Hui Zheng,Haixin Duan

2005-01-01

Abstract:Most of researches focus on modeling and detection of the Internet worm propagation, but in practice, the final objects are containment and elimination of Internet worm, which have not received enough research effects. In this paper, three categories of active technologies to contain Internet worm were introduced: vaccination for containing susceptible machines, forcing shutdown for containing infected machines, and bidirectional leading for containing worm spreading traffic. These technologies can be adopted to construct one or more automated Internet worm defense systems in any phase of Internet worm defense: prevention, detection, containment and elimination. Our experiment in large scale network shows that when combined with those active technologies, automated Internet worm defense systems are more effective to contain the Internet worm and to shorten the defense time.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

GUO Ye,ZHU Miao-liang

2006-01-01

Journal of Computer Applications

Abstract:Current situation of the traditional security defense system was briefly introduced. Considering the shortcomings of the current worm defense system and advantages of Agents, an Agent-oriented worm defense system named AOSWD was proposed, which can defend against Internet worms quickly and effectively.The architecture and the key technology of the system were discussed. Experimental results prove the effectiveness of AOSWD.

Ye Guo,Miaoliang Zhu

DOI: https://doi.org/10.1109/IMSCCS.2006.178

2006-01-01

Abstract:Considering the shortcomings of the current worm Defense system, an agent-oriented worm Defense system, AOSWD, is proposed in this paper. In the hierarchical framework of AOSWD, the agents are independent but can roam in the network freely and collaborate with each other to defend against Internet worms. In this paper, we discuss the system architecture and the realization details, propose the key technique for the system and analyze the system performance.

Hong CHEN,Weiwei YANG,Jiankun SHI,Weiqiang LIN

DOI: https://doi.org/10.16400/j.cnki.kjdkz.2015.07.086

2015-01-01

Abstract:In order to reduce the harm of the computer virus, the proposal is presented to cut off the computer virus' lifecycle based on the working principles of the computer virus. The effective strategy is to implement the defense mechanism during the design stage, the propagation phase and the operation phase with the safety education, which demonstrates it is effective to reduce the average probability of poisoning about 23%and the percentage of working hours is improved 25%in lab of uni-versities and colleges.

ye guo,miaoliang zhu

2006-01-01

Abstract:Worm attacks are threatening today's Internet security. In this paper, we propose a Agent-Oriented Worm Defense System by which the agents collaborate with each other to defend against Internet worms. Some agents travel in the network and distribute vaccine to hosts. We discuss the migration mechanism of agents and the deployment algorithm of vaccine repository nodes. By this way, vaccine distribution path is optimized and distributing time is shortened. Experiments shows the path optimization mechanism is effective.

Zheng Hui,Sun Bin,Zheng Xianwei,Duan Haixin

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.08.033

2006-01-01

Abstract:In large scale network,a mass of susceptible machines and infected machines form a prefect environment for Internet worm living.Setting ACL on router only works at the beginning of worm broken out to steady situation,but there are still lots of infected machines in network after that.It would be a long term if network operators passively wait for each user to eliminate worm from his infected machine by himself.In this paper,it is discussed that taking advantage of DNS hijacking lead user's traffic to a warning machine so that user can be informed there are some thing wrong with his machine and know how to deal with the problems.The concrete DNS-hijacking-containing project was implemented in Tsinghua University and the statistics of data shows that Internet worms are cleared up very quickly in a large scale network as Tsinghua University.

Ye Guo,Miaoliang Zhu

2006-01-01

Journal of Information and Computational Science

Abstract:An agent-oriented worm defense system can be rather effective in resisting and eliminating network worms. In this paper, we propose an optimal vaccine delivery strategy in our worm defense system. By this strategy, agents can deliver vaccines more quickly so vaccine may reach hosts ahead of worm. We discuss detail of the strategy and analyze its performance.

Ye Guo,Miaoliang Zhu

DOI: https://doi.org/10.1109/WiCOM.2006.296

2006-01-01

Abstract:The current worm defense system cannot provide a safe mobile network against malicious worms. In this paper, we propose a fast vaccine distribution mechanism in Agent-Oriented Worm Defense System for mobile network. By this mechanism, the agents travel in a parallel and concurrent manner in the network by self-replicating approach, which tremendously improves the vaccine distributing efficiency. Several key technologies are discussed and the performance is analyzed

Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

SUN Le-chang,CAI Ming,JIANG Xin

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.01.060

2007-01-01

Abstract:To prevent multi networm is an urgent problem in network security field.Based on the analysis of prevention and cure technologies in existence,the intelligent system for anti internet worm is designed to multi networm.Firstly,this article gives the architecture of system,and its work flow.Secondly,the paper expounds the intelligent prevention and cure center.At last,the sort,transformation and communication of intelligent vaccine are discussed in detail.

JIANG Jian,ZHUGE Jian-Wei,DUAN Hai-Xin,WU Jian-Ping

DOI: https://doi.org/10.3724/sp.j.1001.2012.04101

2012-01-01

Abstract:Botnets are one of the most serious threats to the Internet.Researchers have done plenty of research and made significant progress.However, botnets keep evolving and have become more and more sophisticated.Due to the underlying security limitation of current system and Internet architecture, and the complexity of botnet itself, how to effectively counter the global threat of botnets is still a very challenging issue.This paper first introduces the evolving of botnet's propagation, attack, command, and control mechanisms.Then the paper summarizes recent advances of botnet defense research and categorizes into five areas: Botnet monitoring, botnet infiltration, analysis of botnet characteristics, botnet detection and botnet disruption.The limitation of current botnet defense techniques, the evolving trend of botnet, and some possible directions for future research are also discussed.

LI Qing-peng,ZHENG Lian-qing,YANG Tong,ZHANG Chuan-rong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2012.01.016

2012-01-01

Abstract:For the sake of defensing Botnets,methods of bot programming and network structures are researched.A bot is designed by analyzing the functional structure and working mechanism of Botnet.The program is broken down into four modules that are scan module,exploit module,upload module and communicate module.Then the four modules are implemented by programming,and performance of bot is tested in lab environment,the data show that,botnet can achieve the desired results.Finally,some kinds of prevention measures are presented.

WEN Shi-qiang,DUAN Hai-xin,WU Jian-ping

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.05.007

2005-01-01

Abstract:New internet worm including many attack measures, such as virus, trojan and DDDS, will cause network block even paralysis, when it breaks out. A detection algorithm is brought forward which can find abnormity in the forepart of worm eruption by detection on variable rate of network flux, and then network administrators and emergency response teams can gain more time to take measures before worm blocks the network. This algorithm is evaluatedby DARPA98 intrusion detection evaluation system and has applied to real flux data of worm (Blaster、Nachi、slammer) eruption.

Jinhuan Hou,Fuqiang Ding

DOI: https://doi.org/10.1155/2022/8587906

2022-01-25

Scientific Programming

Abstract:This study analyzes and designs a network security management system based on the K-means algorithm. Through the investigation of network security managers, this article uses structured modeling technology to derive the system’s logical business functions, which are data acquisition function, data analysis function, and post-processing function. This study uses a three-tier architecture to design the system, describes the system data business processing flow, and gives the key flow of the K-means algorithm application. In addition, the system database is designed to provide support for system data processing. This study proposes a dual-network text matching model based on local interactive components. This model composes two modalities of single-modal short text data: a positional structural modal for describing local interactions and a global semantic understanding modal for extracting global semantic information. Two heterogeneous networks are used to extract two modalities. The principle of complementarity of modalities is realized by constructing the differences of each modal. At the same time, through the attention mechanism, the position information of the position structure modal is transferred to the global semantic understanding modal to obtain consistent comprehensive information so as to realize the principle of modal consistency. On this basis, by designing low-order interaction functions and high-order interaction functions, and using long- and short-term memory networks, we have, respectively, improved the position structure modal and global semantic understanding modal. The theoretical analysis and simulation results of the model show that the propagation characteristics of the network worm are completely determined by the threshold R0 required for its existence. When R0 >1, the network worm will become popular even with a small initial infection number; conversely, even if the initial infection machine is large, the network worm will eventually become extinct. The research results of this article also show that the introduction of mobile devices has an important impact on the defense technology of network worms. To curb network worms that use both the network and mobile devices to spread, and to increase the proportion of machines that have never been infected with the virus, the most effective method is to control the number of mobile devices and reduce the possibility of cross-infection between mobile devices and machines. The simulation results show that, regardless of whether dynamic isolation and antivirus software are considered, the local area network-based choke method given in this study can effectively curb intelligent network worms that have slow scanning rates and clear scanning targets. In addition, the choke method presented in this article can determine the choke threshold without affecting the normal network scanning behavior of users in the local area network.

computer science, software engineering

Xiang Zhengtao,Chen Li,Dong Yabo

DOI: https://doi.org/10.3969/j.issn.1008-5483.2008.01.007

2008-01-01

Abstract:Based on the analysis of worm propagating mechanism and the framework of Bro—an intrusion detection system,the Bro-based worm detection system is designed and implemented.The failure frequency of FCC(First Contact Connections) and heavy-tailed property based worm detection algorithm is used as the kernel of the detection system.The detecting system extends the policy script interpreter of Bro,which sends the detecting results to the share memory based on the implementation of the policy script of the detecting algorithm.The results in the share memory are then sent to the monitor based on the SNMP,which is convenient for real-time monitoring the network worms.The worm detection system can detect network worm hosts quickly and accurately.

Cai Ming,Sun Lechang,Li Yongxiang

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.01.091

2008-01-01

Abstract:The vaccine technology is a hot issue for anti-internet worm problem.Based on the analysis of vaccine technologies in existence,an intelligent vaccine for multi-internet worm is given.Firstly,the intelligent vaccine is classified in detail.Then,its basic architecture,communication mode,and its process of intelligent transformation are expounded.At last,the application of intelligent vaccine is introduced.