Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

Yufeng Chen,Yabo Dong,Dongming Lu,Yunhe Pan

DOI: https://doi.org/10.1007/11427995_50

2005-01-01

Abstract:Worms have been becoming a serious threat in web age because worms can cause huge loss due to the fast-spread property. To detect worms effectively, it is important to investigate the characteristics of worm traffic at individual source level. We model worm traffic with the multi-fractal process, and compare the multi-fractal property of worm and normal traffics at individual source level. The results show that the worm traffic possesses less multi-fractal property.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

王勇超,谢永凯,朱之平,林怀忠

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.03.062

2010-01-01

Abstract:This paper raised a method detect the abnormal net-flow based on normal distribution,then estimated the existence of Internet worm in internal network.According to the normal distribution character of the history flow,this method computed the normal behavior trusted zone of data flow in network,judged the inspected flow abnormal flow if it went beyond the trusted zone,and alarmed the threat of Internet worm.Combined with this method,further analyzed how to use two-factor model ana-lysis of the number of Internet worms in network.

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Yufeng Chen,Yabo Dong,Dongming Lu,Yunhe Pan,Honglan Lao

DOI: https://doi.org/10.1007/11760146_60

2006-01-01

Abstract:Worm research depends on simulation to a large degree due to worm propagation characters. In worm simulation, worm traffic generation is the base to analyze influences of worm traffic on network. The popular Random Constant Spread (RCS) model ignores the burstiness of “latency-limited” worm traffic, which will cause underestimation of the influences. According to worm scan behaviors, the Periodic Burst Scanning (PBS) model is proposed to model “latency-limited” worm traffic. Simulation results show that network performance decreases much more with PBS model than that with RCS model.

Ping Ren,Wu Liu,Ke Liu,Donghong Sun

DOI: https://doi.org/10.1109/IWCDM.2011.36

2011-01-01

Abstract:As the flooding of malicious codes such as worms, how to analyze large number of malicious samples quickly and effectively becomes a great issue for researchers in network security. This paper proposed an analysis algorithm for worm network behavior based on event sequence, which uses the data flow recombination and compression methods to process the pure malicious data. With this algorithm, one can quickly extract the network behavior profile and the signature of the worm. The application of this algorithm will greatly improve the efficiency of analyzing the worm network behavior, which will be significant for the deployment of firewalls and network invasion detection systems.

王勇超,谢永凯,朱之平,董亚波

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.01.070

2010-01-01

Abstract:This paper presented a method of analyzing the probability of Internet worm infection in internal network.Analyzed the packets through the switch in network by using the active of Internet worm,acquired the amount of abnormal packets,then analyzed the number of abnormal packets to get the abnormal packets rise rate by using AR model.Weighted the abnormal flow and abnormal packets rise rate in internal network,comprehensively estimated them and got the probability of Internet worm infection in internal network.The experiment results show that the method is effective and feasible.

Qianli Zhang,Jilong Wang,Xing Li

DOI: https://doi.org/10.1109/ICICIP.2010.5564187

2010-01-01

Abstract:The spreading worms have greatly affected the network infrastructure security. After the CodeRed, there have been many new worms reported. To take countermeasure against the spreading worms, in this paper, a correlation based method is proposed and applied in the analysis. Results indicate that the spreading worms could cause dramatic changes in the flow size distribution. This method provides new insight into the worm detection and traffic anomaly discovery.

Shi Mingjiang,Li Xiang,Wang Xiaofan

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.11.035

2006-01-01

Abstract:The dynamics of Instant Message(IM) Worm is investigated through numerical simulations,which spreads faster on scale-free networks than on other types of networks.We find that enhancing users' sense of security can only reduce the impact of IM worm,but can not slow down its propagation.Based on the complex network theories,several methods are proposed to slow down and control IM worm,and monitor its outbreak as well.The virus database is introduced to Instant Message software,with which IM software can be immune to the known IM worms.Finally,according to the characteristics of IM worms' propagation and the IM network,we introduce Client-Based and Server-Side-Based monitoring techniques,respectively.

ZHANG Jia,DUAN Hai-xin,GE Lian-sheng

DOI: https://doi.org/10.3969/j.issn.1671-9352.2007.09.008

2007-01-01

Abstract:As the updating speed of the worm and other malicious codes grows faster and faster,how to analyze large sum of mali-cious sample quickly and effectively becomes an issue of research on internet security.Therefore,an analysis algorithm for worm network behavior based on event sequence was proposed.This algorithm uses the data flow recombination and compression meth-ods to process the pure malicious data.With this procedure,it can get the network behavior profile and the signature of the worm.The application of this algorithm will greatly improve the efficiency of analyzing the worm network behavior,which will be significant for the deployment of firewalls and network invasion detection systems.

Zhengtao Xiang,Yufeng Chen,Yabo Dong,Honglan Lao

DOI: https://doi.org/10.1007/11760146_61

2006-01-01

Abstract:Scanning traffic is the majority of worm traffic. Gaining deep insight into worm traffic can do much help in detecting worm hosts. The distributions of vectors related with First Contact Connections (FCC) of legitimate hosts and worm hosts are analyzed. The vectors are arrival interval, request size, response size, duration and RTT. Distributions of these vectors of worm traffic show abnormalities of the lack of heavy-tailed character, which is hold by that of legitimate traffic. Besides high probability of failed FCC, arrival interval and request size can be used as additional vectors.

Yibo XUE,Dawei WANG,Luoshi ZHANG

DOI: https://doi.org/10.3778/j.issn.1673-9418.1306030

2014-01-01

Abstract:Along with the rapid development of Internet, the Internet service providers (ISPs) and network manage-ment departments are urgent to analyze the operating state of Internet, in order to guarantee the usability, stability and security of Internet. However, due to the rapidly growing user number, the ever increasing Internet bandwidth, the continuous change of traffic characteristics and the more and more complexity of the new emerging applications, it is facing with more and more challenges for network analysis. Therefore, in order to solve these issues, this paper proposes a novel analysis theory and method, named as network flow field. Network flow field not only concerns the“solid”metrics such as network packets and flows, but also pays more attention to the distribution and trend of network traffic, so it can reveal the traffic distribution and the relationship among network hosts, thus can reflect the social attributes of Internet. Based on the qualitative and quantitative analysis, network flow field theory and method can analyze the network deeply by using a new kind of view, it can not only obtain the basic statistical information of network traffic, bus also dig out its secret and implication information, such as timing relationship, state transition relationship, private network topology, key paths and key nodes, etc. The experimental results show that network flow field theory and method can achieve a good performance. Therefore, network flow field theory can provide the efficient framework and model for network traffic analysis, so as to guide the further research of network manage-ment, analysis and measurement field.

WEN Shi-qiang,DUAN Hai-xin,WU Jian-ping

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.05.007

2005-01-01

Abstract:New internet worm including many attack measures, such as virus, trojan and DDDS, will cause network block even paralysis, when it breaks out. A detection algorithm is brought forward which can find abnormity in the forepart of worm eruption by detection on variable rate of network flux, and then network administrators and emergency response teams can gain more time to take measures before worm blocks the network. This algorithm is evaluatedby DARPA98 intrusion detection evaluation system and has applied to real flux data of worm (Blaster、Nachi、slammer) eruption.

zhen chen,chuang lin,jia ni,donghua ruan,bo zheng,yixin jiang,xuehai peng,yang wang,anan luo,bing zhu,yao yue,fengyuan ren

DOI: https://doi.org/10.1109/LCN.2005.31

2005-01-01

Abstract:TCP/IP protocol suite carries most application data in Internet. TCP flow retrieval has more security meanings than the IP packet payload. Hence, monitoring the TCP flow has more strength than only monitoring the IP packet payload in the AntiWorm system. The main idea of this paper is to use the flexibility and high performance of network processors to scan TCP flow for locating worm's binary codes, and cut off their propagation. A stateful TCP flow inspection engine is implemented based on IXP network processor, which can monitor about 512K flows. The performance issues about IXP network processors are evaluated and collected, and an analysis is made for further optimizing the system performance. The system is also demonstrated and proved by using the Internet traces and real assaults of Worms. Software Package TCPScanner 1.0 is also given as a software release of the research

Guanhua Yan,Zhen Xiao,Stephan J. Eidenbenz

2008-01-01

Abstract:Instant messaging (IM) systems have gained a lot of popularity in recent years. The increasing number of IM users has lured malware authors to develop more worms and viruses that spread in IM networks. In response to such growing security threat to IM systems, it is imperative to develop a fast and responsive IM worm detection system. In this paper, we apply change-point detection techniques to catch two families of IM worms, one aimed at infecting all vulnerable machines as quickly as possible and the other aimed at spreading slowly in a stealthy fashion to evade detection. Experimental results demonstrate that the proposed solutions are very effective in detecting both families of IM worms.

Jinhuan Hou,Fuqiang Ding

DOI: https://doi.org/10.1155/2022/8587906

2022-01-25

Scientific Programming

Abstract:This study analyzes and designs a network security management system based on the K-means algorithm. Through the investigation of network security managers, this article uses structured modeling technology to derive the system’s logical business functions, which are data acquisition function, data analysis function, and post-processing function. This study uses a three-tier architecture to design the system, describes the system data business processing flow, and gives the key flow of the K-means algorithm application. In addition, the system database is designed to provide support for system data processing. This study proposes a dual-network text matching model based on local interactive components. This model composes two modalities of single-modal short text data: a positional structural modal for describing local interactions and a global semantic understanding modal for extracting global semantic information. Two heterogeneous networks are used to extract two modalities. The principle of complementarity of modalities is realized by constructing the differences of each modal. At the same time, through the attention mechanism, the position information of the position structure modal is transferred to the global semantic understanding modal to obtain consistent comprehensive information so as to realize the principle of modal consistency. On this basis, by designing low-order interaction functions and high-order interaction functions, and using long- and short-term memory networks, we have, respectively, improved the position structure modal and global semantic understanding modal. The theoretical analysis and simulation results of the model show that the propagation characteristics of the network worm are completely determined by the threshold R0 required for its existence. When R0 >1, the network worm will become popular even with a small initial infection number; conversely, even if the initial infection machine is large, the network worm will eventually become extinct. The research results of this article also show that the introduction of mobile devices has an important impact on the defense technology of network worms. To curb network worms that use both the network and mobile devices to spread, and to increase the proportion of machines that have never been infected with the virus, the most effective method is to control the number of mobile devices and reduce the possibility of cross-infection between mobile devices and machines. The simulation results show that, regardless of whether dynamic isolation and antivirus software are considered, the local area network-based choke method given in this study can effectively curb intelligent network worms that have slow scanning rates and clear scanning targets. In addition, the choke method presented in this article can determine the choke threshold without affecting the normal network scanning behavior of users in the local area network.

computer science, software engineering