共查询到20条相似文献,搜索用时 46 毫秒
1.
2.
3.
Modeling and Simulation Study of the Propagation and Defense of Internet E-mail Worms 总被引:5,自引:0,他引:5
Zou C.C. Towsley D. Weibo Gong 《Dependable and Secure Computing, IEEE Transactions on》2007,4(2):105-118
As many people rely on e-mail communications for business and everyday life, Internet e-mail worms constitute one of the major security threats for our society. Unlike scanning worms such as Code Red or Slammer, e-mail worms spread over a logical network defined by e-mail address relationships, making traditional epidemic models invalid for modeling the propagation of e-mail worms. In addition, we show that the topological epidemic models presented by M. Boguna, et al. (2000) largely overestimate epidemic spreading speed in topological networks due to their implicit homogeneous mixing assumption. For this reason, we rely on simulations to study e-mail worm propagation in this paper. We present an e-mail worm simulation model that accounts for the behaviors of e-mail users, including e-mail checking time and the probability of opening an e-mail attachment. Our observations of e-mail lists suggest that an Internet e-mail network follows a heavy-tailed distribution in terms of node degrees, and we model it as a power-law network. To study the topological impact, we compare e-mail worm propagation on power-law topology with worm propagation on two other topologies: small-world topology and random-graph topology. The impact of the power-law topology on the spread of e-mail worms is mixed: E-mail worms spread more quickly on a power-law topology than on a small-world topology or a random-graph topology, but immunization defense is more effective on a power-law topology. 相似文献
4.
Internet worms are a significant security threat. Divide-conquer scanning is a simple yet effective technique that can potentially be exploited for future Internet epidemics. Therefore, it is imperative that defenders understand the characteristics of divide-conquer-scanning worms and study the effective countermeasures. In this work, we first examine the divide-conquer-scanning worm and its potential to spread faster and stealthier than a traditional random-scanning worm. We then characterize the relationship between the propagation speed of divide-conquer-scanning worms and the distribution of vulnerable hosts through mathematical analysis and simulations. Specifically, we find that if vulnerable hosts follow a non-uniform distribution such as the Witty-worm victim distribution, divide-conquer scanning can spread a worm much faster than random scanning. We also empirically study the effect of important parameters on the spread of divide-conquer-scanning worms and a worm variant that can potentially enhance the infection ability at the late stage of worm propagation. Furthermore, to counteract such attacks, we discuss the weaknesses of divide-conquer scanning and study two defense mechanisms: infected-host removal and active honeynets. We find that although the infected-host removal strategy can greatly reduce the number of final infected hosts, active honeynets (especially uniformly distributed active honeynets) are more practical and effective to defend against divide-conquer-scanning worms. 相似文献
5.
Markos Avlonitis Emmanouil Magkos Michalis Stefanidakis Vassilis Chrissikopoulos 《Journal in Computer Virology》2009,5(4):357-364
A network worm is a specific type of malicious software that self propagates by exploiting application vulnerabilities in
network-connected systems. Worm propagation models are mathematical models that attempt to capture the propagation dynamics
of scanning worms as a means to understand their behaviour. It turns out that the emerged scalability in worm propagation
plays an important role in order to describe the propagation in a realistic way. On the other hand human-based countermeasures
also drastically affect the propagation in time and space. This work elaborates on a recent propagation model (Avlonitis et
al. in J Comput Virol 3, 87–92, 2007) that makes use of Partial Differential Equations in order to treat correctly scalability
and non-uniform behaviour (e.g., local preference worms). The aforementioned gradient model is extended in order to take into
account human-based countermeasures that influence the propagation of local-preference worms in the Internet. Certain aspects
of scalability emerged in random and local preference strategies are also discussed by means of random field considerations.
As a result the size of a critical network that needs to be studied in order to describe the global propagation of a scanning
worm is estimated. Finally, we present simulation results that validate the proposed analytical results and demonstrate the
higher propagation rate of local preference worms compared with random scanning worms. 相似文献
6.
The Internet is crucial to business, government, education and many other facets of society, but the easy access and wide usage of the most common network services make it a primary target for the propagation of viral infections or worms. It has been widely experienced that the massive worldwide spreading of very fast and aggressive worms may easily disrupt or damage the connectivity of large sections of the Internet, affecting millions of users. Classical containment strategies, based on manual application of traffic filters will be almost totally ineffective in the wide area. Consequently, developing an automated self-distributing containment strategy is the most viable way to defeat the worm propagation in an acceptable time The objective of our work is to develop a distributed and cooperative containment strategy based on having traffic filtering information dynamically disseminate throughout the network at a speed that is faster than (or at least comparable with) the propagation of worms. Our framework based on BGP extensions to distribute traffic filtering information has the advantage of using the existing infrastructure and inter-as communication channels. We envision that the above solution will be one of the most effective and challenging lines of defense against next-generation more aggressive worms. 相似文献
7.
研究网络安全问题,网络蠕虫是当前网络安全的重要威胁。网络蠕虫传播途径多样化、隐蔽性强、感染速度快等特点。蠕虫模型以简单传染病模型进行传播,无法准确描述网络蠕虫复杂变化特点,网络蠕虫检测正确率比较低。为了提高网络蠕虫检测正确率,提出一种改进的网络蠕虫传播模型。在网络蠕虫传播模型引入动态隔离策略,有效切断网络蠕虫传播途径,采用自适应的动态感染率和恢复率,降低网络蠕虫造成的不利影响。仿真结果表明,相对于经典网络蠕虫传播模型,改进模型有效地加低了网络蠕虫的传播速度,提高网络蠕虫检测正确率和整个网络安全性,为网络蠕虫传播研究提供重要指导。 相似文献
8.
针对传统蠕虫传播模型无法准确预测基于搜索引擎的蠕虫的传播问题,在IPv6网络环境下构建了一种基于搜索引擎的蠕虫-V6.MAMWorm,并在分层扫描策略的基础上提出了一种混合智能算法.在本地应用子网内扫描策略,在子网间应用搜索引擎扫描策略,从而建立了一种新型的蠕虫传播模型(multi-tierarchitecturemodel,MAM).仿真结果表明,V6-MAM-Worm在IPv6网络中具有更快的传播速度,其将对IPv6网络的安全性带来巨大的威胁. 相似文献
9.
Benign worms have been attracting wide attention in the field of worm research due to the proactive defense against the worm propagation and patch for the susceptible hosts. In this paper, two revised Worm?CAnti-Worm (WAW) models are proposed for cloud-based benign worm countermeasure. These Re-WAW models are based on the law of worm propagation and the two-factor model. One is the cloud-based benign Re-WAW model to achieve effective worm containment. Another is the two-stage Re-WAW propagation model, which uses proactive and passive switching defending strategy based on the ratio of benign worms to malicious worms. This model intends to avoid the network congestion and other potential risks caused by the proactive scan of benign worms. Simulation results show that the cloud-based Re-WAW model significantly improves the worm propagation containment effect. The cloud computing technology enables rapid delivery of massive initial benign worms, and the two stage Re-WAW model gradually clears off the benign worms with the containment of the malicious worms. 相似文献
10.
11.
Studies of worm outbreaks have found that the speed of worm propagation makes manual intervention ineffective. Consequently, many automated containment mechanisms have been proposed to contain worm outbreaks before they grow out of control. These containment systems, however, only provide protection for hosts within networks that implement them. Such a containment strategy requires complete participation to protect all vulnerable hosts. Moreover, collaborative containment systems, where participants share alert data, face a tension between resilience to false alerts and quick reaction to worm outbreaks.This paper suggests an alternative approach where an autonomous system in an internetwork, such as the Internet, protects not only its local hosts, but also all hosts that route traffic through it, which we call internetwork-centric containment. Additionally, we propose a novel reputation-based alerting mechanism to provide fast dissemination of infection information while maintaining the fairness of the system. Through simulation studies, we show that the combination of internetwork-centric containment and reputation-based alerting is able to contain an extremely virulent worm with relatively little participation in the containment system. In comparison to other collaborative containment systems, ours provides better protection against worm outbreaks and resilience to false alerts. 相似文献
12.
13.
杨昱 《网络安全技术与应用》2013,(12):83-84
随着网络系统应用及其复杂性的增加,网络蠕虫已成为网络安全的主要威胁之一。目前的蠕虫传播速度如此之快使得单纯依靠人工手段已无法抑制蠕虫的爆发。本文首先介绍了蠕虫的相关概念,然后详细介绍了当前蠕虫检测的关键技术,最后给出了蠕虫检测技术的总结和展望。 相似文献
14.
Contagion蠕虫传播仿真分析 总被引:2,自引:0,他引:2
Contagion 蠕虫利用正常业务流量进行传播,不会引起网络流量异常,具有较高的隐蔽性,逐渐成为网络安全的一个重要潜在威胁.为了能够了解Contagion蠕虫传播特性,需要构建一个合适的仿真模型.已有的仿真模型主要面向主动蠕虫,无法对Contagion蠕虫传播所依赖的业务流量进行动态模拟.因此,提出了一个适用于Contagion蠕虫仿真的Web和P2P业务流量动态仿真模型,并通过选择性抽象,克服了数据包级蠕虫仿真的规模限制瓶颈,在通用网络仿真平台上,实现了一个完整的Contagion蠕虫仿真系统.利用该系统,对Contagion蠕虫传播特性进行了仿真分析.结果显示:该仿真系统能够有效地用于Contagion蠕虫传播分析. 相似文献
15.
A spatial stochastic model for worm propagation: scale effects 总被引:1,自引:0,他引:1
Markos Avlonitis Emmanouil Magkos Michalis Stefanidakis Vassilis Chrissikopoulos 《Journal in Computer Virology》2007,3(2):87-92
Realistic models for worm propagation in the Internet have become one of the major topics in the academic literature concerning
network security. In this paper, we propose an evolution equation for worm propagation in a very small number of Internet
hosts, hereinafter called a subnet and introduce a generalization of the classical epidemic model by including a second order
spatial term which models subnet interactions. The corresponding gradient coefficient is a measure of the characteristic scale
of interactions and as a result a novel scale approach for understanding the evolution of worm population in different scales,
is considered. Results concerning random scan strategies and local preference scan worms are presented. A comparison of the
proposed model with simulation results is also presented. Based on our model, more efficient monitoring strategies could be
deployed. 相似文献
16.
Min Cai Kai Hwang Jianping Pan Papadopoulos C. 《Dependable and Secure Computing, IEEE Transactions on》2007,4(2):88-104
Fast and accurate generation of worm signatures is essential to contain zero-day worms at the Internet scale. Recent work has shown that signature generation can be automated by analyzing the repetition of worm substrings (that is, fingerprints) and their address dispersion. However, at the early stage of a worm outbreak, individual edge networks are often short of enough worm exploits for generating accurate signatures. This paper presents both theoretical and experimental results on a collaborative worm signature generation system (WormShield) that employs distributed fingerprint filtering and aggregation over multiple edge networks. By analyzing real-life Internet traces, we discovered that fingerprints in background traffic exhibit a Zipf-like distribution. Due to this property, a distributed fingerprint filtering reduces the amount of aggregation traffic significantly. WormShield monitors utilize a new distributed aggregation tree (DAT) to compute global fingerprint statistics in a scalable and load-balanced fashion. We simulated a spectrum of scanning worms including CodeRed and Slammer by using realistic Internet configurations of about 100,000 edge networks. On average, 256 collaborative monitors generate the signature of CodeRedl-v2 135 times faster than using the same number of isolated monitors. In addition to speed gains, we observed less than 100 false signatures out of 18.7-Gbyte Internet traces, yielding a very low false-positive rate. Each monitor only generates about 0.6 kilobit per second of aggregation traffic, which is 0.003 percent of the 18 megabits per second link traffic sniffed. These results demonstrate that the WormShield system offers distinct advantages in speed gains, signature accuracy, and scalability for large-scale worm containment. 相似文献
17.
一种基于门限签名的可靠蠕虫特征产生系统 总被引:3,自引:0,他引:3
蠕虫特征产生系统是一种利用大量的、分布式部署在Internet的监控器共同协作,从而产生和发布有效的蠕虫特征的新型安全系统.该系统产生的蠕虫特征可以配置到防火墙或者路由器中以遏制蠕虫的传播.虽然它是一项比较有效的对抗蠕虫的安全技术,但是其自身存在一些严重的安全问题,特别是当一个或者少数几个系统节点被黑客控制后,它们可能被利用来阻碍系统产生蠕虫特征,篡改系统发布的特征甚至误导系统发布虚假的特征,这些都会严重影响系统产生特征的可靠性.针对现有系统存在的问题,作者提出了一种基于门限签名的可靠蠕虫特征产生系统,它通过数字签名技术保证系统产生的蠕虫特征是可验证的,同时,为了避免单点失效和提供高可靠性,作者利用一种改进的双层门限签名机制来产生签名.可靠性分析表明,新系统能够抵抗攻击者对部分系统节点的各种形式的攻击,在可靠性上优于现有的主流蠕虫特征产生系统. 相似文献
18.
对等网络蠕虫利用对等网络的固有特征(如本地路由表、应用层路由等),不仅复制快,而且提供了更好的隐蔽性和传播性,因而其危害大,防御困难。从分析互联网蠕虫及其传播机制入手,对对等网络上的蠕虫(即P2P蠕虫)及其特殊性进行了综合分析。在此基础之上,提出了基于良性益虫的被动激活主动传播防御策略(PAIFDP),并对该策略的技术原理和响应防御系统的功能模块等进行了详细设计。以Peersim仿真平台为基础,对各种不同网络参数下的防御效果和资源消耗情况进行了实验分析。结果表明,基于良性益虫的P2P蠕虫防御技术具有收敛时间快、网络资源消耗少、适应性强等特点。 相似文献
19.
20.
Yu YaoAuthor Vitae Lei GuoAuthor Vitae Hao GuoAuthor Vitae Ge YuAuthor Vitae Fu-xiang GaoAuthor Vitae Xiao-jun TongAuthor Vitae 《Computers & Electrical Engineering》2012,38(5):1047-1061
Worms can spread throughout the Internet very quickly and are a great security threat. Constant quarantine strategy is a defensive measure against worms, but its reliability in current imperfect intrusion detection systems is poor. A pulse quarantine strategy is thus proposed in the current study. The pulse quarantine strategy adopts a hybrid intrusion detection system with both misuse and anomaly detection. Through analysis of corresponding worm propagation models, its stability condition is obtained: when the basic reproduction number is less than one, the model is stable at its infection-free periodic equilibrium point where worms get eliminated. Numerical and simulation experiments show that constant quarantine strategy is inefficient because of its high demand on the patching rate at “birth”, whereas the pulse quarantine strategy can lead to worm elimination with a relatively low value. As patching almost all hosts in the actual network is difficult, the pulse quarantine strategy is more effective in worm elimination. 相似文献