共查询到14条相似文献,搜索用时 103 毫秒
1.
大部分蠕虫建模工作都是基于相对简单的随机扫描蠕虫,而且蠕虫的形态是相对固定的。随着蠕虫技术的显著提高,在传播方式上出现了较高级的传播方式如permutation扫描,同时出现了能改变蠕虫形态的多态变形技术。为了更好地理解该类型蠕虫的传播特性,首先研究permutation扫描技术,然后构建实验模拟具有permutation扫描特性的多态蠕虫传播。分析当环境中不存在IDS时,各类蠕虫数目和被感染主机的运行情况,当环境中存在IDS时,各参数对多态蠕虫传播过程的影响。最后在仿真的基础上对蠕虫传播的动力学机制进行了总结,对防御方法进行了初步探讨。 相似文献
2.
汪洁 《计算机应用与软件》2012,29(7):274-277,291
为了更好地研究和防御多态蠕虫,在研究多态变形技术的基础上,针对基于缓冲区溢出漏洞进行传播的蠕虫,设计了多态蠕虫产生器。以SQL Slammer蠕虫和ATPhttpd蠕虫作为实例介绍产生器的工作过程。从产生器的设计过程和实例分析可以看出,通过多态处理的蠕虫依旧具有相同字符串序列特征,可以依据这些字符串序列对多态蠕虫进行有效防御。最后对产生器的功能进行测试。测试结果表明,该产生器能够对程序进行有效的多态处理,为多态蠕虫防御和特征自动提取等研究工作提供有效的实验数据。 相似文献
3.
4.
5.
快速而准确地提取蠕虫特征对于有效防御多态蠕虫的传播至关重要,但是目前的特征产生方法在噪音干扰下无法产生正确的蠕虫特征.提出基于彩色编码的特征自动提取算法CCSF(color coding signature finding)来解决有噪音干扰情况下的多态蠕虫特征提取问题.CCSF算法将可疑池中的n条序列分成m组,然后运用彩色编码对每组序列进行特征提取.通过对每组提取出来的特征集合进行过滤筛选,最终产生正确的蠕虫特征.采用多类蠕虫对CCSF算法进行测试,并与其他蠕虫特征提取方法进行比较,结果表明,CCSF算法能够在有噪音干扰的条件下准确地提取出多态蠕虫的特征,该特征不包含碎片,易于应用到IDS(intrusion detection system)中对多态蠕虫进行检测. 相似文献
6.
针对多态技术下变形蠕虫的特征与自动提取算法的问题, 提出一种多态蠕虫特征描述方法, 并给出特征码自动提取算法. 这种结合了PADS和Polygraph优点的MS-PADS特征提取方法, 能在强噪声下快速提取高质量的多态蠕虫特征, 具有低误报率、检测精度高和通用性好等特点. 相似文献
7.
随着计算机网络的不断普及与发展,网络蠕虫已经成为网络系统安全的重要威胁之一。近年来,网络蠕虫又有了新的变化,出现了新的Zero-day攻击多态蠕虫,这种蠕虫采用"多态"技术并以"Zero-day漏洞"为攻击目标,可在短时间内有效地避开检测系统,成为未来互联网安全的一大隐患。因此,研究Zero-day攻击多态蠕虫及其检测技术是非常必要的。首先论述了Zero-day攻击多态蠕虫的攻击原理,接着对近几年提出的基于网络流过滤和模拟执行检测等方法进行了分析、总结,最后给出一些热点问题及展望。 相似文献
8.
随着网络系统应用及复杂性的增加,网络蠕虫成为网络系统安全的重要威胁。最近,蠕虫本身又有了新的进展,即多态蠕虫的出现,其通过使用多种变形技术可以很容易地避开现有入侵检测系统的检测,成为未来威胁到互联网络安全的一个重大隐患。目前,针对多态蠕虫的检测技术的研究已经成为现在蠕虫研究的热点。首先综合论述了多态蠕虫本身的结构,然后对近几年针对多态蠕虫的防治技术进行了归纳总结和比较分析,最后给出针对多态网络蠕虫研究的热点问题及展望。 相似文献
9.
多态蠕虫特征提取是基于特征的入侵检测的难点,快速提取出精确程度更高的多态蠕虫特征对于有效防范蠕虫的快速传播有着重要的作用。针对层次式的多序列匹配(HMSA)算法进行多序列比对的时间效率较低和由迭代方法提取出的特征不够精确等问题,提出了基于改进蚁群算法的多态蠕虫特征提取方法antMSA。该方法首先对蚁群的搜索策略进行了相应的改进,并将改进后的蚁群算法引入到奖励相邻匹配的全局联配(CMENW)算法中,利用蚁群算法快速收敛能力,在全局范围内快速生成较好解,提取出多态蠕虫的特征片段;然后将其转化为标准入侵检测系统(IDS)规则,用于后期防御。实验表明,改进后的蚁群算法能够较好地克服基本蚁群算法的停滞现象,扩大搜索空间,能够有效提高特征提取的效率和质量,降低误报率。 相似文献
10.
对蠕虫扫描策略及其传播效率进行了深入分析;并提出了"带宽限制型 部分预定义目标地址列表 基于路由扫描 随机均匀扫描"的快速扫描策略.分析了各种蠕虫传播过程模拟方法和蠕虫流量模拟方法的优劣;并从统计意义上建立了"延迟限制型"蠕虫的周期性突发的扫描流量模型,结合混合层次模拟方法,能够为蠕虫模拟、检测和应对技术提供基础,同时减少了蠕虫模拟的复杂性. 相似文献
11.
Sellke S.H. Shroff N.B. Bagchi S. 《Dependable and Secure Computing, IEEE Transactions on》2008,5(2):71-86
Self-propagating codes, called worms, such as Code Red, Nimda, and Slammer, have drawn significant attention due to their enormously adverse impact on the Internet. Thus, there is great interest in the research community in modeling the spread of worms and in providing adequate defense mechanisms against them. In this paper, we present a (stochastic) branching process model for characterizing the propagation of Internet worms. The model is developed for uniform scanning worms and then extended to preference scanning worms. This model leads to the development of an automatic worm containment strategy that prevents the spread of a worm beyond its early stage. Specifically, for uniform scanning worms, we are able to 1) provide a precise condition that determines whether the worm spread will eventually stop and 2) obtain the distribution of the total number of hosts that the worm infects. We then extend our results to contain preference scanning worms. Our strategy is based on limiting the number of scans to dark-address space. The limiting value is determined by our analysis. Our automatic worm containment schemes effectively contain both uniform scanning worms and local preference scanning worms, and it is validated through simulations and real trace data to be nonintrusive. We also show that our worm strategy, when used with traditional firewalls, can be deployed incrementally to provide worm containment for the local network and benefit the Internet. 相似文献
12.
13.
Markos Avlonitis Emmanouil Magkos Michalis Stefanidakis Vassilis Chrissikopoulos 《Journal in Computer Virology》2009,5(4):357-364
A network worm is a specific type of malicious software that self propagates by exploiting application vulnerabilities in
network-connected systems. Worm propagation models are mathematical models that attempt to capture the propagation dynamics
of scanning worms as a means to understand their behaviour. It turns out that the emerged scalability in worm propagation
plays an important role in order to describe the propagation in a realistic way. On the other hand human-based countermeasures
also drastically affect the propagation in time and space. This work elaborates on a recent propagation model (Avlonitis et
al. in J Comput Virol 3, 87–92, 2007) that makes use of Partial Differential Equations in order to treat correctly scalability
and non-uniform behaviour (e.g., local preference worms). The aforementioned gradient model is extended in order to take into
account human-based countermeasures that influence the propagation of local-preference worms in the Internet. Certain aspects
of scalability emerged in random and local preference strategies are also discussed by means of random field considerations.
As a result the size of a critical network that needs to be studied in order to describe the global propagation of a scanning
worm is estimated. Finally, we present simulation results that validate the proposed analytical results and demonstrate the
higher propagation rate of local preference worms compared with random scanning worms. 相似文献
14.
Modeling and Simulation Study of the Propagation and Defense of Internet E-mail Worms 总被引:5,自引:0,他引:5
Zou C.C. Towsley D. Weibo Gong 《Dependable and Secure Computing, IEEE Transactions on》2007,4(2):105-118
As many people rely on e-mail communications for business and everyday life, Internet e-mail worms constitute one of the major security threats for our society. Unlike scanning worms such as Code Red or Slammer, e-mail worms spread over a logical network defined by e-mail address relationships, making traditional epidemic models invalid for modeling the propagation of e-mail worms. In addition, we show that the topological epidemic models presented by M. Boguna, et al. (2000) largely overestimate epidemic spreading speed in topological networks due to their implicit homogeneous mixing assumption. For this reason, we rely on simulations to study e-mail worm propagation in this paper. We present an e-mail worm simulation model that accounts for the behaviors of e-mail users, including e-mail checking time and the probability of opening an e-mail attachment. Our observations of e-mail lists suggest that an Internet e-mail network follows a heavy-tailed distribution in terms of node degrees, and we model it as a power-law network. To study the topological impact, we compare e-mail worm propagation on power-law topology with worm propagation on two other topologies: small-world topology and random-graph topology. The impact of the power-law topology on the spread of e-mail worms is mixed: E-mail worms spread more quickly on a power-law topology than on a small-world topology or a random-graph topology, but immunization defense is more effective on a power-law topology. 相似文献