Chen Bo,Bin-Xing Fang,Jun Zheng,Xiao-Chun Yun

2006-01-01

Abstract:Worm attacks represent a major security problem. It is clear that a simple self-propagation worm can quickly spread on Internet. And every worm incident can cause severe damage to our society. The main task of defense mechanism is to quickly detect worm attacks and response to constrain their propagation. We propose a distributed mechanism which is composed of two parts: a Date Processing Centre and distributed sensors for defending against worm attacks. These distributed sensors monitor the network and detect worm. Once a worm attack is detected, a dropping packet mechanism is used so that (1) the worm propagation is constrained, and (2) number of interference with normal activity is minimize. We report experimental results to prove the robustness and efficiency of the proposed defense mechanism.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

Chen Bo,Yu Xiangzhan,Fang Binxing,Yun Xiaochun

DOI: https://doi.org/10.1007/s11460-007-0087-7

2007-01-01

Frontiers of Electrical and Electronic Engineering in China

Abstract:There appear many Internet-scale worm incidents in recent years, which have caused severe damage to the society. It is clear that a simple self-propagation worm can quickly spread across the Internet. Therefore, it is necessary to implement automatic mitigation which can detect worm and drop its packet. In this paper, the worm’s framework was first analyzed and its two characteristics were detected. Based on the two characteristics, a defending algorithm was presented to protect network. Experimental results verify that our algorithm is very effective to constrain the worm propagation and meanwhile it almost does not interfere in normal activity.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Ye Guo,Miaoliang Zhu

DOI: https://doi.org/10.1109/IMSCCS.2006.178

2006-01-01

Abstract:Considering the shortcomings of the current worm Defense system, an agent-oriented worm Defense system, AOSWD, is proposed in this paper. In the hierarchical framework of AOSWD, the agents are independent but can roam in the network freely and collaborate with each other to defend against Internet worms. In this paper, we discuss the system architecture and the realization details, propose the key technique for the system and analyze the system performance.

GUO Ye,ZHU Miao-liang

2006-01-01

Journal of Computer Applications

Abstract:Current situation of the traditional security defense system was briefly introduced. Considering the shortcomings of the current worm defense system and advantages of Agents, an Agent-oriented worm defense system named AOSWD was proposed, which can defend against Internet worms quickly and effectively.The architecture and the key technology of the system were discussed. Experimental results prove the effectiveness of AOSWD.

Chen Bo,Bin Xing Fang,Xiao Chun Yun

DOI: https://doi.org/10.1007/11760146_16

2006-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new algorithm for detecting worms. Our algorithm first monitors the computers on network and gets the number of abnormal computers. Then based on the monitoring result, we detect an unknown worm by using recursive least squares estimation. The experiments result proves that our approach is effective to detect unknown worm.

ZHENG Hui,DUAN Haixin

2004-01-01

Abstract:Most of researches focus on modeling and detection of the Internet worm propagation, but in practice, the final objects are containment and elimination of Internet worm, which have not received enough research effects. In this paper, three categories of active technologies to contain Internet worm were introduced: vaccination for containing susceptible machines, forcing shutdown for containing infected machines, and bidirectional leading for containing worm spreading traffic. These technologies can be adopted to construct one or more automated Internet worm defense systems in any phase of Internet worm defense: prevention, detection, containment and elimination. Our experiment in large scale network shows that when combined with those active technologies, automated Internet worm defense systems are more effective to contain the Internet worm and to shorten the defense time.

Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

C Bo,BX Fang,XC Yun

DOI: https://doi.org/10.1109/icmlc.2005.1527351

2005-01-01

Abstract:In recent years, Internet-scale worm incidents occurred many times. People wonder at the speediness of the worm spread and the severe damage to the Internet. So people began to find methods to detect worms as quickly as possible. The paper first describes a worm behavior and propagation model. And then based on it, a new approach for early detection of Internet worms is proposed. This approach determines whether a worm incident has occurred by the change of the computers' connection degree. The approach is proved to be effective on early detection of unknown worms by experiments.

Qin-ying Lin,De-qin Shi,Lei Huang,Xiao-lin Gui,Ya-nan Kou,Xiao-ping Wang

DOI: https://doi.org/10.1109/EMEIT.2011.6023947

2011-01-01

Abstract:Worm defense is an important security problem that has long aroused people's attention. With an eye to improve intranet security, an intelligent maintenance tree-based worm defense strategy is put forward by analyzing intranet worm propagation characteristics. Mobile agent-based down automatic maintenance line and detection-based up alarm line constitute an intranet active defense circuit and the mathematical model of intranet worm propagation is constructed based on the strategy. The functions of worm defense strategies of intelligent maintenance tree-based worm propagation model and traditional dual-factor model are analyzed through simulation. Experiment shows that the proposed strategy plays an important part in intranet worm protection and intelligent management of the maintenance net is achieved. © 2011 IEEE.

pingping lin,xiaosong zhang

DOI: https://doi.org/10.1142/9789812799524_0074

2008-01-01

Abstract:Give a simple but practical scheme for detecting and defending against Distributed Denial of Service (DDoS), especially for Highly Distributed Denial of Service (HDDoS) attacks by monitoring the increase of new IP addresses. Unlike previous proposals, this proposal includes three modules: detecting, filtering, and illegal-packets analyzing. To improve the detection accuracy, we also proposed a simple but robust algorithm: sliding window algorithm. In the filtering module, a filter performs its tasks only during attacks. While the attack-packets-analyzing module uses a trap to analyze attack packets, perfects the defense system. Simulation results demonstrate the effectiveness of the proposed scheme under varieties of DDoS attack scenarios.

Shi-jie ZHOU,Zhi-guang QIN,Le-yuan LIU,Yi-yi DENG

DOI: https://doi.org/10.3969/j.issn.1002-137X.2011.03.012

2011-01-01

Computer Science

Abstract:P2P worms employ the distinctive features of P2P network,such as the local routing table,application routing mechanism and so on,to quickly distribute them into the network while holding the covert characteristic.Contrarily,the common internet worms generally rely on detecting the victims' IP address to spread.Therefore,the lack of hidden feature and feasible promulgating paths make that it is easier to detect and defense the ordinary internet worms than P2P worms.Consequently,the P2P worm can do more damage to the network if lacking the effective defensive scheme.In this paper,the P2P worm,especially its transmission mechanism was analyzed synthetically.Then,an anti-worm based scheme for the defensive of P2P worm was presented.The principle and functional modules of this new scheme were addressed as well.By using the Peersim P2P simulator,the performance of our novel scheme was evaluated experimentally in various system parameters.The primary experimental results indicated that our anti-worm based defensive scheme for P2P worm has the features of fast convergence,low overload of networking resource(including communication traffic and computing power),and high adaptability.

Hui Zheng,Haixin Duan

2005-01-01

Abstract:Most of researches focus on modeling and detection of the Internet worm propagation, but in practice, the final objects are containment and elimination of Internet worm, which have not received enough research effects. In this paper, three categories of active technologies to contain Internet worm were introduced: vaccination for containing susceptible machines, forcing shutdown for containing infected machines, and bidirectional leading for containing worm spreading traffic. These technologies can be adopted to construct one or more automated Internet worm defense systems in any phase of Internet worm defense: prevention, detection, containment and elimination. Our experiment in large scale network shows that when combined with those active technologies, automated Internet worm defense systems are more effective to contain the Internet worm and to shorten the defense time.

ZHAO Ye-hong,YANG Shou-bao,WANG Shao-lin,DONG Kuo

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.34.030

2006-01-01

Abstract:The traditional approach keeping track of TCP SYN packets needs massive probe's memory and computation resources.An Internet-worm early detecting system based on ISP distributed is proposed in this paper,which relies on TCP RESET packet detecting to find the scan sources.Compared to existing methods,our approach has the merits of detecting the suspicious Internet worms,defending the forge attack,and reducing 59.4% and 28.9% overhead in normal and in simulation worm scanning respectively.

BaiLing Wang,BinXing Fang,XiaoChun Yun

DOI: https://doi.org/10.1007/11590354_9

2005-01-01

Abstract:A new detection approach based on worm behaviors for IDS anti-worm is presented. By the method, the susceptible hosts probed by worms can be detected, and then an immediate counter-attack to the susceptible host can be proposed. As a case study, a simulation on the IDS-based anti-worm counter-attacking the malicious worm is given, which shows the new containment is much more effective and bring less traffic to network than the traditional one. It can be used as a reference for Grid security infrastructure.

Yi Xin,Qingpu Zhang,Qinghai Yang,Dailiang Jin

DOI: https://doi.org/10.3772/j.issn.1002-0470.2012.06.009

2012-01-01

Abstract:According to the views that traditional countermeasure technologies are not sufficient to deal with the worm threat, and to defeat worms in an effective and timely manner, an effective worm countermeasure system must be established, this study presented an active worm countermeasure approach based on worm detection, which detects infectious hosts and scans susceptible hosts through the active worm countermeasure system based on detection (AWCSD), a worm detection system in the gateway of a network. The countermeasure system will clean the worms and patch the vulnerabilities in networks. The mathematic model of AWCSD was proposed based on the two-factor model, and then, the worm epidemic situation curves were depicted with different parameters.

Xiaojun Tong,Zhangquan Zhao,Huimin Shuai,Zhu Wang

DOI: https://doi.org/10.1109/DCABES.2010.51

2010-01-01

Abstract:At present there are some worm intrusion detection systems, primarily for a single LAN or with hardware router environment, which are not applicable for large-scale network detection or have high false alarm rate by using only worm propagation characteristics for detection. This paper analyzed worm non-linear propagation models and drew out the worm transmission curves. Then a distributed worm detection technology is designed. The novel distributed worm detection system consists of two parts, client end and console end programs. The system uses rule-based detection method to monitor network worms, and the console side manages and coordinates detection work of the client sides. Experimental results show that the technology is a good solution to worm detection in multiple network environments which can give an alarm with high detection rate and low false alarm rate when the known worm appears. © 2010 IEEE.

P Wang,BX Fang,XC Yun

DOI: https://doi.org/10.1109/pdcat.2005.25

2005-01-01

Abstract:Worms have seriously harmed computer and network systems due to their rapid spread rate. Therefore, it is necessary to research automatic worm detection systems in large networks. In this paper, data stream based anomaly detection is used to screen out anomalous network data flow, subsequently, the signature is extracted. After analyzed, the signature is updated to the misuse detection pattern. Based on an automatic worm defense, a system could discover an epidemic situation effectively and detect an unknown worm.