Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Chen Bo,Bin Xing Fang,Xiao Chun Yun

DOI: https://doi.org/10.1007/11760146_16

2006-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new algorithm for detecting worms. Our algorithm first monitors the computers on network and gets the number of abnormal computers. Then based on the monitoring result, we detect an unknown worm by using recursive least squares estimation. The experiments result proves that our approach is effective to detect unknown worm.

Hui He,Mingyi Hu,Weizhe Zhang,Hongli Zhang

DOI: https://doi.org/10.1007/11739685_70

2006-01-01

Abstract:Internet worms constitute a major threat to the security of today’s networks. They work by exploiting vulnerabilities in operating systems and application software that run on end systems. In this paper, an effective algorithm for fast detection of worms is proposed. It integrates the worms’ behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution and changes in some of their attributes. The process of fast detection based on similarity is discussed in detail including threshold selection, similarity detection algorithm and fine analysis. Simulation experiments show that the detection algorithm can locate the worm infection prior to it spreading over the large-scale network.

LIU Ting,ZHENG Qin-hua,GUAN Xiao-hong,QU Yu,WANG Na

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.012

2007-01-01

Abstract:The prediction of the worm propagation is the basis of the worm defense.It is becoming more difficult to model the propagation of worms in the early stage of worm-spreading,because the worm strategies are smarter and the Internet structure is more complicated than ever before.In present study,a stochastic simulator was designed to simulate the propagation of worms.From the analysis of 1000 groups of experiment results,it was proved that the worm-propagation is a stochastic process,and the correlation coefficient between each group of results is close to 1.Therefore,a new prediction method was proposed,which could accurately calculate the propagation of worm when 0.1% of all vulnerable hosts were infected.

Zhi-guang Qin,Chao-sheng Feng,Feng-li Zhang,Laurence CuthbeRt

DOI: https://doi.org/10.1109/icycs.2008.237

2012-01-01

Abstract:P2P worms pose heavy threatens to P2P networks. P2P worms exploit common vulnerabilities in member hosts of a P2P network and spread topologically in the P2P network, a potentially more effective strategy than random scanning for locating victims. Considering that the topology of P2P networks has important effect on P2P active worm spreading, it is very difficult to model propagation of P2P active worms. For this reason, so far few propagation models are proposed. In this paper, we propose a propagation model of active worms in P2P networks based the discrete-time method. The analysis on simulation results shows that there exists some threshold value during spreading of active worms and different infection strategies result in different infection results in P2P networks.

Zhitang Li,Yejiang Zhang,Zhengbing Hu,Huaiqing Lin,Chuiwei Lu

DOI: https://doi.org/10.1109/nswctc.2009.357

2009-01-01

Abstract:In addition to the real time nature, the neighbor list/routing table of the node in P2P (peer-to-peer) systems presents precise topological information, which makes it possible for proactive P2P worms to propagate over P2P networks rapidly and cause severe damage. However, it is still a challenge to detect their propagation before they plague P2P networks. Based on modeling and analysis of proactive P2P worm propagation and its abnormal multicast traffic pattern, we propose an efficient method for real time worm detection and control against proactive P2P worms according to its multicast characteristic. Simulations on scale-free P2P network topologies have shown promising results of our method.

Qinhua Zheng,Ting Liu,Xiaohong Guan,Yu Qu,Na Wang

DOI: https://doi.org/10.1145/1314389.1314392

2007-01-01

Abstract:It is commonly believed that the IPv6 protocol can provide good protection against network worms due to its huge address space. However, it is proved to be incorrect by our study on the new "dual-stack worm" which can spread in IPv4-IPv6 dual-stack networks. It is found in this paper that the dual-stack worm can collect the IPv6 addresses of all running hosts on the link-local quickly and effectively, which may result in accelerated worm spreading on the IPv6 link-locals. This worm applies a two-level scanning mechanism to find its targets in dual-stack networks, which is investigated by exploring its similarity to the self-replicating behaviors of biological viruses. Based on the ideas of classifying the population into different species or patches, we categorized all vulnerable hosts into two species and separated all dual-stack hosts into several patches to model the propagation of this worm by differential equations. Simulation is performed to validate the worm propagation model and to study the propagation of the worm in various dual-stack networks with different patch parameters. The simulation results show that the worm is able to spread much faster in IPv4-IPv6 dual-stack network than that in the pure IPv4 Internet. It is also noted that the dual-stack links may influence the propagation of the worm in the Internet

Qian Wang,Zesheng Chen,Chao Chen

DOI: https://doi.org/10.48550/arXiv.1001.1195

2010-07-18

Abstract:Internet worm infection continues to be one of top security threats and has been widely used by botnets to recruit new bots. In this work, we attempt to quantify the infection ability of individual hosts and reveal the key characteristics of the underlying topology formed by worm infection, i.e., the number of children and the generation of the worm infection family tree. Specifically, we first apply probabilistic modeling methods and a sequential growth model to analyze the infection tree of a wide class of worms. We analytically and empirically find that the number of children has asymptotically a geometric distribution with parameter 0.5. As a result, on average half of infected hosts never compromise any vulnerable host, over 98% of infected hosts have no more than five children, and a small portion of infected hosts have a large number of children. We also discover that the generation follows closely a Poisson distribution and the average path length of the worm infection family tree increases approximately logarithmically with the total number of infected hosts. Next, we empirically study the infection structure of localized-scanning worms and surprisingly find that most of the above observations also apply to localized-scanning worms. Finally, we apply our findings to develop bot detection methods and study potential countermeasures for a botnet (e.g., Conficker C) that uses scan-based peer discovery to form a P2P-based botnet. Specifically, we demonstrate that targeted detection that focuses on the nodes with the largest number of children is an efficient way to expose bots. For example, our simulation shows that when 3.125% nodes are examined, targeted detection can reveal 22.36% bots. However, we also point out that future botnets may limit the maximum number of children to weaken targeted detection, without greatly slowing down the speed of worm infection.

Cryptography and Security

Chao-sheng Feng,Jun Yang,Zhi-guang Qin,Ding Yuan,Hong-rong Cheng

DOI: https://doi.org/10.1016/j.simpat.2014.11.004

IF: 4.199

2015-01-01

Simulation Modelling Practice and Theory

Abstract:A number of worms, named P2P (peer-to-peer) passive worms, have recently surfaced, which propagate in P2P file-sharing networks and have posed heavy threats to these networks. In contrast to the majority of Internet worms, it is by exploiting users’ legitimate activities instead of vulnerabilities of networks in which P2P passive worms propagate. This feature evidently slows down their propagation, which results in them not attracting an adequate amount of attention in literature. Meanwhile, this feature visibly increases the difficulty of detecting them, which makes it very possible for them to become epidemic. In this paper, we propose an analytical model for P2P passive worm propagation by adopting epidemiological approaches so as to identify their behaviors and predict the tendency of their propagation accurately. Compared with a few existing models, dynamic characteristics of P2P networks are taken into account. Based on this proposed model, the sufficient condition for the global stability of the worm free equilibrium is derived by applying epidemiological theories. Large scale simulation experiments have validated both the proposed model and the condition.

Bo CHEN,Bin-Xing FANG,Xiao-Chun YUN

2007-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new monitoring algorithm. Based on the monitoring result, we present an adaptive method to detect un-known worm by using recursive least squares estimation. The experiment result proves that our approach can be effectively, quickly and robust to detect unknown worm.

Hui He,Ming-Zeng Hu,Wei-Zhe Zhang,Hong-Li Zhang

2005-01-01

Abstract:Internet worms are becoming a major threat to the security of today's large-scale networks. The fast spreading nature of worms calls for a worm monitoring and early detection system. In this paper, an effective algorithm for early detection of the active worms and the corresponding detection system are proposed. The detection engine is the key components to the system, and the early detection algorithm based on multi-similarity is discussed in detail, which is the core of the engine, that integrates the worms' behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution change of some attributes. Our simulation experiments show that the system can detect the presence worms intrusion when attacks don't arouse the sharp changes of the network traffic. It can detect the worm attack ahead of its overspreading on the large-scale network.

Chen Bo,Yu Xiangzhan,Fang Binxing,Yun Xiaochun

DOI: https://doi.org/10.1007/s11460-007-0087-7

2007-01-01

Frontiers of Electrical and Electronic Engineering in China

Abstract:There appear many Internet-scale worm incidents in recent years, which have caused severe damage to the society. It is clear that a simple self-propagation worm can quickly spread across the Internet. Therefore, it is necessary to implement automatic mitigation which can detect worm and drop its packet. In this paper, the worm’s framework was first analyzed and its two characteristics were detected. Based on the two characteristics, a defending algorithm was presented to protect network. Experimental results verify that our algorithm is very effective to constrain the worm propagation and meanwhile it almost does not interfere in normal activity.

C Bo,BX Fang,XC Yun

DOI: https://doi.org/10.1109/icmlc.2005.1527351

2005-01-01

Abstract:In recent years, Internet-scale worm incidents occurred many times. People wonder at the speediness of the worm spread and the severe damage to the Internet. So people began to find methods to detect worms as quickly as possible. The paper first describes a worm behavior and propagation model. And then based on it, a new approach for early detection of Internet worms is proposed. This approach determines whether a worm incident has occurred by the change of the computers' connection degree. The approach is proved to be effective on early detection of unknown worms by experiments.

Hua Li,Zheng Qin,Xiaohui Pan,Xiaosong Zhang

DOI: https://doi.org/10.1109/MINES.2009.109

2009-01-01

Abstract:Nowadays, P2P network has been used by millions of internet subscribers because of its convenience in sharing and exchanging files. But non-scanning active worms which propagation by making use of the topology of the P2P network make P2P network facing heavy threaten. This kind of worms can propagate much faster than non-P2P worms since they needn't waste time for randomly searching for attack targets and can cause much more harm to network. So in this paper we study the propagation of this kind of worms in unstructured P2P network, propose a new non-scanning active worm propagation model and describe the impact of the related parameters, such as the size of the P2P network, the size of the hit list etc, on the propagation speed of the non-scanning active worm. We believe our model can be a guideline in the defense and control of non-scanning active worm propagation in unstructured P2P network to some extent

Ting Liu,Xiaohong Guan,Qinghua Zheng,Yu Qu

DOI: https://doi.org/10.1109/mnet.2009.5274918

IF: 10.294

2009-01-01

IEEE Network

Abstract:It is commonly believed that the IPv6 protocol can provide good protection against network worms that try to find victims through random address scanning due to its huge address space. However, we discover that there is serious vulnerability in terms of worm propagation in IPv6 and IPv4-IPv6 dual-stack networks. It is shown in this article that a new worm can collect the IPv6 addresses of all running hosts in a local subnet very quickly, leading to accelerated worm propagation. Similar to modeling the self-replicating behaviors of biological viruses, a Species-Patch model and a discrete-time simulator are developed to study how the dual-stack worm spreads in networks with various topologies. It is shown that the worm could propagate in the IPv6 and IPv4-IPv6 dual-stack networks much faster than in the current IPv4 Internet. Several effective defense strategies focusing on network deployment are proposed.

Xiao Ying,Yun Xiaochun,Xin Yi

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.07.035

2006-01-01

Abstract:Nowadays,the worm becomes the biggest threat in the Internet,the method of propagation of worm is becoming more intelligent and enshrouded.Search engines are used to retrieve interesting things,meanwhile,they can be used by worm for propagation.Worms based on search engines implement enshrouded,precise propagation with small network traffic.In this paper,we introduce the feature of this kind of worm,and then we propose a client search model and an anomalous detection algorithm.This method is proved to be of high efficiency by experiments.

J. Luo,B. Xiao,Q. Xiao,J. Cao,M. Guo

DOI: https://doi.org/10.1145/2567925

2014-01-01

ACM Transactions on Autonomous and Adaptive Systems

Abstract:BitTorrent (BT) is one of the most common Peer-to-Peer (P2P) file sharing protocols. Rather than downloading a file from a single source, the protocol allows users to join a swarm of peers to download and upload from each other simultaneously. Worms exploiting information from BT servers or trackers can cause serious damage to participating peers, which unfortunately has been neglected previously. In this article, we first present a new worm, called Adaptive BitTorrent worm (A-BT worm), which finds new victims and propagates sending forged requests to trackers. To reduce its abnormal behavior, the worm estimates the ratio of infected peers and adaptively adjusts its propagation speed. We then build a hybrid model to precisely characterize the propagation behavior of the worm. We also propose a statistical method to automatically detect the worm from the tracker by estimating the variance of the time intervals of requests. To slow down the worm propagation, we design a safe strategy in which the tracker returns secured peers when receives a request. Finally, we evaluate the accuracy of the hybrid model, and the effectiveness of our detection method and containment strategy through simulations.

Xiao-song Zhang,Ting Chen,Jiong Zheng,Hua Li

DOI: https://doi.org/10.1631/jzus.c0910488

2010-01-01

Journal of Zhejiang University SCIENCE C

Abstract:It is universally acknowledged by network security experts that proactive peer-to-peer (P2P) worms may soon engender serious threats to the Internet infrastructures. These latent threats stimulate activities of modeling and analysis of the proactive P2P worm propagation. Based on the classical two-factor model, in this paper, we propose a novel proactive worm propagation model in unstructured P2P networks (called the four-factor model) by considering four factors: (1) network topology, (2) countermeasures taken by Internet service providers (ISPs) and users, (3) configuration diversity of nodes in the P2P network, and (4) attack and defense strategies. Simulations and experiments show that proactive P2P worms can be slowed down by two ways: improvement of the configuration diversity of the P2P network and using powerful rules to reinforce the most connected nodes from being compromised. The four-factor model provides a better description and prediction of the proactive P2P worm propagation.

ZM Cai,TH Qin,X Guan,XB Ma,XM Zhou

2006-01-01

Abstract:Internet is perhaps the most complex man-made system. Its complexity makes internet security a very hard problem which attracts a lot of research interests. Recent large-scale and fast spreading internet worms led to researches in automated containment against self-propagating worms and early worm detection is widely believed as the essential choke point of worm containment. In this paper, two new concepts, flow intensity and flow distribution intensity, are proposed to capture fundamental characteristics of network traffic. Although raw network traffics are non-stable, we find that the calculated flow intensity and flow distribution intensity are stable processes with non-zero means. We also find that the abnormal network behavior, e.g. occurrences of worms, will lead to significant changes of the stable process's mean and variance. EWMA (Exponential Weighted Moving Average) control charts are applied to the detection of the change point and in turn the detection of early worm propagation. The extensive experimental results show that our method detects early worm propagation in local networks both quickly and accurately.