A new worm propagation threat in BitTorrent: modeling and analysis

Peer-to-peer (P2P) networking technology has gained popularity as an efficient mechanism for users to obtain free services without the need for centralized servers. Protecting these networks from intruders and attackers is a real challenge. One of the constant threats on P2P networks is the propagation of active worms. Recent events show that active worms can spread automatically and flood the Internet in a very short period of time. Therefore, P2P systems can be a potential vehicle for active worms to achieve fast worm propagation in the Internet. Nowadays, BitTorrent is becoming more and more popular, mainly due its fair load distribution mechanism. Unfortunately, BitTorrent is particularly vulnerable to topology aware active worms. In this paper we analyze the impact of a new worm propagation threat on BitTorrent. We identify the BitTorrent vulnerabilities it exploits, the characteristics that accelerate and decelerate its propagation, and develop a mathematical model of their propagation. We also provide numerical analysis results. This will help the design of efficient detection and containment systems.     

一种基于网状关联分析的网络蠕虫预警新方法

通过对网络蠕虫行为模式的分析,提出一种基于网状关联分析的网络蠕虫预警的新方法,并设计了预警算法,建立了网络蠕虫预警模型和基于预警算法的原型系统,最后给出相关实验数据和分析结果。与现有的网络蠕虫检测方法相比校,新方法更加有效,而且能够预警未知的网络蠕虫。     

Peer to Peer Networks for Defense Against Internet Worms

Internet worms, which spread in computer networks without human mediation, pose a severe threat to computer systems today. The rate of propagation of worms has been measured to be extremely high and they can infect a large fraction of their potential hosts in a short time. We study two different methods of patch dissemination to combat the spread of worms. We first show that using a fixed number of patch servers performs inadequately against Internet worms. We then show that by exploiting the exponential data dissemination capability of P2P systems, the spread of worms can be halted effectively. We compare the two methods by using fluid models to compute two quantities of interest: the time taken to effectively combat the progress of the worm, and the maximum number of infected hosts. We validate our models using simulations.     

Multi-agent system for Worm Detection and Containment in Metropolitan Area Networks

Active worms can cause widespread damages at so high a speed that effectively precludes humandirected reaction, and patches for the worms are always available after the damages have been caused, which has elevated them self to a first-class security threat to Metropolitan Area Networks （MAN）. Multi-agent system for Worm Detection and Containment in MAN （MWDCM） is presented to provide a first-class automatic reaction mechanism that automatically applies containment strategies to block the propagation of the worms and to protect MAN against worm scan that wastes a lot of network bandwidth and crashes the routers. Its user agent is used to detect the known worms. Worm detection agent and worm detection correlation agent use two-stage based decision method to detect unknown worms. They adaptively study the accessing in the whole network and dynamically change the working parameters to detect the unknown worms. MWDCM confines worm infection within a macro-cell or a micro-cell of the metropolitan area networks, the rest of the accesses and hosts continue functioning without disruption. MWDCM integrates Worm Detection System （WDS） and network management system. Reaction measures can be taken by using Simple Network Management Protocol （SNMP） interface to control broadband access server as soon as the WDS detect the active worm. MWDCM is very effective in blocking random scanning worms. Simulation results indicate that high worm infection rate of epidemics can be avoided to a degree by MWDCM blocking the propagation of the worms.     

基于通信特征分析的蠕虫检测和特征提取方法的研究

提出了一种基于通信特征分析的蠕虫检测与特征提取技术，在解析蠕虫传播过程中特有的通信模式的基础上，评估通信特征集合问的相似度，通过检测传染性来检测蠕虫，这种方法具有更高的检测精度、通用性和适应性。在此基础上设计了启发式检测体系结构，利用盲目跟踪、意向跟踪和锁定跟踪从通信协议、通信序列和通信内容3个层次逐级排除非蠕虫通信，筛选出蠕虫报文组，提取出蠕虫特征码。这种技术大幅缩减了采集量和分析量，能在高强度背景噪声的干扰快速检测蠕虫并提取出相应的特征。     

How to hook worms [computer network security]

This paper discusses the use of intrusion detection systems to protect against the various threats faced by computer systems by way of worms, viruses and other forms of attacks. Intrusion detection systems attempt to detect things that are wrong in a computer network or system. The main problems of these systems, however, are the many false alarms they produce, their lack of resistance to both malicious attacks and accidental failures, and the constant appearance of new attacks and vulnerabilities. IBM Zurich Research Laboratory has developed a system that specifically targets worms rather than trying to prevent all breaches of computer security. Called Billy Goat, the specialized worm detection system runs on a dedicated machine connected to the network and detects worm-infected machines anywhere in it. Billy Goat has been proven effective at detecting worm-infected machines in a network. It is currently used in several large corporate intranets, and it is normally able to detect infected machines within seconds of their becoming infected. Furthermore, not only is it able to detect the presence of a worm in the network, it can even provide the addresses of the infected machines. This makes it considerably easier to remedy the problem.     

企业内网蠕虫检测和控制研究

目前已有一些全球化的网络蠕虫监测方法,但这些方法并不能很好地适用于局域网.为此,文中提出一种使用本地网协同检测蠕虫的方法,该方法注重分析扫描蠕虫在本地网的行为,通过这些方法给出预警信息,以揭示蠕虫在本地网络中的活动情况。并针对不同的行为特性使用不同的处理方法.结果表明,该方法可以准确、快速地检测出入侵本地网络的扫描蠕虫。     

Cost Optimization in SIS Model of Worm Infection

Recently, there has been a constant barrage of worms over the Internet. Besides threatening network security, these worms create an enormous economic burden in terms of loss of productivity not only for the victim hosts, but also for other hosts, as these worms create unnecessary network traffic. Further, measures taken to filter these worms at the router level incur additional network delays because of the extra burden placed on the routers. To develop appropriate tools for thwarting the quick spread of worms, researchers are trying to understand the behavior of worm propagation with the aid of epidemiological models. In this study, we present an optimization model that takes into account infection and treatment costs. Using this model we can determine the level of treatment to be applied for a given rate of infection spread.     

基于随机进程代数的P2P网络蠕虫对抗传播特性分析

 研究P2P网络中良性蠕虫和恶意蠕虫在对抗传播过程中的特性,可为制定合理的蠕虫对抗策略提供科学依据.提出一种基于随机进程代数的P2P网络蠕虫对抗传播的建模与分析方法.首先,分析了传播过程中蠕虫之间的对抗交互行为以及网络节点的状态转换过程;然后,利用PEPA语法建立了恶意蠕虫初始传播阶段与蠕虫对抗阶段的随机进程代数模型;最后,采用随机进程代数的流近似方法,推导得到能够描述蠕虫传播特性的微分方程组,通过求解该方程组,分析得到P2P蠕虫的对抗传播特性.试验结果表明,良性蠕虫可以有效遏制P2P网络中的恶意蠕虫传播,但需要根据当前的网络条件制定科学的传播策略,以减少良性蠕虫自身的传播对网络性能的影响.     

Internet worm early detection and response mechanism

In recent years, fast spreading worm has become one of the major threats to the security of the Internet and has an increasingly fierce tendency.In view of the insufficiency that based on Kalman filter worm detection algorithm is sensitive to interval, this article presents a new data collection plan and an improved worm early detection method which has some deferent intervals according to the epidemic worm propagation model, then proposes a worm response mechanism for slowing the wide and fast worm propagation effectively.Simulation results show that our methods are able to detect worms accurately and early.     

基于潜伏期的网络蠕虫传播模型及其仿真分析

随着Internet的迅速发展，网络蠕虫已严重威胁着网络信息安全。现有的网络蠕虫传播模型仅仅考虑了网络蠕虫传播的初始阶段和达到稳定状态时的网络特性．不能刻画网络蠕虫快速传播阶段的网络特性。文章运用系统动力学的理论和方法．建立一种基于潜伏期的网络蠕虫传播模型，能够从定性和定量两方面分析和预测网络蠕虫传播趋势。模拟结果表明网络蠕虫潜伏期与免疫措施强度是影响网络蠕虫传播过程的重要因素。     

Is early warning of an imminent worm epidemic possible?

This article introduces a novel anomaly detection method that makes use of only matrix operations and is highly sensitive to randomness in traffic. The sensitivity can be leveraged to detect attacks that exude randomness in traffic characteristics, such as denial-of-service attacks and worms. In particular, we show that the method can be used to alert of the imminent onset of a worm epidemic in a statistically sound manner, irrespective of the worm's scanning strategies.     

The monitoring and early detection of Internet worms

After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagating worm can quickly spread across the Internet and cause severe damage to our society. Facing this great security threat, we need to build an early detection system that can detect the presence of a worm in the Internet as quickly as possible in order to give people accurate early warning information and possible reaction time for counteractions. This paper first presents an Internet worm monitoring system. Then, based on the idea of "detecting the trend, not the burst" of monitored illegitimate traffic, we present a "trend detection" methodology to detect a worm at its early propagation stage by using Kalman filter estimation, which is robust to background noise in the monitored data. In addition, for uniform-scan worms such as Code Red, we can effectively predict the overall vulnerable population size, and estimate accurately how many computers are really infected in the global Internet based on the biased monitored data. For monitoring a nonuniform scan worm, especially a sequential-scan worm such as Blaster, we show that it is crucial for the address space covered by the worm monitoring system to be as distributed as possible.     

基于自动特征提取的大规模网络蠕虫检测

蠕虫由于传播速度很快在网络中造成了严重的危害,对蠕虫进行自动的快速检测成了一项必需的研究。研究了在大规模网络中,利用流量异常发现模块从网络中发现异常数据集,然后自动进行特征提取,进而将特征更新到特征检测的特征库中进行特征检测的方法,实现对未知蠕虫的检测。本系统能够快速地发现新的疫情,作为蠕虫的自动防御的基础。     

P2P网络中被动型蠕虫传播与免疫建模

鉴于被动型蠕虫的危害性,对被动型蠕虫进行了深入分析,进而基于平均场法建立了被动型蠕虫的传播模型和免疫模型.基于传播模型和流行病传播学理论推导出进入无蠕虫平衡状态的充分条件,仿真实验证明了该充分条件的正确性.另外,仿真实验还表明,下载率和恢复率是控制蠕虫传播的两个可控的关键参数.在免疫软件被编制出来前,降低下载率和提高恢复率能有效控制被动型蠕虫的传播.     

自定义蜜罐在抵御蠕虫攻击中的应用研究

全文分析了蠕虫病毒的危害和特征,提出一种自定义蜜罐系统的设计:结合入侵检测、虚拟蜜罐和数据挖掘技术,把自定义蜜罐置于DMZ中,利用欺骗地址空间技术捕获已知蠕虫,延缓未知蠕虫的扫描速度,并对相关日志进行数据挖掘,更新入侵检测系统的规则集,以便在遭受后续攻击时做出响应。探讨了自定义蜜罐系统在抵御蠕虫病毒攻击中的可行性和应用实现。     

A stochastic worm model

Internet worm infection continues to be one of top security threats and has been widely used by botnets to recruit newbots. In order to defend against future worms, it is important to understand how worms propagate and how different scanning strategies affect worm propagation dynamics. In our study, we present a (stochastic) continuous-time Markov chain model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms, and further for local preference scanning worms and flash worms. Specifically, for uniform and local preference scanning worms, we are able to (1) provide a precise condition that determines whether the worm spread would eventually stop and (2) obtain the distribution of the total number of infected hosts. By using the same modeling approach, we reveal the underlying similarity and relationship between uniform scanning and local preference scanning worms. Finally, we validate the model by simulating the propagation of worms.     

面向异构网络环境的蠕虫传播模型Enhanced-AAWP

合理地建立蠕虫传播模型将有助于更准确地分析蠕虫在网络中的传播过程。首先通过对分层的异构网络环境进行抽象,在感染时间将影响到蠕虫传播速度的前提下使用时间离散的确定性建模分析方法,推导出面向异构网络环境的蠕虫传播模型Enhanced-AAWP。进而基于Enhanced-AAWP模型分别对本地优先扫描蠕虫和随机扫描蠕虫进行深入分析。模拟结果表明,NAT子网的数量、脆弱性主机在NAT子网内的密度以及本地优先扫描概率等因素都将对蠕虫在异构网络环境中的传播过程产生重要的影响。     

网络拓扑对Email蠕虫传播影响的分析与仿真

分析了Email蠕虫与传统蠕虫在扩散传播行为上的不同,着重研究了网络拓扑结构对Email蠕虫传播行：匆的影响,通过对power law网络模型,小世界（small world）拓扑模型和随机拓扑模型三种网络结构的分析设计与仿真实验,提出了Email蠕虫在power law拓扑模型传播速度最快并且易于感染高连接度节点的结论。     

Modeling the spread of internet worms via persistently unpatched hosts

This article considers the effects of Internet worms on persistently unpatched hosts and hosts for which vulnerabilities are refreshed. Previous models have been homogeneous; that is, all hosts transitioned through the same set of states. The model considered in this article is heterogeneous and more realistic in that subpopulations of hosts are assumed to have inherently different characteristics. Equilibrium conditions are obtained for which an Internet worm will self-propagate indefinitely, which lead to thresholds below which worms will become extinct.