具有permutation扫描特征的多态蠕虫传播实验仿真*

大部分蠕虫建模工作都是基于相对简单的随机扫描蠕虫,而且蠕虫的形态是相对固定的。随着蠕虫技术的显著提高,在传播方式上出现了较高级的传播方式如permutation扫描,同时出现了能改变蠕虫形态的多态变形技术。为了更好地理解该类型蠕虫的传播特性,首先研究permutation扫描技术,然后构建实验模拟具有permutation扫描特性的多态蠕虫传播。分析当环境中不存在IDS时,各类蠕虫数目和被感染主机的运行情况,当环境中存在IDS时,各参数对多态蠕虫传播过程的影响。最后在仿真的基础上对蠕虫传播的动力学机制进行了总结,对防御方法进行了初步探讨。     

多态蠕虫产生器的设计与实现

为了更好地研究和防御多态蠕虫,在研究多态变形技术的基础上,针对基于缓冲区溢出漏洞进行传播的蠕虫,设计了多态蠕虫产生器。以SQL Slammer蠕虫和ATPhttpd蠕虫作为实例介绍产生器的工作过程。从产生器的设计过程和实例分析可以看出,通过多态处理的蠕虫依旧具有相同字符串序列特征,可以依据这些字符串序列对多态蠕虫进行有效防御。最后对产生器的功能进行测试。测试结果表明,该产生器能够对程序进行有效的多态处理,为多态蠕虫防御和特征自动提取等研究工作提供有效的实验数据。     

网络蠕虫扫描策略和检测技术的研究

随着网络蠕虫的出现,网络的安全性受到极大挑战,许多重要数据遭到破坏和丢失,造成社会财富的巨大浪费,因此,研究网络蠕虫的传播行为和防御策略非常重要。重点研究了网络蠕虫工作机制中的蠕虫扫描和蠕虫检测,介绍了多种扫描策略和检测方法,并给出了各自的优点和不足。随着网络蠕虫复杂性的增加,多态蠕虫已成为新的研究方向。     

一种改进的多态蠕虫特征提取算法

大多数多态蠕虫特征提取方法不能很好地处理噪音,提取出的蠕虫特征无法对多态蠕虫进行有效检测。为此,提出一种改进的多态蠕虫特征提取算法。采用Gibbs算法从包含n条序列(包括k条蠕虫序列)的可疑流量池中提取出蠕虫特征,在识别蠕虫序列的过程中基于color coding技术提高算法的运行效率。仿真实验结果表明,该算法能够减少时间和空间开销,即使可疑池中存在噪音,也能有效地提取多态蠕虫。     

基于彩色编码的多态蠕虫特征自动提取方法

快速而准确地提取蠕虫特征对于有效防御多态蠕虫的传播至关重要,但是目前的特征产生方法在噪音干扰下无法产生正确的蠕虫特征.提出基于彩色编码的特征自动提取算法CCSF(color coding signature finding)来解决有噪音干扰情况下的多态蠕虫特征提取问题.CCSF算法将可疑池中的n条序列分成m组,然后运用彩色编码对每组序列进行特征提取.通过对每组提取出来的特征集合进行过滤筛选,最终产生正确的蠕虫特征.采用多类蠕虫对CCSF算法进行测试,并与其他蠕虫特征提取方法进行比较,结果表明,CCSF算法能够在有噪音干扰的条件下准确地提取出多态蠕虫的特征,该特征不包含碎片,易于应用到IDS(intrusion detection system)中对多态蠕虫进行检测.     

多态蠕虫特征码自动提取算法

针对多态技术下变形蠕虫的特征与自动提取算法的问题, 提出一种多态蠕虫特征描述方法, 并给出特征码自动提取算法. 这种结合了PADS和Polygraph优点的MS-PADS特征提取方法, 能在强噪声下快速提取高质量的多态蠕虫特征, 具有低误报率、检测精度高和通用性好等特点.     

Zero-day攻击多态蠕虫研究与进展

随着计算机网络的不断普及与发展,网络蠕虫已经成为网络系统安全的重要威胁之一。近年来,网络蠕虫又有了新的变化,出现了新的Zero-day攻击多态蠕虫,这种蠕虫采用＂多态＂技术并以＂Zero-day漏洞＂为攻击目标,可在短时间内有效地避开检测系统,成为未来互联网安全的一大隐患。因此,研究Zero-day攻击多态蠕虫及其检测技术是非常必要的。首先论述了Zero-day攻击多态蠕虫的攻击原理,接着对近几年提出的基于网络流过滤和模拟执行检测等方法进行了分析、总结,最后给出一些热点问题及展望。     

多态蠕虫的研究与进展

随着网络系统应用及复杂性的增加,网络蠕虫成为网络系统安全的重要威胁。最近,蠕虫本身又有了新的进展,即多态蠕虫的出现,其通过使用多种变形技术可以很容易地避开现有入侵检测系统的检测,成为未来威胁到互联网络安全的一个重大隐患。目前,针对多态蠕虫的检测技术的研究已经成为现在蠕虫研究的热点。首先综合论述了多态蠕虫本身的结构,然后对近几年针对多态蠕虫的防治技术进行了归纳总结和比较分析,最后给出针对多态网络蠕虫研究的热点问题及展望。     

基于改进蚁群算法的多态蠕虫特征提取

多态蠕虫特征提取是基于特征的入侵检测的难点,快速提取出精确程度更高的多态蠕虫特征对于有效防范蠕虫的快速传播有着重要的作用。针对层次式的多序列匹配(HMSA)算法进行多序列比对的时间效率较低和由迭代方法提取出的特征不够精确等问题,提出了基于改进蚁群算法的多态蠕虫特征提取方法antMSA。该方法首先对蚁群的搜索策略进行了相应的改进,并将改进后的蚁群算法引入到奖励相邻匹配的全局联配(CMENW)算法中,利用蚁群算法快速收敛能力,在全局范围内快速生成较好解,提取出多态蠕虫的特征片段;然后将其转化为标准入侵检测系统(IDS)规则,用于后期防御。实验表明,改进后的蚁群算法能够较好地克服基本蚁群算法的停滞现象,扩大搜索空间,能够有效提高特征提取的效率和质量,降低误报率。     

蠕虫扫描策略和流量模拟方法研究

对蠕虫扫描策略及其传播效率进行了深入分析;并提出了"带宽限制型 部分预定义目标地址列表 基于路由扫描 随机均匀扫描"的快速扫描策略.分析了各种蠕虫传播过程模拟方法和蠕虫流量模拟方法的优劣;并从统计意义上建立了"延迟限制型"蠕虫的周期性突发的扫描流量模型,结合混合层次模拟方法,能够为蠕虫模拟、检测和应对技术提供基础,同时减少了蠕虫模拟的复杂性.     

Modeling and Automated Containment of Worms

Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due to their enormously adverse impact on the Internet. Thus, there is great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms and then extended to preference scanning worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for uniform scanning worms, we are able to 1) provide a precise condition that determines whether the worm spread will eventually stop and 2) obtain the distribution of the total number of hosts that the worm infects. We then extend our results to contain preference scanning worms. Our strategy is based on limiting the number of scans to dark-address space. The limiting value is determined by our analysis. Our automatic worm containment schemes effectively contain both uniform scanning worms and local preference scanning worms, and it is validated through simulations and real trace data to be nonintrusive. We also show that our worm strategy, when used with traditional firewalls, can be deployed incrementally to provide worm containment for the local network and benefit the Internet.     

网络蠕虫的扫描策略分析

网络蠕虫已经严重威胁了网络的安全.为了有效防治网络蠕虫,首要任务必须清楚有什么扫描方法,以及这些扫描方法对蠕虫传播的影响.为此,本文构建了一个基于离散时间的简单蠕虫传播模型,通过对Code Red蠕虫传播的真实数据比较,验证了此模型的有效性.以此模型为基础,详细分析了蠕虫的不同扫描策略,如均匀扫描、目标列表扫描、路由扫描、分治扫描、本地子网、顺序扫描、置换扫描,并给出了相应的模型.     

Treating scalability and modelling human countermeasures against local preference worms via gradient models

A network worm is a specific type of malicious software that self propagates by exploiting application vulnerabilities in network-connected systems. Worm propagation models are mathematical models that attempt to capture the propagation dynamics of scanning worms as a means to understand their behaviour. It turns out that the emerged scalability in worm propagation plays an important role in order to describe the propagation in a realistic way. On the other hand human-based countermeasures also drastically affect the propagation in time and space. This work elaborates on a recent propagation model (Avlonitis et al. in J Comput Virol 3, 87–92, 2007) that makes use of Partial Differential Equations in order to treat correctly scalability and non-uniform behaviour (e.g., local preference worms). The aforementioned gradient model is extended in order to take into account human-based countermeasures that influence the propagation of local-preference worms in the Internet. Certain aspects of scalability emerged in random and local preference strategies are also discussed by means of random field considerations. As a result the size of a critical network that needs to be studied in order to describe the global propagation of a scanning worm is estimated. Finally, we present simulation results that validate the proposed analytical results and demonstrate the higher propagation rate of local preference worms compared with random scanning worms.     

Modeling and Simulation Study of the Propagation and Defense of Internet E-mail Worms

As many people rely on e-mail communications for business and everyday life, Internet e-mail worms constitute one of the major security threats for our society. Unlike scanning worms such as Code Red or Slammer, e-mail worms spread over a logical network defined by e-mail address relationships, making traditional epidemic models invalid for modeling the propagation of e-mail worms. In addition, we show that the topological epidemic models presented by M. Boguna, et al. (2000) largely overestimate epidemic spreading speed in topological networks due to their implicit homogeneous mixing assumption. For this reason, we rely on simulations to study e-mail worm propagation in this paper. We present an e-mail worm simulation model that accounts for the behaviors of e-mail users, including e-mail checking time and the probability of opening an e-mail attachment. Our observations of e-mail lists suggest that an Internet e-mail network follows a heavy-tailed distribution in terms of node degrees, and we model it as a power-law network. To study the topological impact, we compare e-mail worm propagation on power-law topology with worm propagation on two other topologies: small-world topology and random-graph topology. The impact of the power-law topology on the spread of e-mail worms is mixed: E-mail worms spread more quickly on a power-law topology than on a small-world topology or a random-graph topology, but immunization defense is more effective on a power-law topology.