Similar literature
Found 19 similar documents; search took 140 ms
1.
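Based on the characteristics of network worm attacks, an early worm detection system based on failed-connection analysis is proposed. The system detects worms by analyzing in real time how far the distribution of failed-connection traffic deviates from the normal state, and further reduces the false-positive rate of worm detection by analyzing the self-similarity of the set of failed connections. Experimental results from a prototype system show that it can detect unknown types of network worm attacks in real time and analyze the network transmission characteristics of worm scanning and the list of hosts in the network that may be infected. Compared with existing methods, the system is more sensitive to early worm scanning behavior and has a lower false-positive rate.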

2.
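Architecture of a Distributed Intrusion Detection System   Total citations: 3, self-citations: 0, citations by others: 3
Because of the openness of the TCP/IP protocol, today's networks are highly vulnerable to attack. Network intrusions, especially distributed intrusions, cause great harm to the normal operation of networks and hinder the rapid development of the network economy. To detect and trace intrusions effectively, an architecture for an intrusion detection system based on intelligent agents and a distributed tracing algorithm are proposed here. The system is a distributed real-time intrusion detection system composed of intelligent host agents, network agents, and router/gateway agents. Each intelligent agent is an independent entity that has incomplete information or capability for solving the problem; by working cooperatively and using the distributed tracing algorithm, the agents detect network intrusions in real time, trace network intruders, and effectively maintain network security.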

3.
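A home multimedia gateway is the device that enables devices inside the home network to communicate with external devices, and it is the core component of the home network. Through the home multimedia gateway, devices in the home network can exchange information with public networks and with one another. The home multimedia gateway establishes a unified data processing center inside the home, manages the home's internal data, and connects externally to the operator's network. Building on the functions of a traditional gateway and digital television, the intelligent home multimedia gateway uses powerful internal networking to deliver richer functions and multimedia applications.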

4.
刘烃  郑庆华  管晓宏  屈宇  王娜 《通信学报》2007,28(12):72-77
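Worm propagation prediction is one of the foundations of worm defense, but as worm scanning strategies become increasingly diverse and the structure of the Internet grows more complex, it is becoming more and more difficult to build an accurate worm propagation model promptly in the early stage of an outbreak. Random simulation experiments are used to simulate the propagation behavior of worms in a network; statistical analysis of the simulation results shows that the result of a worm propagation experiment is a random process, while there is a high linear correlation among the experimental results. On this basis, a method for predicting worm propagation trends based on the statistical results of simulation experiments is proposed; the method can accurately predict the worm propagation trend using infection information from 0.1% of the vulnerable hosts.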

5.
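During the transition from IPv4 networks to IPv6 networks, the two network protocols will coexist. A worm with a layered scanning strategy, the dual-stack worm, is studied; it uses a multicast scanning strategy to detect hosts within the local IPv6 subnet and uses random IPv4 address scanning to discover target hosts outside the subnet. Propagation tests in a real network and simulation of the dual-stack worm's propagation behavior in large-scale networks show that the dual-stack worm can spread rapidly in IPv4-IPv6 dual-stack networks.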

6.
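To address the problem that existing multivariate time series (MTS) anomaly detection models based on the variational autoencoder (VAE) cannot propagate long-term dependencies between random variables in the latent space, a stochastic Transformer MTS anomaly detection model (ST-MTS-AD) that combines a Transformer encoder with a VAE is proposed. In the inference network of ST-MTS-AD, the long-term dependency features of the MTS at the current time step produced by the Transformer encoder and the sampled value of the random variable at the previous time step are fed into a multilayer perceptron, which generates the approximate posterior distribution of the random variable at the current time step, realizing temporal dependency between random variables. A gated transition function (GTF) is used to generate the prior distribution of the random variables. The generative network of ST-MTS-AD uses a multilayer perceptron to reconstruct the distribution of MTS values at each time step; the inputs to this multilayer perceptron are the long-term dependency features of the MTS generated by the inference network and the approximate posterior samples of the random variables. ST-MTS-AD learns the distribution of the normal MTS sample set using variational inference and identifies anomalous MTS segments by the log-likelihood of the reconstruction probability. Experiments on 4 public datasets show that the ST-MTS-AD model clearly improves the F1 score over typical related baseline models.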

7.
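Research on a Netflow-Based Worm Attack Detection Method   Total citations: 1, self-citations: 1, citations by others: 0
Based on an analysis of how Netflow works and of the behavioral characteristics of worm attacks, this paper proposes a Netflow-based worm detection method. The traffic-anomaly and feature-anomaly detection modules of the detection algorithm were implemented in code, and a corresponding experimental environment was built. By simulating the network behavior during a RedCode worm outbreak, the experimental results show that the method can detect common worms quickly and accurately, and can also extract features of and give early warning for new worms.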

8.
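Analysis of the Adversarial Propagation Characteristics of P2P Network Worms Based on Stochastic Process Algebra   Total citations: 3, self-citations: 0, citations by others: 3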
严博  吴晓平  廖巍  李凤华 《电子学报》2012,40(2):293-299
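Studying the characteristics of benign worms and malicious worms during adversarial propagation in P2P networks can provide a scientific basis for formulating sound worm countermeasure strategies. A method for modeling and analyzing the adversarial propagation of P2P network worms based on stochastic process algebra is proposed. First, the adversarial interactions between worms during propagation and the state transitions of network nodes are analyzed. Then, PEPA syntax is used to build stochastic process algebra models of the initial propagation stage of the malicious worm and of the worm confrontation stage. Finally, the fluid approximation method of stochastic process algebra is used to derive a system of differential equations describing the worm propagation characteristics, and the adversarial propagation characteristics of P2P worms are obtained by solving these equations. Experimental results show that benign worms can effectively contain the spread of malicious worms in P2P networks, but a scientific propagation strategy must be formulated according to current network conditions to reduce the impact of the benign worm's own propagation on network performance.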

9.
邵晓凌 《通信技术》2007,40(12):357-360
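An ad hoc network is a mobile network without the support of wired infrastructure. It differs from the Internet in many ways, not only in network topology but also in communication mode, so interconnecting the two is a challenging problem. For an ad hoc network node to connect to the Internet, it must find an Internet gateway; how to discover and maintain a connection to a gateway, and how to switch to a more suitable neighboring gateway, are the key to this problem. Building on the proactive, reactive, and hybrid approaches and on the Hello message mechanism of the AODV routing protocol, this article discusses a new gateway discovery method: a gateway discovery mechanism that uses the Hello message mechanism and is obtained by improving how gateways and nodes process Hello messages. Simulation results show that, in certain network environments, it can basically meet the needs of ad hoc access to the Internet.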

10.
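NAT-PT is a key technology for IP network transition. This paper proposes a method of implementing NAT-PT on the IXP2400 network processor, analyzes the software and hardware architecture of the IXP2400 network processor in detail, and describes the data processing, mapping-table management, internal inter-module communication mechanism, and application-layer gateway implementation involved in implementing NAT-PT.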

11.
Internet worm is harmful to network security, and it has become a research hotspot in recent years. A thorough survey on the propagation models and defense techniques of Internet worm is made in this paper. We first give its strict definition and discuss the working mechanism. We then analyze and compare some representative worm propagation models proposed in recent years, such as K-M model, two-factor model, worm-anti-worm model (WAW), firewall-based model, quarantine-based model and hybrid benign worm-based model, etc. Some typical defense techniques such as virtual honeypot, active worm prevention and agent-oriented worm defense, etc., are also discussed. The future direction of the worm defense system is pointed out.

12.
In defending against various network attacks, such as distributed denial-of-service (DDoS) attacks or worm attacks, a defense system needs to deal with various network conditions and dynamically changing attacks. Therefore, a good defense system needs to have a built-in “adaptive defense” functionality based on cost minimization—adaptively adjusting its configurations according to the network condition and attack severity in order to minimize the combined cost introduced by false positives (misidentify normal traffic as attack) and false negatives (misidentify attack traffic as normal) at any time. In this way, the adaptive defense system can generate fewer false alarms in normal situations or under light attacks with relaxed defense configurations, while protecting a network or a server more vigorously under severe attacks. In this paper, we present concrete adaptive defense system designs for defending against two major network attacks: SYN flood DDoS attack and Internet worm infection. The adaptive defense is a high-level system design that can be built on various underlying nonadaptive detection and filtering algorithms, which makes it applicable for a wide range of security defenses.

13.
刘飞扬  李坤  宋飞  周华春 《电信科学》2021,37(11):17-32
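To address the lack of research on knowledge bases for distributed denial of service (DDoS) network attacks, a method for constructing a knowledge base of DDoS attack malicious behavior is proposed. The knowledge base is built on a knowledge graph and consists of two parts, a malicious traffic detection base and a network security knowledge base: the malicious traffic detection base detects and classifies the malicious traffic caused by DDoS attacks; the network security knowledge base models DDoS attack malicious behavior in terms of traffic features and attack frameworks, and performs inference, tracing, and feedback on malicious behavior. On this basis, a distributed knowledge base is built on the DDoS open threat signaling (DOTS) protocol, implementing data transmission between distributed nodes, DDoS attack defense, and malicious traffic mitigation. Experimental results show that the DDoS attack malicious behavior knowledge base can effectively detect and mitigate malicious traffic caused by DDoS attacks at multiple gateways, supports knowledge updating and inference between distributed knowledge bases, and shows good scalability.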

14.
冯朝胜  秦志光  罗王平  刘霞  袁丁 《电子学报》2016,44(7):1702-1707
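The attack mechanism of P2P triggered active worms is studied, and it is found that the propagation of this type of worm usually comprises four stages: information collection, attack penetration, self-propulsion, and intervention activation. Based on the analysis of the attack mechanism of P2P triggered active worms and using epidemiological theory, a mathematical model of P2P triggered active worm propagation is proposed, and from this model a sufficient condition for worm propagation to reach the worm-free equilibrium state is derived. Simulation experiments verify the validity of the proposed propagation model.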

15.
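Distributed Worm Traffic Detection Technology   Total citations: 2, self-citations: 0, citations by others: 2
The propagation characteristics of network worms and existing detection methods are analyzed. For slow-spreading worms, a detection algorithm based on anomalous-traffic propagation sequences is proposed, and a distributed system architecture is used to combine the detection results of multiple subnets, further improving detection accuracy. Simulation experiments show that the algorithm can, based on traffic characteristics, detect the propagation behavior of a slow-spreading worm at an early stage and obtain the network protocol and target port used for propagation.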

16.
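Distributed denial of service (DDoS) attacks are highly destructive to networks and seriously affect the normal operation of live networks. Although traffic scrubbing systems for DDoS have been deployed in live networks, low-volume attacks are harder to perceive than flood-type attacks and therefore cannot be scrubbed effectively. This paper analyzes the principles of low-volume DDoS attacks in networks and the current state of defense against them, and proposes a resource-awareness-based defense method against low-volume DDoS attacks.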

17.
It is commonly believed that the IPv6 protocol can provide good protection against network worms that try to find victims through random address scanning due to its huge address space. However, we discover that there is serious vulnerability in terms of worm propagation in IPv6 and IPv4-IPv6 dual-stack networks. It is shown in this article that a new worm can collect the IPv6 addresses of all running hosts in a local subnet very quickly, leading to accelerated worm propagation. Similar to modeling the self-replicating behaviors of biological viruses, a Species-Patch model and a discrete-time simulator are developed to study how the dual-stack worm spreads in networks with various topologies. It is shown that the worm could propagate in the IPv6 and IPv4-IPv6 dual-stack networks much faster than in the current IPv4 Internet. Several effective defense strategies focusing on network deployment are proposed.

18.
Wireless sensor networks (WSNs) are widely used in large areas of applications; due to advancements in technology, very tiny sensors are readily available, and their usage reduces the cost. The mechanisms designed for wireless networks cannot be implied on networks with tiny nodes due to battery and computational constraints. Understanding the significance of security in WSNs and resource constraintness of tiny WSNs, we propose a node authentication mechanism for nodes in wireless sensor networks to avoid security attacks and establish secure communication between them. In the proposed mechanism, a base station (BS) generates a secret value and random value for each sensor node and stores at the node. The sensor node authenticates using secret value and random number. Random nonce ensures freshness, efficiency, and robustness. The proposed mechanism is lightweight cryptographic, hence requires very less computational, communication, and storage resources. Security analysis of the proposed mechanism could not detect any security attack on it, and the mechanism was found to incur less storage, communication, and computation overheads. Hence, the proposed mechanism is best suitable for wireless sensor networks with tiny nodes.

19.
Security issues of spectrum sensing have drawn a lot of attention in Cognitive radio networks (CRNs). Malicious users can mislead the network to make wrong decision about the states of channels by tampering spectrum sensing data. To defend against Spectrum sensing data falsification (SSDF) attack, we propose a neighbor detection-based spectrum sensing algorithm in distributed CRNs, which can detect attackers with the help of neighbors during spectrum sensing to improve the accuracy of decision making. The proposed scheme can also guarantee the connectivity of the network. Simulation results illustrate that the proposed scheme can defend against SSDF attacks effectively and reach the unified information of spectrum sensing data.
