蠕虫在P2P网络中的传播研究

P2P蠕虫是利用P2P机制进行传播的恶意代码。通过P2P节点的共享列表,蠕虫很容易获得攻击目标的信息,所以其爆发时传播速度很快,这种大量的快速传播导致的直接后果是网络阻塞。该文分析蠕虫在P2P网络中的传播原理,在经典病毒传播模型基础上提出了考虑带宽及治愈响应起始时间因素的蠕虫传播模型,从带宽饱和与阻塞两个方面分析带宽对蠕虫传播的影响,在此基础上分析了蠕虫的防御措施。通过模拟实验,该模型能够较真实地描述蠕虫大规模爆发时引起带宽拥塞的情况。     

离散时间下混合型良性蠕虫的建模仿真分析

为了更好地刻画良性蠕虫的传播过程,采用了离散时间模型。在离散时间下,考虑恶性蠕虫和良性蠕虫传播对网络的影响,对混合型良性蠕虫的传播过程进行分析和数学建模,通过仿真验证传播模型,并引入泰勒公式对关键参数进行分析比较。理论分析和仿真实验表明,在混合型良性蠕虫释放时间和网络性能一定的条件下,存在一个临界值使得切换时间最佳,而网络敏感度足够小时,不同的切换时间对感染类主机数量的变化几乎没有影响。     

Defending against the propagation of active worms

Active worms propagate across networks by employing the various target discovery techniques. The significance of target discovery techniques in shaping a worm’s propagation characteristics is derived from the life cycle of a worm. The various target discovery techniques that could be employed by active worms are discussed. It is anticipated that future active worms would employ multiple target discovery techniques simultaneously to greatly accelerate their propagation. To accelerate a worm’s propagation, the slow start phase in the worm’s propagation must be shortened by letting the worm infect the first certain percentage of susceptible hosts as soon as possible. Strategies that future active worms might employ to shorten the slow start phase in their propagation are studied. Their respective cost-effectiveness is assessed. A novel active defense mechanism is proposed, which could be an emerging solution to the active worm problem. Our major contributions in this article are first, we found the combination of target discovery techniques that can best accelerate the propagation of active worms; second, we proposed several strategies to shorten a worm’s slow start phase in its propagation and found the cost-effective hit-list size and average size of internally generated target lists; third, we proposed a novel active defense mechanism and evaluated its effectiveness; and fourth, we proposed three novel discrete time deterministic propagation models of active worms.     

Modeling and analyzing of the interaction between worms and antiworms during network worm propagation

Interaction of antiworms with a worm population of e.g. hosts of worm infected and hosts of antiworm infected must be considered as a dynamic process. This study is an attempt for the first time to understand how introduction of antiworm affects the dynamic of network worm propagation. In this paper, we create a mathematical model (SIAR model) using ordinary differential equations to describe the interaction of worms and antiworms. Although idealized, the model demonstrates how the combination of a few proposed nonlinear interaction rules between antiworms and worms is able to generate a considerable variety of different kinds of responses. Taking the Blaster and Nachi worms as an example, we give a brief analysis for designing a practical antiworm system. To the best of our knowledge, there is no model for the spread of an antiworm that employs the passive scan and the finite lifetime and we believe that this is the first attempt on understanding the interaction between worms and antiworms.     

基于免疫主机的蠕虫非线性传播新模型优化

基于Two-Factor传播模型提出了一种新的QSIRV传播模型,该模型更合理地考虑了被免疫主机的失效性。通过仿真得出,QSIRV模型较Two-Factor模型能够更好地描述蠕虫的传播规律以及传播过程中网络流量和蠕虫流量之间的相互影响,尤其是对免疫后的主机数目变化的仿真更是符合实际情况,同时考虑了已隔离、免疫及被感染主机的数量的影响以及人们对蠕虫传播的警惕性的提高。对QSIRV模型进行了进一步的改进。仿真结果验证,改进后的模型可以更快地遏制蠕虫传播。     

基于动态检测隔离机制的网络蠕虫传播模型与分析

提出一种基于动态检测隔离机制的通用网络蠕虫传播模型,该模型定义了蠕虫在隔离阶段的可疑状态,显式地刻画了蠕虫动态检测隔离过程;并利用动态蠕虫感染率和动态主机移除率、主机自动免疫率分别描述了蠕虫传播造成的网络拥塞现象和人类在对抗蠕虫病毒过程中的主观能动性.分析表明,基于动态检测隔离机制系统可有效降低蠕虫传播速度,减少被感染主机数,延迟蠕虫传播峰值出现的时间.     

Characterizing and defending against divide-conquer-scanning worms

Internet worms are a significant security threat. Divide-conquer scanning is a simple yet effective technique that can potentially be exploited for future Internet epidemics. Therefore, it is imperative that defenders understand the characteristics of divide-conquer-scanning worms and study the effective countermeasures. In this work, we first examine the divide-conquer-scanning worm and its potential to spread faster and stealthier than a traditional random-scanning worm. We then characterize the relationship between the propagation speed of divide-conquer-scanning worms and the distribution of vulnerable hosts through mathematical analysis and simulations. Specifically, we find that if vulnerable hosts follow a non-uniform distribution such as the Witty-worm victim distribution, divide-conquer scanning can spread a worm much faster than random scanning. We also empirically study the effect of important parameters on the spread of divide-conquer-scanning worms and a worm variant that can potentially enhance the infection ability at the late stage of worm propagation. Furthermore, to counteract such attacks, we discuss the weaknesses of divide-conquer scanning and study two defense mechanisms: infected-host removal and active honeynets. We find that although the infected-host removal strategy can greatly reduce the number of final infected hosts, active honeynets (especially uniformly distributed active honeynets) are more practical and effective to defend against divide-conquer-scanning worms.     

MIPv4网络中的蠕虫传播模型

基于MIPv4网络环境,构建一种新型蠕虫——MIPv4-Worm,给出MIPv4节点接触频率的计算方法,对MIPv4网络中蠕虫的传播策略进行了分析和研究,建立MIPv4网络蠕虫传播模型(MWM)。该模型显示了各参数对蠕虫传播的影响。MIPv4-Worm传播的仿真实验表明,该模型较好地模拟了MIPv4网络中蠕虫的传播规律,为采取有效措施防止MIPv4中蠕虫的大范围传播提供了理论依据。     

非均匀随机扫描的蠕虫离散传播模型

为进一步提高蠕虫传播效率,深入研究了非均匀扫描策略,建立了非均匀随机扫描的蠕虫传播模型,在此基础上从已感染主机免疫率、易感染主机免疫率、主机扫描数三个角度定量地分析了非均匀随机扫描策略下网络蠕虫的传播效率,得到在非均匀扫描模式下主机总体感染率峰值可达0.8以上,达到峰值提前近1000s,抑制过半延迟近2000s。最后通过模拟实验验证了非均匀随机扫描模型具有更高的蠕虫传播效率。     

基于常数输入的蠕虫传播模型及其分析

针对蠕虫病毒提出了易感主机有常数输入并具有标准传染率的SIRS传播模型,考虑蠕虫病毒在传播期间主机总数的动态变化性,应用微分方程定性与稳定性理论对该模型进行分析, 讨论了不同因素对蠕虫病毒控制的影响。并利用Abilene网络分析了网络拓扑对病毒传播速率的影响。最后,通过CAIDA提供的蠕虫数据对该模型进行了检验。     

Treating scalability and modelling human countermeasures against local preference worms via gradient models

A network worm is a specific type of malicious software that self propagates by exploiting application vulnerabilities in network-connected systems. Worm propagation models are mathematical models that attempt to capture the propagation dynamics of scanning worms as a means to understand their behaviour. It turns out that the emerged scalability in worm propagation plays an important role in order to describe the propagation in a realistic way. On the other hand human-based countermeasures also drastically affect the propagation in time and space. This work elaborates on a recent propagation model (Avlonitis et al. in J Comput Virol 3, 87–92, 2007) that makes use of Partial Differential Equations in order to treat correctly scalability and non-uniform behaviour (e.g., local preference worms). The aforementioned gradient model is extended in order to take into account human-based countermeasures that influence the propagation of local-preference worms in the Internet. Certain aspects of scalability emerged in random and local preference strategies are also discussed by means of random field considerations. As a result the size of a critical network that needs to be studied in order to describe the global propagation of a scanning worm is estimated. Finally, we present simulation results that validate the proposed analytical results and demonstrate the higher propagation rate of local preference worms compared with random scanning worms.     

基于失败连接流量偏离度的蠕虫早期检测方法

通过分析网络蠕虫攻击的特点，定义了能够反映蠕虫攻击特征的失败连接流量偏离度（FCFD）的概念，并提出了一种基于FCFD时间序列分析的蠕虫早期检测方法。该方法利用小波变换对FCFD时间序列进行多尺度分析，利用高频分量模极大值进行奇异点检测，从而发现可能的蠕虫攻击。同时给出了一种基于失败连接分析的蠕虫感染主机定位和蠕虫扫描特征提取方法。实验结果显示，该方法能够有效检测未知蠕虫的攻击。和已有方法相比，该方法具有更高的检测效率和更低的误报率。     

大规模蠕虫在线追踪培养皿

提出了一个用于反向追踪大规模网络蠕虫传播的虚拟实验环境，能够用于网络蠕虫检测和防御实验。实验环境使用虚拟机技术，虚拟大量主机和网络设备参加，尽量符合网络实际。在可控的范围内，使用真实的感染代码引发大规模蠕虫的爆发，观测蠕虫的传播过程。实验环境中可以发现蠕虫的传播特性，实时收集网络蠕虫的流量数据和感染过程。     

基于SEIPQR模型的工控蠕虫防御策略

随着社会的发展和技术的进步,计算机病毒也发生了进化,变得越来越复杂,越来越隐蔽。其中蠕虫病毒更是最早的计算机病毒发展进化成为可以在工控系统上感染并进行传播的工控蠕虫病毒,极大影响工业生产的安全。单一的网络隔离或者打补丁免疫,已经跟不上蠕虫病毒的传播速度。针对该现状,分析蠕虫病毒在工控系统上的传播方式以及特点,在原有网络隔离和补丁的基础上提出一种针对工控蠕虫的防御策略,以达到有效防御蠕虫病毒的目的。该防御策略基于传染病模型的基本思想提出了一个模拟蠕虫传播趋势的数学模型SEIPQR。该模型包含易感染（susceptible）状态、暴露（exposed）状态、打补丁（patched）状态、感染（infected）状态、隔离（quarantine）状态以及免疫（recovered）状态6种状态,创建模型的6种状态转换图,对状态转换图得到微积分方程组,在系统设备数量一定的情况下,对方程组进行变换,通过求解基本再生数R0的方法对方程组进行求解,并分析当暴露主机和感染主机的数量为0时模型的6种方程表达式,根据Routh-Hurwitz准则得出当R0<1时,系统是渐进稳定的;当R0>1时,...     

Pulse quarantine strategy of internet worm propagation: Modeling and analysis

Worms can spread throughout the Internet very quickly and are a great security threat. Constant quarantine strategy is a defensive measure against worms, but its reliability in current imperfect intrusion detection systems is poor. A pulse quarantine strategy is thus proposed in the current study. The pulse quarantine strategy adopts a hybrid intrusion detection system with both misuse and anomaly detection. Through analysis of corresponding worm propagation models, its stability condition is obtained: when the basic reproduction number is less than one, the model is stable at its infection-free periodic equilibrium point where worms get eliminated. Numerical and simulation experiments show that constant quarantine strategy is inefficient because of its high demand on the patching rate at “birth”, whereas the pulse quarantine strategy can lead to worm elimination with a relatively low value. As patching almost all hosts in the actual network is difficult, the pulse quarantine strategy is more effective in worm elimination.     

网络蠕虫传播模型的分析与仿真研究

研究网络安全问题,网络蠕虫是当前网络安全的重要威胁。网络蠕虫传播途径多样化、隐蔽性强、感染速度快等特点。蠕虫模型以简单传染病模型进行传播,无法准确描述网络蠕虫复杂变化特点,网络蠕虫检测正确率比较低。为了提高网络蠕虫检测正确率,提出一种改进的网络蠕虫传播模型。在网络蠕虫传播模型引入动态隔离策略,有效切断网络蠕虫传播途径,采用自适应的动态感染率和恢复率,降低网络蠕虫造成的不利影响。仿真结果表明,相对于经典网络蠕虫传播模型,改进模型有效地加低了网络蠕虫的传播速度,提高网络蠕虫检测正确率和整个网络安全性,为网络蠕虫传播研究提供重要指导。     

DAW: A Distributed Antiworm System

A worm automatically replicates itself across networks and may infect millions of servers in a short period of time. It is conceivable that the cyberterrorists may use a widespread worm to cause major disruption to the Internet economy. Much recent research concentrates on propagation models and early warning, but the defense against worms is largely an open problem. We propose a distributed antiworm architecture (DAW) that automatically slows down or even halts the worm propagation within an Internet service provider (ISP) network. New defense techniques are developed based on the behavioral difference between normal hosts and worm-infected hosts. Particularly, a worm-infected host has a much higher connection-failure rate when it randomly scans the Internet. This property allows DAW to set the worms apart from the normal hosts. We propose a temporal rate-limit algorithm and a spatial rate-limit algorithm, which makes the speed of worm propagation configurable by the parameters of the defense system. The effectiveness of the new techniques is evaluated analytically and by simulations.     

Deformable Model Fitting by Regularized Landmark Mean-Shift

Deformable model fitting has been actively pursued in the computer vision community for over a decade. As a result, numerous approaches have been proposed with varying degrees of success. A class of approaches that has shown substantial promise is one that makes independent predictions regarding locations of the model’s landmarks, which are combined by enforcing a prior over their joint motion. A common theme in innovations to this approach is the replacement of the distribution of probable landmark locations, obtained from each local detector, with simpler parametric forms. In this work, a principled optimization strategy is proposed where nonparametric representations of these likelihoods are maximized within a hierarchy of smoothed estimates. The resulting update equations are reminiscent of mean-shift over the landmarks but with regularization imposed through a global prior over their joint motion. Extensions to handle partial occlusions and reduce computational complexity are also presented. Through numerical experiments, this approach is shown to outperform some common existing methods on the task of generic face fitting.     

Generation of view dependent models using free form deformation

We present a scheme which, given two 3D geometric models, creates a third, synergetic model with resemblance to one input model from one viewing direction and the other input model from another, orthogonal, viewing direction. Our scheme automatically calculates the necessary constraints needed to deform the first model’s silhouette into the second model’s in 2D, and creates a 3D deformation function based on these constraints while minimizing the object’s distortion in all areas but the silhouette. The motivation of this work stems from the artwork of conceptual artists such as Shigeo Fukuda [9] and Markus Raetz [19].     

Novel Approaches to Probabilistic Neural Networks Through Bagging and Evolutionary Estimating of Prior Probabilities

In this contribution, novel approaches are proposed for the improvement of the performance of Probabilistic Neural Networks as well as the recently proposed Evolutionary Probabilistic Neural Networks. The Evolutionary Probabilistic Neural Network’s matrix of spread parameters is allowed to have different values in each class of neurons, resulting in a more flexible model that fits the data better and Particle Swarm Optimization is also employed for the estimation of the Probabilistic Neural Networks’s prior probabilities of each class. Moreover, the bagging technique is used to create an ensemble of Evolutionary Probabilistic Neural Networks in order to further improve the model’s performance. The above approaches have been applied to several well-known and widely used benchmark problems with promising results.