Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

Yufeng Chen,Yabo Dong,Dongming Lu,Yunhe Pan,Honglan Lao

DOI: https://doi.org/10.1007/11760146_60

2006-01-01

Abstract:Worm research depends on simulation to a large degree due to worm propagation characters. In worm simulation, worm traffic generation is the base to analyze influences of worm traffic on network. The popular Random Constant Spread (RCS) model ignores the burstiness of “latency-limited” worm traffic, which will cause underestimation of the influences. According to worm scan behaviors, the Periodic Burst Scanning (PBS) model is proposed to model “latency-limited” worm traffic. Simulation results show that network performance decreases much more with PBS model than that with RCS model.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Yufeng Chen,Yabo Dong,Dongming Lu,Yunhe Pan

DOI: https://doi.org/10.1007/11427995_50

2005-01-01

Abstract:Worms have been becoming a serious threat in web age because worms can cause huge loss due to the fast-spread property. To detect worms effectively, it is important to investigate the characteristics of worm traffic at individual source level. We model worm traffic with the multi-fractal process, and compare the multi-fractal property of worm and normal traffics at individual source level. The results show that the worm traffic possesses less multi-fractal property.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

Ping Ren,Wu Liu,Ke Liu,Donghong Sun

DOI: https://doi.org/10.1109/IWCDM.2011.36

2011-01-01

Abstract:As the flooding of malicious codes such as worms, how to analyze large number of malicious samples quickly and effectively becomes a great issue for researchers in network security. This paper proposed an analysis algorithm for worm network behavior based on event sequence, which uses the data flow recombination and compression methods to process the pure malicious data. With this algorithm, one can quickly extract the network behavior profile and the signature of the worm. The application of this algorithm will greatly improve the efficiency of analyzing the worm network behavior, which will be significant for the deployment of firewalls and network invasion detection systems.

Ye Guo,Miaoliang Zhu

DOI: https://doi.org/10.1109/IMSCCS.2006.178

2006-01-01

Abstract:Considering the shortcomings of the current worm Defense system, an agent-oriented worm Defense system, AOSWD, is proposed in this paper. In the hierarchical framework of AOSWD, the agents are independent but can roam in the network freely and collaborate with each other to defend against Internet worms. In this paper, we discuss the system architecture and the realization details, propose the key technique for the system and analyze the system performance.

ZHANG Jia,DUAN Hai-xin,GE Lian-sheng

DOI: https://doi.org/10.3969/j.issn.1671-9352.2007.09.008

2007-01-01

Abstract:As the updating speed of the worm and other malicious codes grows faster and faster,how to analyze large sum of mali-cious sample quickly and effectively becomes an issue of research on internet security.Therefore,an analysis algorithm for worm network behavior based on event sequence was proposed.This algorithm uses the data flow recombination and compression meth-ods to process the pure malicious data.With this procedure,it can get the network behavior profile and the signature of the worm.The application of this algorithm will greatly improve the efficiency of analyzing the worm network behavior,which will be significant for the deployment of firewalls and network invasion detection systems.

Shiyu Ji,Tingting Chen,Sheng Zhong

DOI: https://doi.org/10.1109/tmc.2014.2324572

IF: 6.075

2014-01-01

IEEE Transactions on Mobile Computing

Abstract:Network coding has been shown to be an effective approach to improve the wireless system performance. However, many security issues impede its wide deployment in practice. Besides the well-studied pollution attacks, there is another severe threat, that of wormhole attacks, which undermines the performance gain of network coding. Since the underlying characteristics of network coding systems are distinctly different from traditional wireless networks, the impact of wormhole attacks and countermeasures are generally unknown. In this paper, we quantify wormholes' devastating harmful impact on network coding system performance through experiments. We first propose a centralized algorithm to detect wormholes and show its correctness rigorously. For the distributed wireless network, we propose DAWN, a Distributed detection Algorithm against Wormhole in wireless Network coding systems, by exploring the change of the flow directions of the innovative packets caused by wormholes. We rigorously prove that DAWN guarantees a good lower bound of successful detection rate. We perform analysis on the resistance of DAWN against collusion attacks. We find that the robustness depends on the node density in the network, and prove a necessary condition to achieve collusion-resistance. DAWN does not rely on any location information, global synchronization assumptions or special hardware/middleware. It is only based on the local information that can be obtained from regular network coding protocols, and thus the overhead of our algorithms is tolerable. Extensive experimental results have verified the effectiveness and the efficiency of DAWN.

王勇超,谢永凯,朱之平,林怀忠

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.03.062

2010-01-01

Abstract:This paper raised a method detect the abnormal net-flow based on normal distribution,then estimated the existence of Internet worm in internal network.According to the normal distribution character of the history flow,this method computed the normal behavior trusted zone of data flow in network,judged the inspected flow abnormal flow if it went beyond the trusted zone,and alarmed the threat of Internet worm.Combined with this method,further analyzed how to use two-factor model ana-lysis of the number of Internet worms in network.

Zhengtao Xiang,Yufeng Chen,Yabo Dong,Honglan Lao

DOI: https://doi.org/10.1007/11760146_61

2006-01-01

Abstract:Scanning traffic is the majority of worm traffic. Gaining deep insight into worm traffic can do much help in detecting worm hosts. The distributions of vectors related with First Contact Connections (FCC) of legitimate hosts and worm hosts are analyzed. The vectors are arrival interval, request size, response size, duration and RTT. Distributions of these vectors of worm traffic show abnormalities of the lack of heavy-tailed character, which is hold by that of legitimate traffic. Besides high probability of failed FCC, arrival interval and request size can be used as additional vectors.

ZHANG Xin-Yu,QING Si-Han,LI Qi,LI Da-Zhi,HE Zhao-Hui

DOI: https://doi.org/10.1360/jos180412

2007-01-01

Journal of Software

Abstract:There are several global detection methods, but they do not apply to local net. A new cooperative approach to automatic detection of worms using local nets is presented in this paper, which is called CWDMLN (coordinated worm detection method based on local nets). This algorithm focuses on scanning worm characteristics in local nets and uses different methods to cope with different worm behaviors, including using honeypots to deceive worms. CWDMLN coordinates these methods to give graded alarms to notify worm attacks. The grades reflect reliability of alarms. Experimental results show that this approach is promising for it can quickly find worm intrusion in local nets and extract unknown worm signatures that can be used for IDS (intrusion detection system) or firewall to prevent more worm threats. This method can also contribute to global worm alarming by scaling.

Yifan Wang,Siqi Wang,Guangmo Tong

DOI: https://doi.org/10.48550/arXiv.2209.09984

2022-09-21

Abstract:Wireless sensor networks (WSNs) are composed of spatially distributed sensors and are considered vulnerable to attacks by worms and their variants. Due to the distinct strategies of worms propagation, the dynamic behavior varies depending on the different features of the sensors. Modeling the spread of worms can help us understand the worm attack behaviors and analyze the propagation procedure. In this paper, we design a communication model under various worms. We aim to learn our proposed model to analytically derive the dynamics of competitive worms propagation. We develop a new searching space combined with complex neural network models. Furthermore, the experiment results verified our analysis and demonstrated the performance of our proposed learning algorithms.

Machine Learning,Cryptography and Security

Peijiang Liu,Anwarud Din

DOI: https://doi.org/10.1038/s41598-024-59203-3

IF: 4.6

2024-04-17

Scientific Reports

Abstract:Wireless sensor networks (WSNs) encounter a significant challenge in ensuring network security due to their operational constraints. This challenge stems from the potential infiltration of malware into WSNs, where a single infected node can rapidly propagate worms to neighboring nodes. To address this issue, this research introduces a stochastic model to characterize worm spread in WSNs. Initially, we established that our model possesses a globally positive solution. Subsequently, we determine a threshold value for our stochastic system and derive a set of sufficient conditions that dictate the persistence or extinction of worm spread in WSNs based on the mean behavior. Our study reveals that environmental randomness can impede the spread of malware in WSNs. Moreover, by utilizing various parameter sets, we obtain approximate solutions that showcase these precise findings and validate the effectiveness of the proposed model, which surpasses existing models in mitigating worm transmission in WSNs.

multidisciplinary sciences

王勇超,谢永凯,朱之平,董亚波

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.01.070

2010-01-01

Abstract:This paper presented a method of analyzing the probability of Internet worm infection in internal network.Analyzed the packets through the switch in network by using the active of Internet worm,acquired the amount of abnormal packets,then analyzed the number of abnormal packets to get the abnormal packets rise rate by using AR model.Weighted the abnormal flow and abnormal packets rise rate in internal network,comprehensively estimated them and got the probability of Internet worm infection in internal network.The experiment results show that the method is effective and feasible.

Shi Mingjiang,Li Xiang,Wang Xiaofan

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.11.035

2006-01-01

Abstract:The dynamics of Instant Message(IM) Worm is investigated through numerical simulations,which spreads faster on scale-free networks than on other types of networks.We find that enhancing users' sense of security can only reduce the impact of IM worm,but can not slow down its propagation.Based on the complex network theories,several methods are proposed to slow down and control IM worm,and monitor its outbreak as well.The virus database is introduced to Instant Message software,with which IM software can be immune to the known IM worms.Finally,according to the characteristics of IM worms' propagation and the IM network,we introduce Client-Based and Server-Side-Based monitoring techniques,respectively.

LIU Ting,ZHENG Qin-hua,GUAN Xiao-hong,QU Yu,WANG Na

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.012

2007-01-01

Abstract:The prediction of the worm propagation is the basis of the worm defense.It is becoming more difficult to model the propagation of worms in the early stage of worm-spreading,because the worm strategies are smarter and the Internet structure is more complicated than ever before.In present study,a stochastic simulator was designed to simulate the propagation of worms.From the analysis of 1000 groups of experiment results,it was proved that the worm-propagation is a stochastic process,and the correlation coefficient between each group of results is close to 1.Therefore,a new prediction method was proposed,which could accurately calculate the propagation of worm when 0.1% of all vulnerable hosts were infected.