Ye Guo,Miaoliang Zhu

DOI: https://doi.org/10.1109/IMSCCS.2006.178

2006-01-01

Abstract:Considering the shortcomings of the current worm Defense system, an agent-oriented worm Defense system, AOSWD, is proposed in this paper. In the hierarchical framework of AOSWD, the agents are independent but can roam in the network freely and collaborate with each other to defend against Internet worms. In this paper, we discuss the system architecture and the realization details, propose the key technique for the system and analyze the system performance.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

HUANG Xin,DENG Qian-ni

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2013.03.021

2013-01-01

Abstract:In recent years,with the rapid development of online social network,it seems more and more popular that we use mobile devices to connect with other people.However,with the increased openness of operating systems,it makes realistic for worms and malicious software to propagate from one phone to another in mobile networks.So we need to find a strategy to efficiently contain the propagation of worms on the network.Existing strategies used for online social network cannot adapt to the structure of the real network.So we proposed a model based on target immunization,which can be used to design a more efficient counter-mechanism.Through analysis and comparing the infection situations under these two different strategies,we find that our model is faster and more efficient.

Hongyu Gao,Jun Hu,Christo Wilson,Zhichun Li,Yan Chen,Ben Y. Zhao

DOI: https://doi.org/10.1145/1866307.1866396

2010-01-01

Abstract:Online social networks (OSNs) are exceptionally useful collaboration and communication tools for millions of users and their friends. Unfortunately, in the wrong hands, they are also extremely effective tools for executing spam campaigns and spreading malware.In this poster, we present an initial study to detect and quantitatively analyze the coordinated spam campaigns on online social networks in the wild. Our system detected about 200K malicious wall posts with embedded URLs, traced back to roughly 57K accounts. We find that more than 70% of all malicious wall posts are advertising phishing sites.

Xiao Ying,Yun Xiaochun,Xin Yi

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.07.035

2006-01-01

Abstract:Nowadays,the worm becomes the biggest threat in the Internet,the method of propagation of worm is becoming more intelligent and enshrouded.Search engines are used to retrieve interesting things,meanwhile,they can be used by worm for propagation.Worms based on search engines implement enshrouded,precise propagation with small network traffic.In this paper,we introduce the feature of this kind of worm,and then we propose a client search model and an anomalous detection algorithm.This method is proved to be of high efficiency by experiments.

Chen Bo,Bin-Xing Fang,Jun Zheng,Xiao-Chun Yun

2006-01-01

Abstract:Worm attacks represent a major security problem. It is clear that a simple self-propagation worm can quickly spread on Internet. And every worm incident can cause severe damage to our society. The main task of defense mechanism is to quickly detect worm attacks and response to constrain their propagation. We propose a distributed mechanism which is composed of two parts: a Date Processing Centre and distributed sensors for defending against worm attacks. These distributed sensors monitor the network and detect worm. Once a worm attack is detected, a dropping packet mechanism is used so that (1) the worm propagation is constrained, and (2) number of interference with normal activity is minimize. We report experimental results to prove the robustness and efficiency of the proposed defense mechanism.

Shuhao Li,Xiaochun Yun,Zhiyu Hao,Yongzheng Zhang,Xiang Cui,Yipeng Wang

DOI: https://doi.org/10.1007/978-3-642-30436-1_22

2012-01-01

Abstract:In recent years, widely spreading botnets in social networks are becoming a major security threat to both social networking services and the privacy of their users. In order to have a better understanding of the dynamics of these botnets, defenders should model the process of their propagation. However, previous studies on botnet propagation model have tended to focus solely on characterizing the vulnerability propagation on one infection domain, and left two key properties (cross-domain mobility and user dynamics) untouched. In this paper, we formalize a new propagation model to reveal the general infection process of social engineering botnets in multiple social networks. This proposed model is based on stochastic process, and investigates two important factors involved in botnet propagation: (i) bot spreading across multiple domains, and (ii) user behaviors in social networks. Furthermore, with statistical data obtained from four real-world social networks, a botnet simulation platform is built based on OMNeT++ to test the validity of our model. The experimental results indicate that our model can accurately predict the infection process of these new advanced botnets with less than 5% deviation.

Shuhao Li,Xiaochun Yun,Zhiyu Hao,Xiang Cui,Yipeng Wang

DOI: https://doi.org/10.1109/PDCAT.2011.8

2011-01-01

Abstract:With the rapid development of social networking services and the diversification of social engineering attacks, new high-infection botnet (called SE-botnet by us), which exploits social engineering attacks to spread bots in social networks, has become an underlying threat. Predicting the threat of SE-botnet can help defenders mitigate it effectively. In this paper, we focus on SE-botnet's infection and defense, presenting a propagation model for it. We take full account of social networks' characteristics and human dynamics, and abstract the general process of social engineering attacks used by SE-botnet. Our preliminary simulation results demonstrate that the SE-botnet can capture tens of thousands of bots in one day with a great infection capacity. our propagation model can accurately predict this process with less than 5% deviation.

wang xiaopeng,wang bailing,liu yang,he hui,sun yunxiao

2013-01-01

International Journal of Future Generation Communication and Networking

Abstract:Welchia worms were launched to terminate the Blaster worms and patch the vulnerable hosts. They created complex worm interactions as well as detrimental impact on infrastructure. Worm propagation analysis, including exploring mechanisms of predator-prey worms' propagation and formulating effects of network/worm parameters, has great importance for worm containment and host protection. In this paper, an integrated worm ecology model is given to study the propagation of such worms. The analytical results provide insights of the worm design and impact to network. The simulation results verify the correctness of our model and show the effectiveness of the worm model by applying it to the LiOn/Cheese and MSBlaster/Welchia.

Hao Tu,Zhitang Li,Bin Liu,Yejiang Zhang

DOI: https://doi.org/10.1080/15501320802508543

2009-01-01

Abstract:The fast spread of a worm is a great challenge to Internet security. Most current defense systems use a signature matching approach while most signatures are developed manually. It is difficult to catch a variety of new worms promptly. An efficient worm defense system is designed and implemented to provide early warning at the moment the worms start to spread in the network and to contain or slow down the spread of the worm by automatically extracting a signature that could be used by firewalls or Intrusion Prevention Systems. Several recent efforts to automatically extract worm signatures from Internet traffic have been done, but the efficiency is an unsolved problem especially in real high-speed network. In this paper, we proposed an efficient worm defense system based signature extraction. The input of the system is all traffic crossing an edge network and its output is a database of worm signatures which can be used by content-based defense. There are three main stages to extract signatures from network traffic. First, a clustering stage uses multidimensional traffic mining based IP header to identify significant traffic volume. We propose a binary clustering algorithm and this leaves a preferred policy to improve the front traffic filter, which can reduce the traffic to be processed and enhance its purity. After clustering, nonsignificant traffic volume is stored in an innocuous packet pool and significant traffic volume is further classified using address dispersion as suspicious or innocuous. After this stage, only a small portion of the packets captured from the edge network are analyzed in third stage, signature extraction. A position-aware signature generation method based bloom filter is proposed to extract more accurate signatures with less CPU time and memory consumption. To minimize false positives, the signatures will be verified based on the innocuous packet pool. Both trace data and tcpdump data are used to test the prototype system. Experiment results show that the system can efficiently filter through suspicious traffic with high purity and extract more accurate signature, which can well support popular content-based defense system such as Snort.

Yadong Zhou,Bowen Hu,Junjie Zhang,Liyuan Sun,Xingyu Zhu,Ting Liu

DOI: https://doi.org/10.1016/j.jnca.2022.103555

IF: 7.574

2022-01-01

Journal of Network and Computer Applications

Abstract:Online social networks (OSN) have started to integrate financial capabilities such as the usage of virtual currency. In OSNs with such capabilities, user accounts can also be used as financial accounts to manage virtual currency. Attackers are highly motivated to compromise user accounts and engage them in transactions to “steal” virtual currency. Such attacks represent a real and ongoing threat against a massive number of users in global social networks such as Tencent QQ. Aiming to address this emerging security concern, we have proposed an effective system, namely VC-Guard , to detect transactions that are likely initiated by attackers (i.e., suspicious transactions). Our system features the design and integration of multi-faceted features of each transaction. We have performed extensive experiments based on real-world data collected from Tencent QQ, a global leading OSN that has a virtual-currency-enabled ecosystem. Experimental results have demonstrated that our system has accomplished a high detection rate of 98.76% at a very low false positive rate of 1.24%.

Xiao-song Zhang,Ting Chen,Jiong Zheng,Hua Li

DOI: https://doi.org/10.1631/jzus.c0910488

2010-01-01

Journal of Zhejiang University SCIENCE C

Abstract:It is universally acknowledged by network security experts that proactive peer-to-peer (P2P) worms may soon engender serious threats to the Internet infrastructures. These latent threats stimulate activities of modeling and analysis of the proactive P2P worm propagation. Based on the classical two-factor model, in this paper, we propose a novel proactive worm propagation model in unstructured P2P networks (called the four-factor model) by considering four factors: (1) network topology, (2) countermeasures taken by Internet service providers (ISPs) and users, (3) configuration diversity of nodes in the P2P network, and (4) attack and defense strategies. Simulations and experiments show that proactive P2P worms can be slowed down by two ways: improvement of the configuration diversity of the P2P network and using powerful rules to reinforce the most connected nodes from being compromised. The four-factor model provides a better description and prediction of the proactive P2P worm propagation.

Hongyu Gao,Yan Chen,Kathy Lee,Diana Palsetia,Alok Choudhary

DOI: https://doi.org/10.1145/2046707.2093489

2011-01-01

Abstract:Online social networks (OSNs) are popular collaboration and communication tools for millions of users and their friends. Unfortunately, in the wrong hands, they are also effective tools for executing spam campaigns. In this paper, we present an online spam filtering system that can be deployed as a component of the OSN platform to inspect messages generated by users in real-time. We propose to reconstruct spam messages into campaigns for classification rather than examine them individually. Although campaign identification has been used for offline spam analysis, we apply this technique to aid the online spam detection problem with sufficiently low overhead. Accordingly, our system adopts a set of novel features that effectively distinguish spam campaigns. It is highly accurate and confidently drops messages classified as "spam" before they reach the intended recipients, thus protecting them from various kinds of fraud. In addition, the system achieves an average throughput of 1580 messages/sec and an average processing latency of 69.7ms for each message. The high throughput and low latency guarantees that it will not become the bottleneck of the whole OSN platform.

Chun-Ming Lai,Xiaoyun Wang,Yunfeng Hong,Yu-Cheng Lin,S. Felix Wu,Patrick McDaniel,Hasan Cam

DOI: https://doi.org/10.23919/CNSM.2017.8256040

2018-02-13

Abstract:Online social network (OSN) discussion groups are exerting significant effects on political dialogue. In the absence of access control mechanisms, any user can contribute to any OSN thread. Individuals can exploit this characteristic to execute targeted attacks, which increases the potential for subsequent malicious behaviors such as phishing and malware distribution. These kinds of actions will also disrupt bridges among the media, politicians, and their constituencies. For the concern of Security Management, blending malicious cyberattacks with online social interactions has introduced a brand new challenge. In this paper we describe our proposal for a novel approach to studying and understanding the strategies that attackers use to spread malicious URLs across Facebook discussion groups. We define and analyze problems tied to predicting the potential for attacks focused on threads created by news media organizations. We use a mix of macro static features and the micro dynamic evolution of posts and threads to identify likely targets with greater than 90% accuracy. One of our secondary goals is to make such predictions within a short (10 minute) time frame. It is our hope that the data and analyses presented in this paper will support a better understanding of attacker strategies and footprints, thereby developing new system management methodologies in handing cyber attacks on social networks.

Social and Information Networks

David Koll,Martin Schwarzmaier,Jun Li,Xiang-Yang Li,Xiaoming Fu

DOI: https://doi.org/10.1109/icdcsw.2017.67

2017-01-01

Abstract:Online Social Networks (OSNs) have become a rewarding target for attackers. One particularly popular attack is the Sybil attack, in which the adversary creates many fake accounts called Sybils in order to, for instance, distribute spam or manipulate voting results. A first generation of defense systems tried to detect these Sybils by analyzing changes in the structure of the OSN graph unfortunately with limited success. Based on these efforts a second generation of solutions enriches the graph structural approaches with higher-level user features in order to detect Sybil nodes more efficiently. In this work we provide an in-depth analysis of these defenses. We describe their common design and working principles, analyze their vulnerabilities, and design simple yet effective attack strategies that an adversary could launch to circumvent these systems. In our evaluation we reveal that an miscreant can exploit the credulity of OSN users and follow a targeted attack strategy to successfully avoid detection by all existing approaches.

Yijin Chen,Yuming Mao,Supeng Leng,Yunkai Wei,Yuchen Chiang

DOI: https://doi.org/10.1109/icct.2017.8359857

2017-01-01

Abstract:The powerful information diffusion ability of online social networks (OSNs) attracts many attackers to spread malware, because malware can fiercely spread among massive active users with close social relationship in OSNs. A message-recallable function in user profile of modern OSNs can delete messages containing malicious link, and stop malware spreading. However, existing works on malware propagation models have not concerned the new message-recallable mechanism (MRM). This paper proposes a novel malware spread model to analyze the performance of malware propagation in OSNs with MRM. For analyzing the malware spread model, we carry out theoretical derivation to obtain key metrics, including infection rate, recalling rate, and epidemic threshold. Numerical analysis and simulation are conducted to validate the accuracy of the proposed model. The proposed malware spread model with theoretical metrics can provide a guidance to design highly efficient network defense schemes for emerging message-recallable OSNs.

Ping Wang,Binxing Fang,Xiaochun Yun

DOI: https://doi.org/10.1007/11596981_32

2005-01-01

Abstract:In the long term usage of the network, users will form certain types of habit according to their specific characteristics, individual hobbies and given restrictions. On the burst-out of worms, the overwhelming flow caused by random scanning will temporarily alter the behavior representation of users. Therefore, it is reasonable to conclude that the statistics and classification of the user habit can contribute to the detection of worms. On the basis of analysis about both users and worms, we construct the model of user-habit and propose a new approach for the early warning of worms. This paper possesses strong direction significance due to its broad applicability since extended models can be derived from the model proposed in this paper.