网络蠕虫扩散策略研究

蠕虫在传播时所采取的扫描策略直接决定了蠕虫的感染速度和程度.论文对蠕虫传播时采用的不同扫描策略进行了深度分析,并建模比较.针对各种扩散策略的不足,提出了随机均匀扫描、基于路由扫描和预定义目标地址列表相结合的扫描策略,简称RRH-1扫描策略.经验证,和已有单一扩散策略相比,采用RRH-1扫描策略的蠕虫传播时具有快速、准确和流量小的优点.     

蠕虫扫描策略和流量模拟方法研究

对蠕虫扫描策略及其传播效率进行了深入分析;并提出了"带宽限制型 部分预定义目标地址列表 基于路由扫描 随机均匀扫描"的快速扫描策略.分析了各种蠕虫传播过程模拟方法和蠕虫流量模拟方法的优劣;并从统计意义上建立了"延迟限制型"蠕虫的周期性突发的扫描流量模型,结合混合层次模拟方法,能够为蠕虫模拟、检测和应对技术提供基础,同时减少了蠕虫模拟的复杂性.     

网络蠕虫扩散策略研究

蠕虫在传播时所采取的扫描策略直接决定了蠕虫的感染速度和程度。论文对蠕虫传播时采用的不同扫描策略进行了深度分析，并建模比较。针对各种扩散策略的不足，提出了随机均匀扫描、基于路由扫描和预定义目标地址列表相结合的扫描策略，简称RRH-1扫描策略。经验证，和已有单一扩散策略相比，采用RRH—l扫描策略的蠕虫传播时具有快速、准确和流量小的优点。     

一种基于P2P网络的蠕虫传播模型研究

P2P蠕虫是利用P2P机制进行传播的恶意代码.本文针对基于P2P(peer-to-peer)的大规模网络,对P2P蠕虫的传播展开相关研究.首先介绍三个基本的蠕虫传播模型,分析了引入良性蠕虫后的四种情况.然后根据几个P2P蠕虫的扫描策略之一,提出了基于P2P系统的网络对抗蠕虫传播模型,并进行了初步的模拟分析.     

基于拓扑结构的蠕虫防御策略仿真分析

提出了基于拓扑结构控制的蠕虫防御策略,并通过构建仿真模型对其进行了仿真验证分析.首先对蠕虫传播所依赖的拓扑结构的主要形式进行了分析,提出了相应的生成算法,并对算法的有效性进行了验证;随后提出了三种拓扑结构控制策略仿真模型;最后分别对这三种策略在不同拓扑结构下的蠕虫传播控制性能进行了仿真实验.实验结果证明:通过适当地控制拓扑结构,可以有效地遏制拓扑相关蠕虫传播.     

基于阳性选择的蠕虫检测系统

蠕虫通过发送网络服务请求搜寻感染目标,主机的异常网络服务请求可以作为蠕虫检测的依据.提出了一种蠕虫检测系统,基于阳性选择算法构造自体字符串集合描述主机的正常网络行为.自体字符串集合采用Bloom filter过滤器的形式表示,用于监视主机的网络行为以发现网络中可疑的网络服务请求.依据蠕虫的传播特征,采用二叉树的形式对所发现的可疑网络服务请求进行关联分析,通过无参CUSUM(cumulative sum)算法监视二叉树异常值的变化,从而及时、准确地发现蠕虫传播.GTNetS(Georgia Tech Network Simulation)平台的测试实验结果表明,所提出的蠕虫检测系统能够有效检测蠕虫,同时对于主机正常网络通信的影响较小.     

网络蠕虫的扫描策略分析

网络蠕虫已经严重威胁了网络的安全.为了有效防治网络蠕虫,首要任务必须清楚有什么扫描方法,以及这些扫描方法对蠕虫传播的影响.为此,本文构建了一个基于离散时间的简单蠕虫传播模型,通过对Code Red蠕虫传播的真实数据比较,验证了此模型的有效性.以此模型为基础,详细分析了蠕虫的不同扫描策略,如均匀扫描、目标列表扫描、路由扫描、分治扫描、本地子网、顺序扫描、置换扫描,并给出了相应的模型.     

P2P干预式蠕虫传播仿真分析*

对P2P干预式主动型蠕虫的传播机制进行了研究,指出其传播主要包括四个阶段:信息收集,攻击渗透、自我推进与干预激活。研究发现,P2P干预式蠕虫实际是一种拓扑蠕虫,能利用邻居节点信息准确地确定攻击目标,而且攻击非常隐蔽。采用仿真的方法研究了P2P相关参数对P2P干预式蠕虫传播的影响。仿真实验表明,潜伏主机激活率对干预式蠕虫传播的影响最大,而攻击率对干预式蠕虫传播的影响较小。     

基于社团并行发现的在线社交网络蠕虫抑制

随着在线社交网络(Online Social Network,OSN)的快速发展,OSN蠕虫已经成为最具威胁的网络安全问题之一.为了防止OSN蠕虫的快速传播,文中提出了一种基于社团并行发现的OSN蠕虫抑制方法.首先将分布式图计算框架Pregel和基于标签传播的社团发现算法(Label Propagation Algorithm,LPA)相结合,提出了一种能够处理大规模OSN网络社团发现问题的并行LPA算法(Parallel LPA,PLPA).其次,文中在PLPA算法的基础上给出了3种社团关键节点的选取策略,并提出了相应的OSN蠕虫抑制方法.最后,通过在两组真实数据集上进行的社团并行发现及OSN蠕虫抑制仿真实验证明了文中方法的有效性.     

IPV6网络中搜索引擎蠕虫的传播研究

针对传统蠕虫传播模型无法准确预测基于搜索引擎的蠕虫的传播问题,在IPv6网络环境下构建了一种基于搜索引擎的蠕虫-V6.MAMWorm,并在分层扫描策略的基础上提出了一种混合智能算法.在本地应用子网内扫描策略,在子网间应用搜索引擎扫描策略,从而建立了一种新型的蠕虫传播模型(multi-tierarchitecturemodel,MAM).仿真结果表明,V6-MAM-Worm在IPv6网络中具有更快的传播速度,其将对IPv6网络的安全性带来巨大的威胁.     

Defending against the propagation of active worms

Active worms propagate across networks by employing the various target discovery techniques. The significance of target discovery techniques in shaping a worm’s propagation characteristics is derived from the life cycle of a worm. The various target discovery techniques that could be employed by active worms are discussed. It is anticipated that future active worms would employ multiple target discovery techniques simultaneously to greatly accelerate their propagation. To accelerate a worm’s propagation, the slow start phase in the worm’s propagation must be shortened by letting the worm infect the first certain percentage of susceptible hosts as soon as possible. Strategies that future active worms might employ to shorten the slow start phase in their propagation are studied. Their respective cost-effectiveness is assessed. A novel active defense mechanism is proposed, which could be an emerging solution to the active worm problem. Our major contributions in this article are first, we found the combination of target discovery techniques that can best accelerate the propagation of active worms; second, we proposed several strategies to shorten a worm’s slow start phase in its propagation and found the cost-effective hit-list size and average size of internally generated target lists; third, we proposed a novel active defense mechanism and evaluated its effectiveness; and fourth, we proposed three novel discrete time deterministic propagation models of active worms.     

Containing large-scale worm spreading in the Internet by cooperative distribution of traffic filtering policies

The Internet is crucial to business, government, education and many other facets of society, but the easy access and wide usage of the most common network services make it a primary target for the propagation of viral infections or worms. It has been widely experienced that the massive worldwide spreading of very fast and aggressive worms may easily disrupt or damage the connectivity of large sections of the Internet, affecting millions of users. Classical containment strategies, based on manual application of traffic filters will be almost totally ineffective in the wide area. Consequently, developing an automated self-distributing containment strategy is the most viable way to defeat the worm propagation in an acceptable time The objective of our work is to develop a distributed and cooperative containment strategy based on having traffic filtering information dynamically disseminate throughout the network at a speed that is faster than (or at least comparable with) the propagation of worms. Our framework based on BGP extensions to distribute traffic filtering information has the advantage of using the existing infrastructure and inter-as communication channels. We envision that the above solution will be one of the most effective and challenging lines of defense against next-generation more aggressive worms.     

无标度网络上电子邮件蠕虫的传播与仿真

电子邮件蠕虫是引起因特网中垃圾邮件泛滥的原因之一,严重威胁着因特网。该文提出了一种无标度网络上电子邮件蠕虫的传播模型,它通过用户检查邮件的频率和打开邮件附件的概率来描述邮件用户的行为,仿真了蠕虫在无标度网络和随机网络中的传播。结果表明,蠕虫在无标度网络中的传播速度比在随机网络中快得多,对进一步研究蠕虫的防御具有重要的意义。     

Worm propagation and generic attacks

The defining task of propagating malicious code is to locate new targets to attack. Viruses search for files in a computer system to which to attach, whereas worms search for new targets to which to transmit themselves. Depending on their method of transmission, malicious code writers have developed different strategies for finding new victims. Worms transmitted via email have had great success propagating themselves because they find their next targets either by raiding a user's email address book or by searching through the user's mailbox. Such addresses are almost certain to be valid, permitting the worm to hijack the user's social web and exploit trust relationships. In most cases, the worm will craft its own message to send to the target, but some will wait for the user to send a message and attach themselves to it. Network worms, those that attack network services, must determine their next victim's IP address.     

一种无尺度网络上垃圾邮件蠕虫的传播模型

用有向图描述了电子邮件网络的结构,并分析了电子邮件网络的无尺度特性。在此基础上,通过用户检查邮件的频率和打开邮件附件的概率建立了一种电子邮件蠕虫的传播模型。分别仿真了电子邮件蠕虫在无尺度网络和随机网络中的传播,结果表明,邮件蠕虫在无尺度网络中的传播速度比在随机网络中更快,与理论分析相一致。     

基于博弈论研究社交网络内蠕虫的传播

社交网络内蠕虫的爆发对用户及社交网络造成了极大的威胁。将社交网络的普通用户和网络攻击者作为博弈双方,分析双方的行为策略集合及影响因素,得到收益矩阵的计算方法。基于博弈论确定用户面对信息超链接的点击概率,运行了仿真实验。实验结果表明,蠕虫伪装技术对蠕虫传播影响较大,用户安全意识程度则影响较小。当蠕虫危害度较小或信息价值度较大时,蠕虫传播速度将会加快。基于博弈论研究社交网络的蠕虫传播是可行的。     

动态环境下的主动蠕虫攻击分析

鉴于当前很少有传播模型充分考虑到P2P节点动态特征对主动蠕虫攻击的影响, 提出两个动态环境下的主动蠕虫传播模型。分析了主动蠕虫两种常见的攻击方式, 给出了相应攻击背景下的节点状态转换过程, 在综合考虑P2P节点动态特征的基础上提出了两种主动蠕虫传播模型, 并对所提出的模型进行了数值分析, 探讨动态环境下影响主动蠕虫传播速度的关键因素。实验结果表明, 通过提高P2P节点的离线率和免疫力可以有效地抑制主动蠕虫对P2P网络的攻击。     

Evaluation of various inverse docking schemes in multiple targets identification

The lack of accurate and efficient methods for target identification has been the bottleneck in drug discovery. In recent years, inverse docking has been applied as an efficient method in target identification, and several specific inverse docking strategies have been employed in academic and industrial researches. However, the effectiveness of these docking strategies in multiple targets identification is unclear. In this study, five inverse docking schemes were evaluated to find out the most effective approach in multiple targets identification. A target database containing a highly qualified dataset that is composed of 1714 entries from 1594 known drug targets covering 18 biochemical functions was collected as a testing pool for inverse docking. The inverse docking engines including GOLD, FlexX, Tarfisdock and two in-house target search schemes TarSearch-X and TarSearch-M were evaluated by eight multiple target systems in the dataset. The results show that TarSearch-X is the most effective method in multiple targets identification and validation among these five schemes, and the effectiveness of GOLD in multiple targets identification is also acceptable. Moreover, these two inverse docking strategies will also be helpful in predicting the undesirable effects of drugs, such as toxicity.