基于FPGA的硬件蠕虫检测系统的设计与实现

分析了现有的蠕虫检测算法的优缺点,提出了基于数据包统计的蠕虫检测算法。该算法简单有效,适合硬件实现。同时设计了一个硬件蠕虫检测系统,最终在FPGA上实现,并对其进行了仿真与综合,验证了设计的正确性。本检测系统适合用于嵌入网卡,实时监测蠕虫,所以该基于FPGA的硬件蠕虫检测系统对蠕虫的检测和抑制具有积极的意义。     

蠕虫建模仿真及检测技术研究进展

计算机网络蠕虫作为当前互联网所面临的最为严重的安全威胁之一,对其进行细致的研究显得尤为重要。为了体现网络蠕虫技术研究方面的最新成果,针对当前网络蠕虫技术研究领域的热门方向,整理并分析了蠕虫传播模型和蠕虫软件仿真技术等方面的研究思路和成果,并对多种新型的网络蠕虫检测技术进行了分析和评估。最后根据研究结果,对网络蠕虫技术研究的新方向进行了总结与展望。     

基于用户习惯的蠕虫的早期发现

在蠕虫传播时,由于扫描会产生大量的陌生访问,从而破坏用户的习惯。因而,对用户的习惯进行统计分类,在蠕虫发作时则能及时有效的发现蠕虫。对用户的行为进行了分析,提出了一种对蠕虫进行早期发现的新方法,并且实现了一个基于用户习惯的蠕虫早期发现系统。实验证明该方法能够有效快速的发现蠕虫的传播。由于用户的习惯多种多样,可以衍生出很多应用模型,因此具有很强的指导意义。     

高速实时的一种邮件蠕虫异常检测模型

提出了一种基于带泄漏的积分触发测量方法的电子邮件蠕虫异常检测方法,用来检测邮件蠕虫在传播过程中的流量异常。根据邮件流量所表现出的明显的日周期特性和周周期特性,首先计算出当前邮件流量和历史邮件流量的最小Hellinger距离,通过带泄漏的积分触发方法把邮件流量的Hellinger积累起来,从而把邮件蠕虫在传播过程中没有明显流量特征的慢速酝酿阶段的异常特征进行积累,达到在其进入快速传播期之前检测出异常的目的。检测过程只需要检查邮件的流量信息,因而适合大规模高速网络的异常检测。     

基于本地主机传播行为的蠕虫预警新方法

对于利用漏洞扫描技术传播的蠕虫进行预警，传统方法存在着诸如无法区分P2P数据流，无法检测利用多个端口传播蠕虫等问题。针对这些问题，结合对网络蠕虫行为模式的分析，提出了一种改进的算法，并建立了基于该算法的预警模型。最后对该方法的可行性和各项性能进行了分析，发现新方法能更有效的预警未知的网络蠕虫。     

基于通信特征分析的蠕虫检测和特征提取方法的研究

提出了一种基于通信特征分析的蠕虫检测与特征提取技术，在解析蠕虫传播过程中特有的通信模式的基础上，评估通信特征集合问的相似度，通过检测传染性来检测蠕虫，这种方法具有更高的检测精度、通用性和适应性。在此基础上设计了启发式检测体系结构，利用盲目跟踪、意向跟踪和锁定跟踪从通信协议、通信序列和通信内容3个层次逐级排除非蠕虫通信，筛选出蠕虫报文组，提取出蠕虫特征码。这种技术大幅缩减了采集量和分析量，能在高强度背景噪声的干扰快速检测蠕虫并提取出相应的特征。     

分布式蠕虫检测和遏制方法的研究

提出了一种分布式蠕虫遏制机制，它由两大部分组成：中央的数据处理中心和分布在各网关的感知器。中央的数据处理中心接收感知器的检测结果，并统计蠕虫的感染状况。分布在各网关的感知器监测网络行为并检测蠕虫是否存在。若检测到蠕虫的存在，感知器根据蠕虫的疫情状况，启动自适应的丢包机制。最后，实验结果证明了该遏制系统能够有效地遏制蠕虫的传播，保护网络的运行；尽可能小的干扰正常的网络行为。     

基于近邻关系特征的多态蠕虫防御方法

结合多态蠕虫的特点,着重考虑负载字节之间的关系,将蠕虫负载内部的近邻关系特征(NRS,neighbor-hood-relation signature)提取出来用于蠕虫检测。NRS建立在蠕虫负载内部相邻字节之间关系的基础上,体现了某些多态蠕虫各形态之间的共性特征,能够更灵活地对多态蠕虫进行检测。设计了NRSGA(NRS generating algorithm)算法来提取1-NRS、2-NRS和(1,2)-NRS,并分别进行了实验,以测试特征提取过程的正确性和NRS检测蠕虫的有效性。实验结果表明,与其他方法相比,NRS在检测多态蠕虫时具有更低的漏报率,能够更好地防御多态蠕虫的传播。     

模型检验下蠕虫病毒检测器的设计与实现

现在蠕虫病毒检测技术主要是基于病毒特征库,通过特征码的匹配来确定。这种方法的主要缺点是病毒特征库的更新总是滞后于病毒的发布,实时性效果较差。这里提出了一种新的方法,采用模型检验技术的方法,结合蠕虫病毒的入侵原理,改进计算逻辑树的规范设计,从汇编代码层面对蠕虫病毒行为进行特征提取,有效建模,实验结果显示这种方法能够有效地检测蠕虫病毒及其变种。     

一种基于暗网的蠕虫早期检测方法

为了对网络蠕虫等网络攻击行为进行早期检测,论文设计实现了一个基于暗网的可视化的早期检测系统,并采用实际网络实验的方法,在某专用网络中进行实验,结果表明该系统在专用网络中比传统入侵检测系统更早发现蠕虫,且时间提前量十分可观。     

小波包分析在薄板腐蚀检测中的应用

本文为了快速检测薄板的腐蚀状况对薄板进行主动的全波检测,首先用压电元件产生激励信号并采集传播后的响应信号,然后利用小波包的高时频分析能力对包含缺陷信息的响应信号进行频率带的细分,对各系数进行重构,提取各频率带信号的能量特征,最后分析缺陷和能量向量的映射关系,并建立能量向量-缺陷映射库,从而可以从能量向量直接判断薄板的健康状况,这为快速检测薄板的腐蚀状况提供一种新的技术手段。用小波包对信号进行处理,可以把信号分解到想要的任意细节,很巧妙地将各个频段信号分离,从而方便的达到提取能量向量的目的。     

Wireless sensor networks for intrusion detection: packet traffic modeling

Performance evaluation of wireless sensor network (WSN) protocols requires realistic data traffic models since most of the WSNs are application specific. In this letter, a sensor network packet traffic model is derived and analyzed for intrusion detection applications. Presented analytical work is also validated using simulations.     

Sizing a packet reassembly buffer at a host computer in an ATMnetwork

This paper develops a queueing model of a buffer that collects cells for reassembly into packets for a protocol layer above the asynchronous transfer mode (ATM) layer. Whenever the buffer fills with all packets incomplete, a packet must be sacrificed to make room for others. The queueing model estimates the equilibrium fraction of packets sacrificed under one algorithm for selecting the packet to be sacrificed. The paper also uses simulation to compare three sacrifice algorithms. The model's predicted packet loss probabilities bound from above the loss probabilities in the simulations of the different algorithms. Applications to sizing the buffer for a prescribed loss probability are given     

IPv6网络环境下的蠕虫传播模型研究

研究了IPv6网络中,蠕虫在子网间和子网内传播的多种扫描策略;讨论了基于P2P的去重复和可控机制;研究了一种能够在IPv6网络中形成大规模传播的新型混合式蠕虫——NHIW。NHIW具有随机扫描蠕虫的特点,同时能够迅速获取子网内的易感染活跃主机IPv6地址,并能解决重复感染的问题。通过研究NHIW不同传播阶段的时延,理论分析其传播率,建立了NHIW的3层传播模型TLWPM。实验表明,NHIW能够在IPv6网络中形成大规模传播。最后,针对NHIW的特点,讨论了相关防御策略。     

数据包探测法在解决网络故障中的应用

网络故障排查是一个十分复杂的过程。本文分析了网络故障排查的特点和常用方法，提出了以网络探测数据包发送和确认为基础的通信链路检查方法。     

视频监控下利用记忆力增强自编码的行人异常行为检测

随着视频监控数据的快速增长,对大规模视频数据的自动异常检测的需求越来越大,基于深度自编码器重构误差检测方法已经被广泛探讨。但是,有时自编码器“泛化”得很好,能够很好地重建异常并导致漏检。为了解决这个问题,提出了采用记忆力模块来增强自动编码器,称为记忆力增强自编码（Memory-augmented autoencoder, Memory AE）方法。给定输入,Memory AE首先从编码器获取编码,然后将其用作查询以检索最相关的记忆项来进行重建。在训练阶段,记忆内容被更新以表示正常数据的原型元素。在测试阶段,将学习到的记忆元素固定下来,从正常数据的几个选定的记忆记录中获得重建,因此重建将趋向于接近正常样本。因此,将加强对异常的重构误差以进行异常检测。对两个公共视频异常检测数据集,即Avenue数据集和ShanghaiTech数据集的研究证明了所提出方法的有效性。     

An adaptive algorithm for optimizing the packet size used in wireless ARQ protocols

We develop an algorithm that allows an ARQ protocol to dynamically optimize the packet size based on estimates of the channel biterrorrate. Our algorithm is particularly useful for wireless and satellite channels where the biterrorrates tend to be relatively high and time variable. Our algorithm uses the acknowledgment history to make estimates of the channel biterrorrate, based on which the optimal packet size can be chosen. We develop a Markov chain model for the analysis of the system, under static channel conditions, and show that the algorithm can achieve close to optimal performance using a history of just 10,000 bits. We also use the Gilbert–Elliott twostate Markov channel to model dynamic channel conditions. We show, through simulation, that the algorithm performs well even under rapidly changing channel conditions. Finally, we discuss a maximum likelihood approach for choosing the packet size, which performs almost optimally but is much easier to implement.     

Link failure detection for maintaining session continuity in packet data networks

A link failure in the path of a virtual circuit in a packet data network will lead to premature disconnection of the circuit by the end-points. A soft failure will result in degraded throughout over the virtual circuit. If these failures can be detected quickly and reliably, then appropriate rerouteing strategies can automatically reroute the virtual circuits that use the failed facility. In this paper, we develop a methodology for analysing and designing failure detection schemes for digital facilites. Based on errored second data, we develop a Markov model for the error and failure behaviour of a T1

1 T1 carrier, the lowest level in the plesiochronous digital carrier hierarchy in the United States. AT1 carrier has a payload of 24 64Kbps PCM channels.

trunk. The performance of a detection scheme is characterized by its false alarm probability and the detection delay. Using the Markov model, we analyse the performance of detection schemes that use physical layer or link layer information. The schemes basically rely upon detecting the occurrence of severely errored seconds (SESs). A failure is declared when a counter, that is driven by the occurrence of SESs, reaches a certain threshold. For hard failures, the design problem reduces to a proper choice of the threshold at which failure is declared, and on the connection. reattempt parameters of the virtual circuit end-point session recovery procedures. For soft failures, the performance of a detection scheme depends, in addition, on how long and how frequent the error bursts are in a given failure mode. We also propose and analyse a novel Level 2 detection scheme that relies only upon anomalies observable at Level 2, i.e. CRC failures and idle-fill flag errors. Our results suggest that Level 2 schemes that perform as well as Level 1 schemes are possible.     

Stochastic game theoretical model for packet forwarding in relay networks

In this article, a new game theoretical method is proposed to model packet forwarding in relay networks. A simple case of relay network that consists of a source, a relay and a destination node communicating on a common channel is considered. A stationary Markovian game model is utilized to optimize the system performance in terms of throughput, delay and power consumption cost. Both cooperative and non-cooperative solutions are provided for this model. Best strategy set taken by players as well as system performance is studied for different system parameters. Also, the proposed method is extended to model a more general case of Ad-hoc networks considering different packet error rates in case of collision occurrence that improves the system performance further. Simulation results show that performance of the non-cooperative solution, in which players do not require to know each other’s selected strategy, asymptotically approaches the cooperative system performance. Hence, the proposed model with non-cooperative solution is an appropriate method to apply in practical Ad-hoc networks.