Yufeng Chen,Yabo Dong,Dongming Lu,Yunhe Pan,Honglan Lao

DOI: https://doi.org/10.1007/11760146_60

2006-01-01

Abstract:Worm research depends on simulation to a large degree due to worm propagation characters. In worm simulation, worm traffic generation is the base to analyze influences of worm traffic on network. The popular Random Constant Spread (RCS) model ignores the burstiness of “latency-limited” worm traffic, which will cause underestimation of the influences. According to worm scan behaviors, the Periodic Burst Scanning (PBS) model is proposed to model “latency-limited” worm traffic. Simulation results show that network performance decreases much more with PBS model than that with RCS model.

Zhiyu Hao,Xiaochun Yun,Jinqiao Shi,Hongli Zhang

DOI: https://doi.org/10.1142/9789812799524_0111

2008-01-01

Abstract:Internet worms are one of the greatest threats to the Internet. Simulation is an efficient method to study the behavior of Internet worm propagation. All the current worm simulators can not provide the dynamic changing of topology and the dynamic routing mechanism, which badly compromises the fidelity of the Internet worm simulation. This paper presents a high-fidelity packet-level Internet worm simulator, called CCDRWS (Congestion Control and Dynamic Routing based Worm Simulator). CCDRWS includes accurate congestion control and dynamic routing models, thus greatly improves simulation fidelity. Experimental results show the correctness of CCDRWS, and also the effects of the congestion control and dynamic routing models on the behaviors of worm propagation.

曲晶莹,余翔湛,徐锐

DOI: https://doi.org/10.3969/j.issn.1008-0570.2009.03.013

2009-01-01

Abstract:In current worm simulation, network simulators will drop the scanning packets sent to invalid IP addresses,which will underestimate the traffic brought by worm. This paper focuses on that problem, introduces a modified routing strategy for worm simulation and implements the idea in the network simulator GTNetS. In order to quantitatively compare the differences between original routing strategy and the modified one, an ideal model is presented and several experiments have been made. Simulation results show that worm traffic is more accurately reflected after routing strategy has been modified.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

Hui He,MingZeng Hu,Hongli Zhang

2005-01-01

Abstract:In recent years, large-scale Internet worms that break out frequently have become a great threat to the Internet security, and result in tremendous economic destruction. Because of the sudden breakout and serious disruption, it is difficult to do research and experiments in real-world networks. In the paper, model and simulation methods are utilized to study the worms. An enhancement of worms SIR propagation model is proposed, that discusses the outer factors, which lie in the network environment including network performance, congestion, human countermeasures and the distribution of network hosts. After theory analysis of this enhanced model, a simulated testbed of Internet worms propagation has been constructed to prove its effectiveness.

Jie DENG,Hai-Xin DUAN

2008-01-01

Abstract:Epidemic model is a general way of modeling worms,but it can not be satisfied on its poor fidelity,especially in the inability of modeling variety of network scenarios,such as rich network topologies and background traffic.The mixed abstraction level simulation is superior to epidemic model on the packet-level modeling of concerned network.However,it is still incapable of modeling worm traffic and the interaction between worms and background traffic.In this research,we design an approach of fine-granular modeling and simulation of worm propagation using SSFNet with higher fidelity than the two methods before,and carry it into execution.This model can not only model worm behaviors in propagation on the packet-level effectively,but also reflect the variance of background traffic and analyze the spread of worm under realistic environment which involves topologic layout,packet loss of routers,and variant scan strategies.

Ping Wang,Binxing Fang,Xiaochun Yun

DOI: https://doi.org/10.1007/11689522_6

2006-01-01

Abstract:Several worm propagation models have been proposed to describe the behavior of worms in order to find the weak link in the worm propagation for the purpose of further treatment measures. In this paper, we investigate the relation between worm spread and the scale of network. The partition-based model of worm propagation is developed, in which we focus on two key factors: the subnet number of the network to be partitioned into and the time to perform partition. Using a combination of analytic modeling and simulations, we describe how each of these two factors impacts the dynamics of worm epidemic. Based on our simulation experiment results, we propose the network partitioning approach to deescalate network scale and thus restrict the worm propagation in large scale networks.

Zhi-guang Qin,Chao-sheng Feng,Feng-li Zhang,Laurence CuthbeRt

DOI: https://doi.org/10.1109/icycs.2008.237

2012-01-01

Abstract:P2P worms pose heavy threatens to P2P networks. P2P worms exploit common vulnerabilities in member hosts of a P2P network and spread topologically in the P2P network, a potentially more effective strategy than random scanning for locating victims. Considering that the topology of P2P networks has important effect on P2P active worm spreading, it is very difficult to model propagation of P2P active worms. For this reason, so far few propagation models are proposed. In this paper, we propose a propagation model of active worms in P2P networks based the discrete-time method. The analysis on simulation results shows that there exists some threshold value during spreading of active worms and different infection strategies result in different infection results in P2P networks.

Yang Liu,Bai-ling Wang,Bin Li,Kai-kun Dong

DOI: https://doi.org/10.1109/paciia.2009.5406365

2009-01-01

Abstract:The traditional network simulator don't have the ability of simulation for the process of large-scale network security incidents outbreak, we designed a grid-based Internet worm behavior simulator which is consisted of foreground applications and background analog subsystems in parallel. It makes the most of the benefit of the grid computing capability, resource and task management. The experimental result shows that the grid based Internet worm behavior simulator provides a very effective analysis of data for the early detection of unknown worms' research and that is the effective means to solve large-scale worm behavioral analysis, study the unknown detection methods, and assess the situation and a variety of worm containment strategies.

WU Guo-zheng,QIN Zhi-guang

DOI: https://doi.org/10.3969/j.issn.1000-436x.2011.08.016

2011-01-01

Journal of Communications

Abstract:P2P worm has its own features and existing simulation approaches can not be used to it directly.In order to simulate large-scale P2P worm,a virtual-node based simulation approach and a double-engine based simulation architec-ture were proposed.In the virtual-node based P2P simulation solution,the data and the operation of worm nodes were separated to save computational power and storage.Therefore,large-scale P2P worms were simulated with available lim-ited physical resources in single or multiple simulating computers.In double-engine P2P simulation architecture,two en-gines,local engine and network engine,were used in simulation system.The local engine was responsible for local mes-sage processing and the network engine focused on message passing in communication network.Combined with these two engines,packet level P2P worm simulation was provided by the simulation system to enhance the fidelity and scal-ability.Experimental results showed that the novel simulation solution was practical to simulate large-scale P2P worms with high fidelity.

Ting LIU,Qing-Hua ZHENG,Xiao-Hong GUAN,Xin-Qi CHEN,Zhong-Min CAI

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.08.011

2006-01-01

Chinese Journal of Computers

Abstract:It is a common belief that IPv6 could defend against random-scanning worms due to its huge address space. However, a new type of worm, V6-Worm, possibly propagating in IPv6 network rapidly, is presented in this paper. Based on the analysis of the scanning strategy of V6-Worm , two models—? CSimple Epidemic Model (SEM) and Two-Factor Model (TFM) are established for simulating the propagation of V6-Worm. The simulation results of SEM show that V6-Worm can propagate more rapidly in the IPv6 network than the random-scanning worm in the current IPv4 network. Furthermore the simulation results of TFM show that V6-Worm can counter the worm defense strategies better than the random-scanning worms. The results also indicate that the percentage of vulnerable hosts is the key factor affecting V6-Worm's propagating capability. Some defense strategies are discussed focusing on preventing address leakage and reducing the percentage of vulnerable hosts.

Xin-yan ZHUANG,Yang LIU,Gai-fang DONG

2014-01-01

Abstract:The traditional network simulator has function limitation and performance limitation when simulating Internet worm,so we designed the grid based Internet worm behavior simulator(GBIWBS).IWBS Grid makes use of the real Internet topology information,link information and routing information,and simulates the worm behavior at the packet event- driven level;proposes a high- performance Internet worm behavior simulation platform by right of the grid computing capability,resource and task management,and etc.The experimental result shows that GBIWBS grid surpasses the traditional simulator in simulating capability,and the technology to track the worm propagation in packet level can propose the valuable infonnation for the further study on worm.In the mean while,it can promote further study and development on computing grid technology.

Hua Li,Zheng Qin,Xiaohui Pan,Xiaosong Zhang

DOI: https://doi.org/10.1109/MINES.2009.109

2009-01-01

Abstract:Nowadays, P2P network has been used by millions of internet subscribers because of its convenience in sharing and exchanging files. But non-scanning active worms which propagation by making use of the topology of the P2P network make P2P network facing heavy threaten. This kind of worms can propagate much faster than non-P2P worms since they needn't waste time for randomly searching for attack targets and can cause much more harm to network. So in this paper we study the propagation of this kind of worms in unstructured P2P network, propose a new non-scanning active worm propagation model and describe the impact of the related parameters, such as the size of the P2P network, the size of the hit list etc, on the propagation speed of the non-scanning active worm. We believe our model can be a guideline in the defense and control of non-scanning active worm propagation in unstructured P2P network to some extent

feng chaoshengl,Zhiguang Qin,Yuan Ding,Liu Xia,Jianjun Wang

DOI: https://doi.org/10.1109/ICCCAS.2010.5582004

2010-01-01

Abstract:Passive worms pose threats to mobile P2P(peer-to-peer) networks. To predict the tendency of propagation of mobile P2P passive worms and analyze their behaviors, it is necessary to model mobile P2P passive worm propagation. In this paper, the protocols of mobile P2P networks and the features of passive worm propagation are studied. On the basis, the mathematical model of passive worm propagation is proposed in applying Epidemiology. For the purpose of examining the effect of the mobile P2P-related parameters on worm propagation, simulation experiments are carried out. T he results of these experiments show that different parameters have different effect on passive worm propagation, among which the average downloading rate and the average recovery rate of fixed peers have the strongest effect on passive worm propagation among mobile peers. © 2010 IEEE.

WU Bin,YANG Shou-bao,ZHAO Ye-hong,WANG Shao-lin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.09.002

2007-01-01

Abstract:This paper proposes a universal worm propagating model based on the mechanism of dynamic quarantine.The model defines the dubious state when worm stays in the phase of quarantine and depicts the process of dynamic quarantine explicitly.It also depicts packet loss caused by congestion of some routers and the mankind's initiative in the course of antagonizing the worm,by utilizing dynamic infecting rate and together with dynamic removing and auto-immunized rate. The analysis shows that the system based on the mechanism of dynamic quarantine can slow down a worm's propagation, reduce the number of infected hosts and delay the time when the worms burst out to the peak value.

GuoZheng Wu,Chaosheng Feng,Zhiguang Qin

DOI: https://doi.org/10.3772/j.issn.1006-6748.2012.04.012

2012-01-01

Abstract:This paper analyzes the characteristics of the Peer-to-Peer (P2P) active worm and its attacking mechanism, and then proposes a mathematical model of propagation of the P2P active worm applying Epidemiology. Based on the analysis on the protocols of realistic P2P systems, a software which can be used to simulate the P2P network environment and the propagation of P2P active worm is implemented in this paper. A large number of simulation experiments are performed using the developed simulation software. The results from these simulation experiments validate the proposed model, which means that the model can be used to analyze the spreading behaviors of the P2P active worm and predict its trend. Copyright © by HIGH TECHNOLOGY LETTERS PRESS.

Xiao-song Zhang,Ting Chen,Jiong Zheng,Hua Li

DOI: https://doi.org/10.1631/jzus.c0910488

2010-01-01

Journal of Zhejiang University SCIENCE C

Abstract:It is universally acknowledged by network security experts that proactive peer-to-peer (P2P) worms may soon engender serious threats to the Internet infrastructures. These latent threats stimulate activities of modeling and analysis of the proactive P2P worm propagation. Based on the classical two-factor model, in this paper, we propose a novel proactive worm propagation model in unstructured P2P networks (called the four-factor model) by considering four factors: (1) network topology, (2) countermeasures taken by Internet service providers (ISPs) and users, (3) configuration diversity of nodes in the P2P network, and (4) attack and defense strategies. Simulations and experiments show that proactive P2P worms can be slowed down by two ways: improvement of the configuration diversity of the P2P network and using powerful rules to reinforce the most connected nodes from being compromised. The four-factor model provides a better description and prediction of the proactive P2P worm propagation.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

劳伦斯·库珀特,罗瑞莎·托卡库克

DOI: https://doi.org/10.3969/j.issn.1001-0548.2009.02.25

2010-01-01

Journal of Computer Research and Development

Abstract:Worms have posed a serious threat to Internet. Meanwhile, worms have posed a more serious threat to P2P networks based on Internet. The key properties of P2P networks, which bring facilities to users, result in vulnerabilities to attacks from P2P worms. Considering that models of the other two P2P worms of three classes of P2P worms,namely passive worms and active worms, have been proposed and reactive worms have seriously threatened P2P networks, the models of propagation and immunization of P2P reactive worms are proposed. Furthermore, the condition of worm free in the stead state is deduced from the model of propagation of reactive worms. In order to validate the epidemic model proposed and the condition of worms free in the steady state, large scale simulation experiments are carried out with the software Matlab. All the simulations validate the model and the necessary conditions. In addition, all the simulations show that it is the prevalent index that is in charge of whether worms are prevalent and the degree of worm spread if it will be prevalent. Obviously, the prevalent index is very helpful to find worm-throttling strategies. Analysis of the P2P-related parameters, which determine the value of the prevalent index, shows that decreasing the download rate is the most effective method of throttling worm spread before the corresponding patches are released.