Xiaojun Tong,Zhangquan Zhao,Huimin Shuai,Zhu Wang

DOI: https://doi.org/10.1109/WCINS.2010.5541811

2010-01-01

Abstract:At present there are some worm detection systems, primarily for a single LAN or with hardware router environment, which main use worm propagation characteristics for detection and has high false alarm rate, but it is not applicable for large-scale network for detecting. This paper presents a distributed worm detection technology, which is divided into two parts, client end and the console end program. The system uses the rule-based detection methods to monitor network worms, and the console side manages and coordinates the multiple side work of detecting. Experimental results show that the method can be good applicable for worms conduct surveillance based on a single or multiple local area network and is used for worm alarming, the method has high detection rate and low false alarm rate. © 2010 IEEE.

TONG Xiao-jun,WANG Zhu

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.06.024

2011-01-01

Computer Science

Abstract:At present there are some worm intrusion detection systems which detect network worms only by using worm propagation properties and have high false alarm rate.This paper analyzed worm non-linear propagation models,realized the optimization of worm model,and proposed distributed worm propagation model.Then a distributed worm detection technology was designed according to the distributed worm propagation model.The system uses rule-based detection method to monitor network worms,and the console side manages and coordinates detection work of the client sides.The experimental results show that the technology is a good solution to worm warning and worm detection,which can give an alarm with high detection rate and low false alarm rate.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

Xiang Zhengtao,Chen Li,Dong Yabo

DOI: https://doi.org/10.3969/j.issn.1008-5483.2008.01.007

2008-01-01

Abstract:Based on the analysis of worm propagating mechanism and the framework of Bro—an intrusion detection system,the Bro-based worm detection system is designed and implemented.The failure frequency of FCC(First Contact Connections) and heavy-tailed property based worm detection algorithm is used as the kernel of the detection system.The detecting system extends the policy script interpreter of Bro,which sends the detecting results to the share memory based on the implementation of the policy script of the detecting algorithm.The results in the share memory are then sent to the monitor based on the SNMP,which is convenient for real-time monitoring the network worms.The worm detection system can detect network worm hosts quickly and accurately.

Hui He,Mingyi Hu,Weizhe Zhang,Hongli Zhang

DOI: https://doi.org/10.1007/11739685_70

2006-01-01

Abstract:Internet worms constitute a major threat to the security of today’s networks. They work by exploiting vulnerabilities in operating systems and application software that run on end systems. In this paper, an effective algorithm for fast detection of worms is proposed. It integrates the worms’ behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution and changes in some of their attributes. The process of fast detection based on similarity is discussed in detail including threshold selection, similarity detection algorithm and fine analysis. Simulation experiments show that the detection algorithm can locate the worm infection prior to it spreading over the large-scale network.

Chen Bo,Bin-Xing Fang,Jun Zheng,Xiao-Chun Yun

2006-01-01

Abstract:Worm attacks represent a major security problem. It is clear that a simple self-propagation worm can quickly spread on Internet. And every worm incident can cause severe damage to our society. The main task of defense mechanism is to quickly detect worm attacks and response to constrain their propagation. We propose a distributed mechanism which is composed of two parts: a Date Processing Centre and distributed sensors for defending against worm attacks. These distributed sensors monitor the network and detect worm. Once a worm attack is detected, a dropping packet mechanism is used so that (1) the worm propagation is constrained, and (2) number of interference with normal activity is minimize. We report experimental results to prove the robustness and efficiency of the proposed defense mechanism.

Yi Xin,Bin-Xing Fang,Xiao-Chun Yun,Hai-Yong Chen

DOI: https://doi.org/10.1109/PDCAT.2005.255

2005-01-01

Abstract:Nowadays, worms have been one of the leading threats to information security and service availability. Current operational practices have not been able to manage the threat effectively. So it is very important to make early warning of the burst of worm in large scale network. In this paper we analyze the real network traffic in large scale network. Based on long time statistic, we construct a network traffic model which concern two parameters: the traffic volume and curve of traffic function. And then we propose a method to computer the function curve of normal traffic function in ideal condition. We deployed them in our campus network (more than 20000 computers, 400M/s bandwidth to internet).It is shown that the worms are detected automatically and efficiently.

Hui He,Ming-Zeng Hu,Wei-Zhe Zhang,Hong-Li Zhang

2005-01-01

Abstract:Internet worms are becoming a major threat to the security of today's large-scale networks. The fast spreading nature of worms calls for a worm monitoring and early detection system. In this paper, an effective algorithm for early detection of the active worms and the corresponding detection system are proposed. The detection engine is the key components to the system, and the early detection algorithm based on multi-similarity is discussed in detail, which is the core of the engine, that integrates the worms' behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution change of some attributes. Our simulation experiments show that the system can detect the presence worms intrusion when attacks don't arouse the sharp changes of the network traffic. It can detect the worm attack ahead of its overspreading on the large-scale network.

Chen Bo,Bin Xing Fang,Xiao Chun Yun

DOI: https://doi.org/10.1007/11760146_16

2006-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new algorithm for detecting worms. Our algorithm first monitors the computers on network and gets the number of abnormal computers. Then based on the monitoring result, we detect an unknown worm by using recursive least squares estimation. The experiments result proves that our approach is effective to detect unknown worm.

Hui He,Hongli Zhang,Weizhe Zhang,MingZeng Hu

2005-01-01

Abstract:Worms have caused widespread damage to large-scale networks. Detecting the worm behavior very early in its proliferation cycle might provide first responders an opportunity to intercept a global scale epidemic. In the paper, a scalable framework for worm detecting based on similarity is proposed. By aggregating network traffic classified by its attribute, a rule of its distribution is found out, according to which it become the further detection algorithm selected. After analyzing of the traffic distribution, an effective algorithm for worm early detection based on similarity is put forward. That is the key parts to the detection engine, which is the main component of the detection framework. Afterwards, the early detection algorithm is discussed in detail that integrates the worms' behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution change of some attributes. Promising results have been produced in simulation platform, demonstrating that worms can be detected at its early stage especially with multi-similarity compared with s-similarity.

LIAO Ming-tao,ZHANG De-yun,HOU Lin,LI Jin-ku

DOI: https://doi.org/10.3969/j.issn.1000-7180.2007.05.030

2007-01-01

Abstract:On the basis of characteristics of network worms attack, a system for early detection of network worms based on failed connections analysis is proposed. This system detects worms in real-time by calculating dissimilar degree of failed connections traffic distribution from the normal state. Furthermore, a method of analyzing self-similarity of failed connections set is developed to reduce the false positives caused by traffic noise. The experiment based on a prototype system shows that the approach can detect unknown worms in real-time, extract possible features of worms scan, derive the list of likely infected hosts. Compared to existing methods, this system is more sensitive, and has a lower false positive rate.

Li Lu,Muhammad Jawad Hussain,Guoxing Luo,Zhigang Han

DOI: https://doi.org/10.1155/2015/356382

IF: 1.938

2015-01-01

International Journal of Distributed Sensor Networks

Abstract:Wormhole attack is one of the severe threats to wireless sensor and ad hoc networks. Most of the existing countermeasures either require specialized hardware or demand high network overheads in order to capture the specific symptoms induced by the wormholes, which in result limits their applicability. In this paper, we exploit an inevitable symptom of wormholes and present Pworm, a passive wormhole detection and localization system based upon the key observation that a large amount of network traffic will be attracted by the wormholes. The proposed scheme is passive, real-time, and efficient against both active and passive wormholes. Our approach silently observes the variations in network topology to infer the wormhole existence and solely relies on network routing information. It does not necessitate specialized hardware or poses rigorous assumptions on network features. We evaluate our scheme through extensive simulations of 100 to 800 nodes for various network scales and show that Pworm is well suited for false alarms, scalability, and time delay in terms of activation as well as detection latencies.

Chen Bo,Yu Xiangzhan,Fang Binxing,Yun Xiaochun

DOI: https://doi.org/10.1007/s11460-007-0087-7

2007-01-01

Frontiers of Electrical and Electronic Engineering in China

Abstract:There appear many Internet-scale worm incidents in recent years, which have caused severe damage to the society. It is clear that a simple self-propagation worm can quickly spread across the Internet. Therefore, it is necessary to implement automatic mitigation which can detect worm and drop its packet. In this paper, the worm’s framework was first analyzed and its two characteristics were detected. Based on the two characteristics, a defending algorithm was presented to protect network. Experimental results verify that our algorithm is very effective to constrain the worm propagation and meanwhile it almost does not interfere in normal activity.

Xiaojun Tong,Zhu Wang

DOI: https://doi.org/10.1007/978-3-642-25002-6_23

2011-01-01

Abstract:The existing worm detection system requires high detection environment and has high false alarm rate. So the paper proposed a novel anomaly detection algorithm and the prewarning technology of unknown network worms. We detect unknown worms by means of multidimensional worm abnormal detection method to discover unknown worms, extracts unknown worm features set by analyzing worm data in a leap-style way and creates new rules which will be used to detect the corresponding worm in case that the unknown worm attacks again. Experiments have proved that this method can discover new worms successfully, extracts corresponding features and creates new rules for later detection. Experiment data has shown that this method has a high success detection rate and low false alarm rate.

Jinhuan Hou,Fuqiang Ding

DOI: https://doi.org/10.1155/2022/8587906

2022-01-25

Scientific Programming

Abstract:This study analyzes and designs a network security management system based on the K-means algorithm. Through the investigation of network security managers, this article uses structured modeling technology to derive the system’s logical business functions, which are data acquisition function, data analysis function, and post-processing function. This study uses a three-tier architecture to design the system, describes the system data business processing flow, and gives the key flow of the K-means algorithm application. In addition, the system database is designed to provide support for system data processing. This study proposes a dual-network text matching model based on local interactive components. This model composes two modalities of single-modal short text data: a positional structural modal for describing local interactions and a global semantic understanding modal for extracting global semantic information. Two heterogeneous networks are used to extract two modalities. The principle of complementarity of modalities is realized by constructing the differences of each modal. At the same time, through the attention mechanism, the position information of the position structure modal is transferred to the global semantic understanding modal to obtain consistent comprehensive information so as to realize the principle of modal consistency. On this basis, by designing low-order interaction functions and high-order interaction functions, and using long- and short-term memory networks, we have, respectively, improved the position structure modal and global semantic understanding modal. The theoretical analysis and simulation results of the model show that the propagation characteristics of the network worm are completely determined by the threshold R0 required for its existence. When R0 >1, the network worm will become popular even with a small initial infection number; conversely, even if the initial infection machine is large, the network worm will eventually become extinct. The research results of this article also show that the introduction of mobile devices has an important impact on the defense technology of network worms. To curb network worms that use both the network and mobile devices to spread, and to increase the proportion of machines that have never been infected with the virus, the most effective method is to control the number of mobile devices and reduce the possibility of cross-infection between mobile devices and machines. The simulation results show that, regardless of whether dynamic isolation and antivirus software are considered, the local area network-based choke method given in this study can effectively curb intelligent network worms that have slow scanning rates and clear scanning targets. In addition, the choke method presented in this article can determine the choke threshold without affecting the normal network scanning behavior of users in the local area network.

computer science, software engineering

Bo CHEN,Bin-Xing FANG,Xiao-Chun YUN

2007-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new monitoring algorithm. Based on the monitoring result, we present an adaptive method to detect un-known worm by using recursive least squares estimation. The experiment result proves that our approach can be effectively, quickly and robust to detect unknown worm.