期与免疫措施强度是影响网络蠕虫传播过程的重要因素。     

蠕虫正则表达式特征自动提取技术研究

提出一种实用的蠕虫正则表达式特征自动提取方法,该方法由蠕虫传播网络流样本获取、特征树生成、高假阳性特征剔除、特征融合这4步组成。该方法的优点是可输出具有强描述能力的包含“.*”、“.{k}”、“|”、“(c){k}”等元字符的正则表达式特征。基于蜜罐系统Honeybow实现了该方法,并针对互联网上数种真实蠕虫进行了实验。实验结果表明,该方法可以准确地提取真实蠕虫的正则表达式特征,可以在蜜罐、蠕虫及恶意代码分析等系统中应用。     

Cost Optimization in SIS Model of Worm Infection

Recently, there has been a constant barrage of worms over the Internet. Besides threatening network security, these worms create an enormous economic burden in terms of loss of productivity not only for the victim hosts, but also for other hosts, as these worms create unnecessary network traffic. Further, measures taken to filter these worms at the router level incur additional network delays because of the extra burden placed on the routers. To develop appropriate tools for thwarting the quick spread of worms, researchers are trying to understand the behavior of worm propagation with the aid of epidemiological models. In this study, we present an optimization model that takes into account infection and treatment costs. Using this model we can determine the level of treatment to be applied for a given rate of infection spread.     

面向异构网络环境的蠕虫传播模型Enhanced-AAWP

合理地建立蠕虫传播模型将有助于更准确地分析蠕虫在网络中的传播过程。首先通过对分层的异构网络环境进行抽象,在感染时间将影响到蠕虫传播速度的前提下使用时间离散的确定性建模分析方法,推导出面向异构网络环境的蠕虫传播模型Enhanced-AAWP。进而基于Enhanced-AAWP模型分别对本地优先扫描蠕虫和随机扫描蠕虫进行深入分析。模拟结果表明,NAT子网的数量、脆弱性主机在NAT子网内的密度以及本地优先扫描概率等因素都将对蠕虫在异构网络环境中的传播过程产生重要的影响。     

Internet worm early detection and response mechanism

In recent years, fast spreading worm has become one of the major threats to the security of the Internet and has an increasingly fierce tendency.In view of the insufficiency that based on Kalman filter worm detection algorithm is sensitive to interval, this article presents a new data collection plan and an improved worm early detection method which has some deferent intervals according to the epidemic worm propagation model, then proposes a worm response mechanism for slowing the wide and fast worm propagation effectively.Simulation results show that our methods are able to detect worms accurately and early.     

一种基于网状关联分析的网络蠕虫预警新方法

通过对网络蠕虫行为模式的分析,提出一种基于网状关联分析的网络蠕虫预警的新方法,并设计了预警算法,建立了网络蠕虫预警模型和基于预警算法的原型系统,最后给出相关实验数据和分析结果。与现有的网络蠕虫检测方法相比校,新方法更加有效,而且能够预警未知的网络蠕虫。     

A new worm exploiting IPv6 and IPv4-IPv6 dual-stack networks: experiment, modeling, simulation, and defense

It is commonly believed that the IPv6 protocol can provide good protection against network worms that try to find victims through random address scanning due to its huge address space. However, we discover that there is serious vulnerability in terms of worm propagation in IPv6 and IPv4-IPv6 dual-stack networks. It is shown in this article that a new worm can collect the IPv6 addresses of all running hosts in a local subnet very quickly, leading to accelerated worm propagation. Similar to modeling the self-replicating behaviors of biological viruses, a Species-Patch model and a discrete-time simulator are developed to study how the dual-stack worm spreads in networks with various topologies. It is shown that the worm could propagate in the IPv6 and IPv4-IPv6 dual-stack networks much faster than in the current IPv4 Internet. Several effective defense strategies focusing on network deployment are proposed.     

基于马尔可夫链的网络蠕虫传播模型

提出了网络蠕虫的随机传播模型。首先,基于马尔可夫链对于网络蠕虫进行了建模,并且讨论了模型的极限分布以及平稳分布的存在性。然后,讨论了网络蠕虫在传播初期灭绝的充要条件以及在传播后期灭绝的必要条件。最后,讨论了网络蠕虫的传播规模。仿真实验对于模型进行了验证,讨论了模型中传播参数,时间参数以及漏洞主机数等相关参数对于网络蠕虫传播的影响,并且与G-W模型进行了数据对比,说明了本模型的优势。     

Multi-agent system for Worm Detection and Containment in Metropolitan Area Networks

Active worms can cause widespread damages at so high a speed that effectively precludes humandirected reaction, and patches for the worms are always available after the damages have been caused, which has elevated them self to a first-class security threat to Metropolitan Area Networks （MAN）. Multi-agent system for Worm Detection and Containment in MAN （MWDCM） is presented to provide a first-class automatic reaction mechanism that automatically applies containment strategies to block the propagation of the worms and to protect MAN against worm scan that wastes a lot of network bandwidth and crashes the routers. Its user agent is used to detect the known worms. Worm detection agent and worm detection correlation agent use two-stage based decision method to detect unknown worms. They adaptively study the accessing in the whole network and dynamically change the working parameters to detect the unknown worms. MWDCM confines worm infection within a macro-cell or a micro-cell of the metropolitan area networks, the rest of the accesses and hosts continue functioning without disruption. MWDCM integrates Worm Detection System （WDS） and network management system. Reaction measures can be taken by using Simple Network Management Protocol （SNMP） interface to control broadband access server as soon as the WDS detect the active worm. MWDCM is very effective in blocking random scanning worms. Simulation results indicate that high worm infection rate of epidemics can be avoided to a degree by MWDCM blocking the propagation of the worms.     

Peer to Peer Networks for Defense Against Internet Worms

Internet worms, which spread in computer networks without human mediation, pose a severe threat to computer systems today. The rate of propagation of worms has been measured to be extremely high and they can infect a large fraction of their potential hosts in a short time. We study two different methods of patch dissemination to combat the spread of worms. We first show that using a fixed number of patch servers performs inadequately against Internet worms. We then show that by exploiting the exponential data dissemination capability of P2P systems, the spread of worms can be halted effectively. We compare the two methods by using fluid models to compute two quantities of interest: the time taken to effectively combat the progress of the worm, and the maximum number of infected hosts. We validate our models using simulations.     

基于云安全环境的蠕虫传播模型

云安全体系的出现标志着病毒检测和防御的重心从用户端向网络和后台服务器群转变,针对云安全体系环境,基于经典SIR模型提出了一种新的病毒传播模型(SIR_C)。SIR_C在考虑传统防御措施以及蠕虫造成的网络拥塞流量对自身传播遏制作用的基础上,重点分析了网络中云安全的部署程度和信息收集能力对蠕虫传播模型的影响。实验证明SIR_C模型是蠕虫传播研究在云安全环境下有意义的尝试。     

基于随机进程代数的P2P网络蠕虫对抗传播特性分析

 研究P2P网络中良性蠕虫和恶意蠕虫在对抗传播过程中的特性,可为制定合理的蠕虫对抗策略提供科学依据.提出一种基于随机进程代数的P2P网络蠕虫对抗传播的建模与分析方法.首先,分析了传播过程中蠕虫之间的对抗交互行为以及网络节点的状态转换过程;然后,利用PEPA语法建立了恶意蠕虫初始传播阶段与蠕虫对抗阶段的随机进程代数模型;最后,采用随机进程代数的流近似方法,推导得到能够描述蠕虫传播特性的微分方程组,通过求解该方程组,分析得到P2P蠕虫的对抗传播特性.试验结果表明,良性蠕虫可以有效遏制P2P网络中的恶意蠕虫传播,但需要根据当前的网络条件制定科学的传播策略,以减少良性蠕虫自身的传播对网络性能的影响.     

Detecting Internet worms at early stage

Managing the security of enterprise networks has emerged to be a critical problem in the era of Internet economy. Arising as a leading threat, worms repetitively caused enormous damage to the Internet community during the past years. A new security service that monitors the ongoing worm activities on the Internet will greatly contribute to the security management of modern enterprise networks. This paper proposes an Internet-worm early warning system that automatically detects concerted scan activities and derives possible signatures of worm attacks. Its goal is to issue warning at the early stage of worm propagation and to provide necessary information for security analysts to control the damage. It reduces false positives by filtering out false scan sources. The system is locally deployable or can be codeployed amongst a group of enterprise networks. We provide both analytical and simulation studies on the responsiveness of this early warning system.     

A new worm propagation threat in BitTorrent: modeling and analysis

Peer-to-peer (P2P) networking technology has gained popularity as an efficient mechanism for users to obtain free services without the need for centralized servers. Protecting these networks from intruders and attackers is a real challenge. One of the constant threats on P2P networks is the propagation of active worms. Recent events show that active worms can spread automatically and flood the Internet in a very short period of time. Therefore, P2P systems can be a potential vehicle for active worms to achieve fast worm propagation in the Internet. Nowadays, BitTorrent is becoming more and more popular, mainly due its fair load distribution mechanism. Unfortunately, BitTorrent is particularly vulnerable to topology aware active worms. In this paper we analyze the impact of a new worm propagation threat on BitTorrent. We identify the BitTorrent vulnerabilities it exploits, the characteristics that accelerate and decelerate its propagation, and develop a mathematical model of their propagation. We also provide numerical analysis results. This will help the design of efficient detection and containment systems.     

Further results on local stability of REM algorithm with time-varying delays

This letter presents some further results on the local stability in equilibrium for Internet congestion control algorithm proposed by Low et al., (IEEE/ACM Transactions on Networking, 1999). The propagation delay d(t) is assumed to be time-varying and have maximum and minimum delay bounds (i.e., d/sub m//spl les/d(t)/spl les/d/sub M/), which is more general than the assumption (0相似文献   

The monitoring and early detection of Internet worms

After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagating worm can quickly spread across the Internet and cause severe damage to our society. Facing this great security threat, we need to build an early detection system that can detect the presence of a worm in the Internet as quickly as possible in order to give people accurate early warning information and possible reaction time for counteractions. This paper first presents an Internet worm monitoring system. Then, based on the idea of "detecting the trend, not the burst" of monitored illegitimate traffic, we present a "trend detection" methodology to detect a worm at its early propagation stage by using Kalman filter estimation, which is robust to background noise in the monitored data. In addition, for uniform-scan worms such as Code Red, we can effectively predict the overall vulnerable population size, and estimate accurately how many computers are really infected in the global Internet based on the biased monitored data. For monitoring a nonuniform scan worm, especially a sequential-scan worm such as Blaster, we show that it is crucial for the address space covered by the worm monitoring system to be as distributed as possible.     

Improving wireless sensor networks performance through epidemic model

Wireless sensor networks (WSNs) encounter a critical challenge of ‘Network Security’ due to extreme operational constraints. The origin of the challenge begins with the entry of worms in the wireless network. Just one infected node is enough to spread the worms across the entire network. The infected node rapidly infects the neighbouring nodes in an unstoppable manner. In this paper, a mathematical model is proposed based on epidemic theory. It is an improvement of the Susceptible-Infectious-Recovered-Susceptible (SIRS) and Susceptible-Exposed-Infectious-Susceptible (SEIS) model. We propose Susceptible-Exposed-Infectious-Recovered-Susceptible (SEIRS) model that overcomes the drawbacks of existing models. The proposed ameliorated model includes a finite communication radius and the associated node density. We obtain basic reproduction number which determines the local and global propagation dynamics of worm in the WSNs. Also, we deduce expression for threshold for node density and communication radius. We investigated the control mechanism against worm propagation. We compare the proposed model with various existing models and evaluate its performance on the basis of various performance metrics. The study confirms melioration in the vital aspects (security, network reliability, transmission efficiency, energy efficiency) for WSNs. The proposed SEIRS model provides an improved technique to restraint worms’ transmission in comparison to the existing models.     

A survey of internet worm detection and containment

Self-duplicating, self-propagating malicious codes known as computer worms spread themselves without any human interaction and launch the most destructive attacks against computer networks. At the same time, being fully automated makes their behavior repetitious and predictable. This article presents a survey and comparison of Internet worm detection and containment schemes. We first identify worm characteristics through their behavior, and then classify worm detection algorithms based on the parameters used in the algorithms. Furthermore, we analyze and compare different detection algorithms with reference to the worm characteristics by identifying the type of worms that can and cannot be detected by these schemes. After detecting the existence of worms, the next step is to contain them. This article explores the current methods used to slow down or stop the spread of worms. The locations to implement detection and containment, as well as the scope of each of these systems/methods, are also explored in depth. Finally, this article points out the remaining challenges of worm detection and future research directions.