zhen chen,chuang lin,jia ni,donghua ruan,bo zheng,yixin jiang,xuehai peng,yang wang,anan luo,bing zhu,yao yue,fengyuan ren

DOI: https://doi.org/10.1109/LCN.2005.31

2005-01-01

Abstract:TCP/IP protocol suite carries most application data in Internet. TCP flow retrieval has more security meanings than the IP packet payload. Hence, monitoring the TCP flow has more strength than only monitoring the IP packet payload in the AntiWorm system. The main idea of this paper is to use the flexibility and high performance of network processors to scan TCP flow for locating worm's binary codes, and cut off their propagation. A stateful TCP flow inspection engine is implemented based on IXP network processor, which can monitor about 512K flows. The performance issues about IXP network processors are evaluated and collected, and an analysis is made for further optimizing the system performance. The system is also demonstrated and proved by using the Internet traces and real assaults of Worms. Software Package TCPScanner 1.0 is also given as a software release of the research

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

NI Jia,LIN Chuang,CHEN Zhen

DOI: https://doi.org/10.3969/j.issn.0258-7998.2007.08.056

2007-01-01

Abstract:The HBM algorithm is proposed as a new multi-pattern matching algorithm and an anti-worm engine with HBM algorithm is implemented and optimized on an Intel IXP 2400 network processor. It gives a stable performance and meets the needs of Gigabit Ethernet according to the experiment results.

CHEN Hong-tao,CHEN De-ren,GU Xue-fei

2005-01-01

Abstract:Content filtering is an indispensable important part in the network security field.It analyses the information transported in application layer content protocol and controls the forwarding of the information based on the filtering rules.Network Processor is a new generation programmable processor of high speed for carrying out data processing and transmitting.With its obvious advantages in network data processing,the network processor becomes the essential component in high-speed network equipment which supports network functions,such as operation management、security and network monitoring,etc.Based on the advantage of network processor,this paper presented an implementation of an Intel IXP2400 network processor-based content filtering system.

Yueming Hu

DOI: https://doi.org/10.1007/1-4020-4933-1_10

2006-01-01

Abstract:One of the challenges on Internet intrusion detection (ID) is detecting the intrusion on high-speed networks. To cope with the intrusion on gigabit Ethernet or higher network links, the ID devices must utilize high-speed hardware, parallel structure and efficient algorithms. This paper presents a parallel approach of ID scheme based on network processor, the embedded processor for network devices. In this approach, packets from the network flow through multiple network processors. Within the network processor, multiple network processing engines are used to process the network data in parallel, each network processor/processing engine detect the packet flow for a subset of intrusion signature. The ID scheme is a MISD parallel mode. Data flow from the network is a single packet flow, and the detection device is a multiprocessor structure with different programs.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Xiang Zhengtao,Chen Li,Dong Yabo

DOI: https://doi.org/10.3969/j.issn.1008-5483.2008.01.007

2008-01-01

Abstract:Based on the analysis of worm propagating mechanism and the framework of Bro—an intrusion detection system,the Bro-based worm detection system is designed and implemented.The failure frequency of FCC(First Contact Connections) and heavy-tailed property based worm detection algorithm is used as the kernel of the detection system.The detecting system extends the policy script interpreter of Bro,which sends the detecting results to the share memory based on the implementation of the policy script of the detecting algorithm.The results in the share memory are then sent to the monitor based on the SNMP,which is convenient for real-time monitoring the network worms.The worm detection system can detect network worm hosts quickly and accurately.

Hao Tu,Zhitang Li,Bin Liu,Yejiang Zhang

DOI: https://doi.org/10.1080/15501320802508543

2009-01-01

Abstract:The fast spread of a worm is a great challenge to Internet security. Most current defense systems use a signature matching approach while most signatures are developed manually. It is difficult to catch a variety of new worms promptly. An efficient worm defense system is designed and implemented to provide early warning at the moment the worms start to spread in the network and to contain or slow down the spread of the worm by automatically extracting a signature that could be used by firewalls or Intrusion Prevention Systems. Several recent efforts to automatically extract worm signatures from Internet traffic have been done, but the efficiency is an unsolved problem especially in real high-speed network. In this paper, we proposed an efficient worm defense system based signature extraction. The input of the system is all traffic crossing an edge network and its output is a database of worm signatures which can be used by content-based defense. There are three main stages to extract signatures from network traffic. First, a clustering stage uses multidimensional traffic mining based IP header to identify significant traffic volume. We propose a binary clustering algorithm and this leaves a preferred policy to improve the front traffic filter, which can reduce the traffic to be processed and enhance its purity. After clustering, nonsignificant traffic volume is stored in an innocuous packet pool and significant traffic volume is further classified using address dispersion as suspicious or innocuous. After this stage, only a small portion of the packets captured from the edge network are analyzed in third stage, signature extraction. A position-aware signature generation method based bloom filter is proposed to extract more accurate signatures with less CPU time and memory consumption. To minimize false positives, the signatures will be verified based on the innocuous packet pool. Both trace data and tcpdump data are used to test the prototype system. Experiment results show that the system can efficiently filter through suspicious traffic with high purity and extract more accurate signature, which can well support popular content-based defense system such as Snort.

Shi-jie ZHOU,Zhi-guang QIN,Le-yuan LIU,Yi-yi DENG

DOI: https://doi.org/10.3969/j.issn.1002-137X.2011.03.012

2011-01-01

Computer Science

Abstract:P2P worms employ the distinctive features of P2P network,such as the local routing table,application routing mechanism and so on,to quickly distribute them into the network while holding the covert characteristic.Contrarily,the common internet worms generally rely on detecting the victims' IP address to spread.Therefore,the lack of hidden feature and feasible promulgating paths make that it is easier to detect and defense the ordinary internet worms than P2P worms.Consequently,the P2P worm can do more damage to the network if lacking the effective defensive scheme.In this paper,the P2P worm,especially its transmission mechanism was analyzed synthetically.Then,an anti-worm based scheme for the defensive of P2P worm was presented.The principle and functional modules of this new scheme were addressed as well.By using the Peersim P2P simulator,the performance of our novel scheme was evaluated experimentally in various system parameters.The primary experimental results indicated that our anti-worm based defensive scheme for P2P worm has the features of fast convergence,low overload of networking resource(including communication traffic and computing power),and high adaptability.

WEN Shi-qiang,DUAN Hai-xin,WU Jian-ping

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.05.007

2005-01-01

Abstract:New internet worm including many attack measures, such as virus, trojan and DDDS, will cause network block even paralysis, when it breaks out. A detection algorithm is brought forward which can find abnormity in the forepart of worm eruption by detection on variable rate of network flux, and then network administrators and emergency response teams can gain more time to take measures before worm blocks the network. This algorithm is evaluatedby DARPA98 intrusion detection evaluation system and has applied to real flux data of worm (Blaster、Nachi、slammer) eruption.

Hao Tu,Zhitang Li,Bin Liu

DOI: https://doi.org/10.1109/fskd.2008.434

2008-01-01

Abstract:Recent worm increasingly threaten the availability of Internet. It is difficult to catch variety of 0day worms promptly with current signature matching approach because most signatures are developed manually. Several recent efforts to automatically extract worm signatures from Internet traffic have been done, but the efficiency is an unsolved problem especially in real high-speed network. We propose a binary clustering algorithm and a leaves preferred policy to improve the front traffic filter, which can reduce the traffic to be processed and enhance its purity. A position-aware signature generation method based bloom filter is proposed to bring better performance and more accurate signature for content-based defense. Both trace data and tcp dump data are used to test the prototype system and experiment results show the system can efficiently filter through suspicious traffic with high purity, which is no more than 25% of entire traffic, and extract more accurate signature, which can well support popular defense system such as Snort.

Li Lu,Muhammad Jawad Hussain,Guoxing Luo,Zhigang Han

DOI: https://doi.org/10.1155/2015/356382

IF: 1.938

2015-01-01

International Journal of Distributed Sensor Networks

Abstract:Wormhole attack is one of the severe threats to wireless sensor and ad hoc networks. Most of the existing countermeasures either require specialized hardware or demand high network overheads in order to capture the specific symptoms induced by the wormholes, which in result limits their applicability. In this paper, we exploit an inevitable symptom of wormholes and present Pworm, a passive wormhole detection and localization system based upon the key observation that a large amount of network traffic will be attracted by the wormholes. The proposed scheme is passive, real-time, and efficient against both active and passive wormholes. Our approach silently observes the variations in network topology to infer the wormhole existence and solely relies on network routing information. It does not necessitate specialized hardware or poses rigorous assumptions on network features. We evaluate our scheme through extensive simulations of 100 to 800 nodes for various network scales and show that Pworm is well suited for false alarms, scalability, and time delay in terms of activation as well as detection latencies.

Hui He,Mingyi Hu,Weizhe Zhang,Hongli Zhang

DOI: https://doi.org/10.1007/11739685_70

2006-01-01

Abstract:Internet worms constitute a major threat to the security of today’s networks. They work by exploiting vulnerabilities in operating systems and application software that run on end systems. In this paper, an effective algorithm for fast detection of worms is proposed. It integrates the worms’ behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution and changes in some of their attributes. The process of fast detection based on similarity is discussed in detail including threshold selection, similarity detection algorithm and fine analysis. Simulation experiments show that the detection algorithm can locate the worm infection prior to it spreading over the large-scale network.

涂浩,李之棠,柳斌

2009-01-01

Abstract:The fast spread of worm is a great challenge to Internet security.An effective worm detection and defense system is designed and implemented.A binary cluster algorithm is proposed to improve the front traffic filter,which reduce the traffic and enhance its purity.A method of position-aware signature generation based Bloom Filter is proposed to bring better performance and more accurate signature.Experiments show the system can effective detect worm traffic and generate accurate signature for content-based automatic defense.

Donghua Ruan,Chuang Lin,Zhen Chen,Jia Ni,Peter D. Ungsunan

DOI: https://doi.org/10.1109/ICCT.2006.341843

2006-01-01

Abstract:Traffic measurement is important in network management, accounting, worm detection, etc. It becomes more and more difficult today and cannot keep pace with the increasing speed of today's internet. Many new algorithms and hardware have been proposed to solve this problem. Network Processors, known for its nice tradeoff between performance and programming flexibility, are chosen as the platform. The goal of this paper is to find a suitable algorithm based on NPs to handle high speed network traffic measurement. Four algorithms, Raw measurement, Sampling, Multi-stage Filter and Multi-Resolution Space Code Bloom Filter (MRSCBF) are implemented and evaluated on Intel's IXP 2400 network processor. The results reveal that Sampling and Multi-stage Filters can fully exploit the parallel and heterogeneous architecture of network processor, so are suitable for high speed network traffic measurement on the network processor platform. MRSCBF, on the other hand, is not so efficient on network processors because of its complex process and frequent memory access.

SHAO Zong-you,LIU Xing-kui,LIU Xin-chun,SUN Ning-hui

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.03.014

2013-01-01

Computer Science

Abstract:As the network bandwidth continuously increases,the network security has been seriously threatened by malicious behaviors and risks.Network intrusion detection system(NIDS) is one of the efficient measures to cope with intrusion threats and protect information security,which employs pattern matching techniques to analyze incoming packe-ts and detect potential threats.However,pattern matching is such a compute-intensive task that most current techniques can't meet the demand of NIDS for backbone networks over 10Gbps speed.We proposed a novel Bloom filter based approach for pattern matching,called PBPM(Parallel-Bloom-filter-based multi-Pattern Matching).PBPM employs multiple copies of the same Bloom filter to carry out parallel matching on different positions of the input text at the same time.The fine-grained parallel approach is able to skip multiple characters per clock when implemented on FPGAs,dramatically improving pattern matching performance.Experimental results on the rule set from Snort 2.9 show that the throughput of PBPM exceeds more than 20Gbps.

PENG Yongchao,WANG Hui,LI Jinsheng,HONG Peilin

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.07.052

2005-01-01

Abstract:Using network processor to develop next-generation network devices will not only ensure performance of products, but also accelerate time-to-market of products, and products can be easily upgraded in software. This paper describes the design for a 1000Mb hardware firewall based on the Intel IXP1200 network processor, and the implementation of network address transition (NAT) function in detail.

wang xiaopeng,wang bailing,liu yang,he hui,sun yunxiao

2013-01-01

International Journal of Future Generation Communication and Networking

Abstract:Welchia worms were launched to terminate the Blaster worms and patch the vulnerable hosts. They created complex worm interactions as well as detrimental impact on infrastructure. Worm propagation analysis, including exploring mechanisms of predator-prey worms' propagation and formulating effects of network/worm parameters, has great importance for worm containment and host protection. In this paper, an integrated worm ecology model is given to study the propagation of such worms. The analytical results provide insights of the worm design and impact to network. The simulation results verify the correctness of our model and show the effectiveness of the worm model by applying it to the LiOn/Cheese and MSBlaster/Welchia.