
Study On Network Worm Propagation Model And Its Detection Techniques

Posted on: 2017-02-22
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Q R Li
GTID: 1108330488972902
Subject: Computer application technology
Abstract/Summary:
A network worm is an independent malicious program that reproduces and propagates over the network. Because of their rapid propagation and destructiveness, network worms pose a serious threat to network information security. Network information security is a current research hotspot and one of the directions of future network development. Studying worm propagation models, discovering the laws of propagation, and formulating feasible and effective defense strategies is therefore important in both theory and practice. This dissertation is mainly concerned with worm propagation models and worm detection technology. Its major contributions are as follows:

1. A differential model of worm propagation is proposed to study the period of worm occurrence and its ending. Analysis of the model explains theoretically that worm outbreaks are aperiodic. The singularities of the model are solved and their types are determined from the model's linear approximate system, from which the phase plot is obtained. The phase plots give the trend of worm propagation and the prevalence area, buffer area and extinction area. Finally, a new idea for controlling worm propagation is given: because each area changes as the singularity types change, a worm can be controlled by adjusting network parameters.

2. Because removable storage devices are increasingly becoming propagation channels, a worm propagation model that takes removable storage devices into account is set up. The threshold for worm extinction, the basic reproductive number, is obtained by theoretical analysis. The worm-free equilibrium and the endemic equilibrium are obtained from the basic reproductive number, and their local stability is proved.

3. To obtain the time from each state to the recovery state, a stochastic model of worm propagation is proposed based on the epidemiological model. First, the differential equation of worm propagation is transformed into a state equation, and a Markov chain is obtained. Then, by decomposing the state space of the Markov chain, the transition probability of each state, the time spent in each state and the expected time from each state to the recovery state are obtained. The expected time from each state to the recovery state indicates the best time for defending against the worm.

4. A worm propagation model with time delay is proposed, since there is a delay between a host being infected and its becoming infectious. The dynamics of the model are analyzed and the critical value is given. Local and global stability of the worm-free equilibrium are studied with the help of the basic reproductive number, and then the stability of the endemic equilibrium is analyzed. The conclusions are that if the delay is less than the critical value, the system is stable and this is the best chance to stop the worm from spreading further; if the delay is greater than the critical value, oscillation begins and the system is unstable, which makes worm propagation difficult to defend against. Simulation results show that the proposed model is effective to a certain degree.

5. To address the high dimensionality of packet payload features in intrusion detection, a multi-tier intrusion detection method based on feature reduction is proposed. A simple classifier is designed to compare the performance of different dimensionality reduction algorithms. The proposed method consists of three parts: feature generation, feature reduction and decision making. First, n-grams are used to transform the packet payload into a 256-dimensional feature vector. Second, the intrinsic dimension is estimated by the maximum likelihood method and dimension reduction is performed with the Laplacian Eigenmap algorithm. Third, attacks are detected by comparing the Mahalanobis distance between the incoming traffic profile and the normal traffic profile. The experimental results show that the proposed method has better detection performance.

6. To address the triangle area method's loss of correlation information between features in intrusion detection, a feature polynomial method is proposed. An anomaly-based intrusion detection framework is designed in which a feature polynomial extracts the correlation information. In the proposed method, normal and abnormal traffic are classified by Mahalanobis distance. The polynomial method can present the correlation between features intuitively and flexibly. The experimental results show that the proposed method achieves better detection performance than the triangle area method.
Keywords/Search Tags:Network worm, Stability, Feature correlation, Mahalanobis distance
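The payload-profiling idea in contribution 5 can be sketched as follows. This is an added example, not code from the dissertation: it assumes the 256 dimensions are single-byte frequencies, skips the Laplacian Eigenmap reduction step, and uses a diagonal-covariance Mahalanobis distance with a smoothing term `eps`; all function names and sample payloads are constructed for illustration.

```python
import math

def byte_histogram(payload: bytes) -> list:
    """1-gram features: relative frequency of each of the 256 byte values."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    total = len(payload) or 1          # avoid division by zero on empty payloads
    return [c / total for c in counts]

def fit_profile(payloads):
    """Per-feature mean and variance of the normal-traffic profile."""
    vecs = [byte_histogram(p) for p in payloads]
    n = len(vecs)
    mean = [sum(v[i] for v in vecs) / n for i in range(256)]
    var = [sum((v[i] - mean[i]) ** 2 for v in vecs) / n for i in range(256)]
    return mean, var

def distance(payload, profile, eps=1e-4):
    """Mahalanobis distance under a diagonal covariance (assumption); eps
    smooths features that never varied in training."""
    mean, var = profile
    x = byte_histogram(payload)
    return math.sqrt(sum((x[i] - mean[i]) ** 2 / (var[i] + eps) for i in range(256)))

def fit_threshold(payloads, profile, k=3.0):
    """Alert threshold: mean + k standard deviations of training distances."""
    d = [distance(p, profile) for p in payloads]
    m = sum(d) / len(d)
    s = math.sqrt(sum((x - m) ** 2 for x in d) / len(d))
    return m + k * s

# Constructed sample traffic (not from the dissertation's data set).
NORMAL = [b"GET /%s HTTP/1.1\r\nHost: example.test\r\n\r\n" % p for p in
          (b"index.html", b"about.html", b"news/today", b"img/logo.png",
           b"css/site.css", b"docs/faq")]
HELD_OUT = b"GET /contact.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
BINARY = bytes(range(128, 192)) + b"\xff" * 64   # constructed non-text payload

PROFILE = fit_profile(NORMAL)
THRESHOLD = fit_threshold(NORMAL, PROFILE)

def is_anomalous(payload):
    """True when the payload lies farther from the profile than the threshold."""
    return distance(payload, PROFILE) > THRESHOLD

if __name__ == "__main__":
    for name, p in (("held-out", HELD_OUT), ("binary", BINARY)):
        print(name, round(distance(p, PROFILE), 2), is_anomalous(p))
```

With only a handful of training payloads a full 256×256 covariance matrix is singular, which is one practical reason a reduction step or a diagonal approximation is needed before the distance can be computed.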