Xin-yan ZHUANG,Yang LIU,Gai-fang DONG

2014-01-01

Abstract:The traditional network simulator has function limitation and performance limitation when simulating Internet worm,so we designed the grid based Internet worm behavior simulator(GBIWBS).IWBS Grid makes use of the real Internet topology information,link information and routing information,and simulates the worm behavior at the packet event- driven level;proposes a high- performance Internet worm behavior simulation platform by right of the grid computing capability,resource and task management,and etc.The experimental result shows that GBIWBS grid surpasses the traditional simulator in simulating capability,and the technology to track the worm propagation in packet level can propose the valuable infonnation for the further study on worm.In the mean while,it can promote further study and development on computing grid technology.

刘扬,王佰玲,董开坤,苑新玲,张慈,饶明

2011-01-01

Abstract:The traditional network simulator has function and performance limitation when simulating Internet worms,so we designed the grid-based Internet worm behavior simulator （IWBS Grid）.IWBS Grid makes use of the real Internet topology,link and routing information,and simulates the worm behavior at the packet event-driven level;and proposes a high-performance Internet worms behavior simulation platform by right of the grid computing capability,resource and task management,and so on.The experimental results show that IWBS grid surpasses the traditional simulator in simulating capability,and the technology to track the worm propagation in packet level can propose the valuable information for the further study on worms.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Yufeng Chen,Yabo Dong,Dongming Lu,Yunhe Pan,Honglan Lao

DOI: https://doi.org/10.1007/11760146_60

2006-01-01

Abstract:Worm research depends on simulation to a large degree due to worm propagation characters. In worm simulation, worm traffic generation is the base to analyze influences of worm traffic on network. The popular Random Constant Spread (RCS) model ignores the burstiness of “latency-limited” worm traffic, which will cause underestimation of the influences. According to worm scan behaviors, the Periodic Burst Scanning (PBS) model is proposed to model “latency-limited” worm traffic. Simulation results show that network performance decreases much more with PBS model than that with RCS model.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

Yu Lin Wang,Jin Heng Wang

DOI: https://doi.org/10.4028/www.scientific.net/amr.1030-1032.1792

2014-01-01

Advanced Materials Research

Abstract:With the development of Internet virtual network , In the network environment , a variety of pathways and complex application environments enables network worms increased frequency of occurrence. Firstly, the paper summarizes the general research situation of Internet worms, and then expounds the basic definition and the working principle of network worms, finally carries on the simulation of the network worm using UDP protocol. Finally, making a modeling and simulation for using UDP transport protocol network worm. This research provides important support for worm-related research and It’s important for maintaining network security

Zhiyu Hao,Xiaochun Yun,Jinqiao Shi,Hongli Zhang

DOI: https://doi.org/10.1142/9789812799524_0111

2008-01-01

Abstract:Internet worms are one of the greatest threats to the Internet. Simulation is an efficient method to study the behavior of Internet worm propagation. All the current worm simulators can not provide the dynamic changing of topology and the dynamic routing mechanism, which badly compromises the fidelity of the Internet worm simulation. This paper presents a high-fidelity packet-level Internet worm simulator, called CCDRWS (Congestion Control and Dynamic Routing based Worm Simulator). CCDRWS includes accurate congestion control and dynamic routing models, thus greatly improves simulation fidelity. Experimental results show the correctness of CCDRWS, and also the effects of the congestion control and dynamic routing models on the behaviors of worm propagation.

WU Guo-zheng,QIN Zhi-guang

DOI: https://doi.org/10.3969/j.issn.1000-436x.2011.08.016

2011-01-01

Journal of Communications

Abstract:P2P worm has its own features and existing simulation approaches can not be used to it directly.In order to simulate large-scale P2P worm,a virtual-node based simulation approach and a double-engine based simulation architec-ture were proposed.In the virtual-node based P2P simulation solution,the data and the operation of worm nodes were separated to save computational power and storage.Therefore,large-scale P2P worms were simulated with available lim-ited physical resources in single or multiple simulating computers.In double-engine P2P simulation architecture,two en-gines,local engine and network engine,were used in simulation system.The local engine was responsible for local mes-sage processing and the network engine focused on message passing in communication network.Combined with these two engines,packet level P2P worm simulation was provided by the simulation system to enhance the fidelity and scal-ability.Experimental results showed that the novel simulation solution was practical to simulate large-scale P2P worms with high fidelity.

Yang Xiang,Qiang Li

2007-01-01

Abstract:Breaking out of network worms brings a tremendous damage to the Internet. Launch the worm defense and response can improve network anti-strike capability. Tracing worm propagation path after its outbreak can reconstruct not only the earliest infected nodes but also the timing order of victims been infected. For the detection and defense of large scale Internet worm outbreaks, a convenient and safety experimental environment that capable of running real worm become an important work to observe large scale worm infection, intrusion and propagation, it can be a large scale worm testbed for forensic evidence. This paper presents a large-scale worm propagation experiments environment for tracing algorithm, which is an isolation environment that can run related experiments. To conform as much as really to the actual network, the experimental environment use virtual machine technology, simulate a large number of hosts and network equipments attend. According to the actual worm, this environment can trigger large-scale worm outbreaks within the controllable scope of human, observe propagation process of the worm, experiment detection and defense techniques, discover worm propagation characteristic such as scanning method and propagation process, real-time collect network traffic and propagation process, investigate network traffic, launch speculate algorithm for reconstructing out patient zero and propagation path of the worm. Then actual worm propagation process can be captured and compared with the results using tracing algorithm.

Zhang Ran,Li Yan

2009-01-01

Abstract:How to analyze and depict the propagation characteristic of network worms is the basis of researching on worm defense. In this paper, network worms were researched on and the propagation behavior of network worms based on simple epidemic model in the self-defined campus network was simulated by SSFNet, which is an open source network simulation tool. Then the propagation speed of several network worms based on different scanning strategies was analyzed and compared. The simulation results show that the worm scanning strategies impact the network worm propagation speed tremendously.

Wei Shi,Qiang Li,Jian Kang

2008-01-01

Abstract:Network worms have been a serious security threat on the Internet. Tracing worm propagation path can identify the overall structure of a worm attack's propagation. To detect and defense large scale Internet worms, setting up a convenient and safe experimental environment that capable of running and observing real world worm become an important work, it can be a large scale worm test bed for forensic evidence. We provide a systemic analysis of large-scale worm propagation tracing experiment strategy which is based on virtual machine technology by setting up an experimental environment called zooecium (ZE). First, the framework of ZE is addressed. Then, the design and control of ZE is given. Finally, ZE is analyzed with experiments. Experimental results show that ZE can trigger large-scale worm outbreaks within the controllable scope of human, observe propagation process of the worm, experiment detection and defense techniques, discover worm propagation characteristic such as scanning method and propagation process, real-time collect network traffic and propagation process, investigate network traffic, dynamically throw out the result launch speculate algorithm for reconstructing out propagation path of the worm. Then actual worm propagation process can be captured and compared with the results using tracing algorithm.

Ping Ren,Wu Liu,Ke Liu,Donghong Sun

DOI: https://doi.org/10.1109/IWCDM.2011.36

2011-01-01

Abstract:As the flooding of malicious codes such as worms, how to analyze large number of malicious samples quickly and effectively becomes a great issue for researchers in network security. This paper proposed an analysis algorithm for worm network behavior based on event sequence, which uses the data flow recombination and compression methods to process the pure malicious data. With this algorithm, one can quickly extract the network behavior profile and the signature of the worm. The application of this algorithm will greatly improve the efficiency of analyzing the worm network behavior, which will be significant for the deployment of firewalls and network invasion detection systems.

Yunkai Zhang,Fangwei Wang,Changguang Wang,Jianfeng Ma

DOI: https://doi.org/10.1007/11596981_70

2005-01-01

Abstract:In recent years, network worms that had a dramatic increase in the frequency and virulence of such outbreaks have become one of the major threats to the security of the Internet. This paper provides a worm propagation model based on the SEIR deterministic model. The model adopts the birth rate and death rate so that it can provide a more realistic portrait of the worm propagation. In the process of defending worm, dynamic quarantine strategy, dynamic infecting rate and removing rate are adopted. The analysis shows that the worm propagation speed can be efficiently reduced to give people more precious time to defend it. So the negative influence of the worm can be reduced. The simulation results verify the effectiveness of the model.

Hui He,MingZeng Hu,Hongli Zhang

2005-01-01

Abstract:In recent years, large-scale Internet worms that break out frequently have become a great threat to the Internet security, and result in tremendous economic destruction. Because of the sudden breakout and serious disruption, it is difficult to do research and experiments in real-world networks. In the paper, model and simulation methods are utilized to study the worms. An enhancement of worms SIR propagation model is proposed, that discusses the outer factors, which lie in the network environment including network performance, congestion, human countermeasures and the distribution of network hosts. After theory analysis of this enhanced model, a simulated testbed of Internet worms propagation has been constructed to prove its effectiveness.

HUANG Hua

DOI: https://doi.org/10.3969/j.issn.1674-4896.2010.03.017

2010-01-01

Abstract:At present the network worm has posed serious threat to the network security.In order to study worm's proliferation,the examination and the control effectively,grasp the behavior process of worm on the Internet,a simulation system has been designed to realize an objective quota description of the worm dissemination through this system.

Jie DENG,Hai-Xin DUAN

2008-01-01

Abstract:Epidemic model is a general way of modeling worms,but it can not be satisfied on its poor fidelity,especially in the inability of modeling variety of network scenarios,such as rich network topologies and background traffic.The mixed abstraction level simulation is superior to epidemic model on the packet-level modeling of concerned network.However,it is still incapable of modeling worm traffic and the interaction between worms and background traffic.In this research,we design an approach of fine-granular modeling and simulation of worm propagation using SSFNet with higher fidelity than the two methods before,and carry it into execution.This model can not only model worm behaviors in propagation on the packet-level effectively,but also reflect the variance of background traffic and analyze the spread of worm under realistic environment which involves topologic layout,packet loss of routers,and variant scan strategies.

曲晶莹,余翔湛,徐锐

DOI: https://doi.org/10.3969/j.issn.1008-0570.2009.03.013

2009-01-01

Abstract:In current worm simulation, network simulators will drop the scanning packets sent to invalid IP addresses,which will underestimate the traffic brought by worm. This paper focuses on that problem, introduces a modified routing strategy for worm simulation and implements the idea in the network simulator GTNetS. In order to quantitatively compare the differences between original routing strategy and the modified one, an ideal model is presented and several experiments have been made. Simulation results show that worm traffic is more accurately reflected after routing strategy has been modified.

Yi Xin,Bin-Xing Fang,Xiao-Chun Yun,Hai-Yong Chen

DOI: https://doi.org/10.1109/PDCAT.2005.255

2005-01-01

Abstract:Nowadays, worms have been one of the leading threats to information security and service availability. Current operational practices have not been able to manage the threat effectively. So it is very important to make early warning of the burst of worm in large scale network. In this paper we analyze the real network traffic in large scale network. Based on long time statistic, we construct a network traffic model which concern two parameters: the traffic volume and curve of traffic function. And then we propose a method to computer the function curve of normal traffic function in ideal condition. We deployed them in our campus network (more than 20000 computers, 400M/s bandwidth to internet).It is shown that the worms are detected automatically and efficiently.

sujun wang,jianping li

DOI: https://doi.org/10.1142/9789812799524_0152

2008-01-01

Abstract:With the wide application of the Internet, worm's threat to security of computer system and security of network increases day by day. Especially under the environment of Internet, the diversified spread ways and the complicated applied environment make the emergence frequency of the network worm increase, the propagation becomes faster, and the coverage rate is wider. In this paper, the definition and research situation of Internet worms, exploration function component and execution mechanism are first presented, then the scanning strategies and propagation model are focus discussed, and finally discuss the development trend of propagation and the future research directions of Internet worm..