
Research On Worm Propagation And Detection In IPv6

Posted on: 2011-05-04
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y G Xu
GTID: 1118330335486485
Subject: Computer application technology

Abstract/Summary:
With the rapid development of computer technologies and communication networks, and especially the extensive use of Internet services, network security is becoming an increasingly serious issue, with security events growing every year and booming particularly in recent years. The Internet worm has become one of the major threats to the Internet because of its severe destructive impact, large scale of invasion and rapid speed of spread. It is therefore pressing to hamper the prevalence of Internet worms in networks. Today's widely used Internet is built on the IPv4 protocol, and traditional worms infect only hosts in an IPv4 network environment. IPv6 dramatically increases the IP address space, from the 32-bit addresses of IPv4 to 128-bit addresses. The vast address space of IPv6 can prevent a worm from spreading through random scanning. For this reason, an effective defense against random-scanning worms is to upgrade the current IPv4 Internet to IPv6.

However, we believe that future worms are likely to use other, more effective scanning strategies to identify likely targets. To defend against IPv6 worm attacks, we need to anticipate and study how attackers will improve their techniques in an IPv6 Internet. We hope to illustrate that simple reliance on the IPv6 address space for protection against worms is not a wise defensive strategy, and we believe that further research is needed to develop mechanisms for detecting and responding to IPv6 worms, with the aim of restraining worm propagation and destruction. At present, the study of IPv6 worms is still at an early stage, so inevitably some problems remain. These problems need further study and analysis. This paper analyzes and studies IPv6 worm propagation and detection in depth and proposes propagation models and a detection system.

The originalities and contributions of this paper are as follows:

1) In an IPv6 network environment, this paper analyzes and studies in depth the scanning strategy and propagation of random-scanning worms and proposes WormIPv6, a new type of worm. A Simple Epidemic Model (SEM) and a Kermack-McKendrick Model (KM) are established to simulate the propagation of WormIPv6. The simulation results show that an IPv6 network can defend against random-scanning worms because of its huge address space.

2) In an IPv6 network environment, this paper analyzes and studies in depth routing worm propagation and proposes RoutingWorm-V6, a new type of routing worm. A Two-Factor Model is established to simulate the propagation of RoutingWorm-V6. The simulation results show that an IPv6 subnet can defend against routing worms because of its huge address space.

3) This paper proposes DNSWorm-V6, a new type of DNS worm. The worm applies a two-layer scanning strategy: it uses a subnet scanning strategy within the local subnet and a DNS scanning strategy between subnets. Based on this two-layer scanning strategy, a Two-Level worm propagation Model (TLM) is presented. The simulation results show that DNSWorm-V6 is a worm that can propagate quickly on a large scale in an IPv6 network; at the same time, we can predict the threat that the new worm is likely to pose in IPv6 networks.

4) In a MIPv6 network environment, this paper proposes MIPv6-Worm, a new type of worm. A method is presented for calculating the contact rate of MIPv6 nodes. The propagation strategy of MIPv6-Worm in MIPv6 networks is analyzed and studied. MWM (MIPv6 Worm Model), an epidemic model of worms in MIPv6 networks, is constructed. Simulation experiments of MIPv6-Worm propagation show that the model can correctly simulate the spread of the worm in a MIPv6 network. MWM is applied to MIPv4 and wireless network environments.

5) This paper presents a DNS-integrated system for the detection and automatic containment of worm propagation in an IPv6 local area network. This paper proposes a worm detection algorithm based on users' habits of sending DNS queries in an IPv6 Internet. Experimental results show that the algorithm is able to detect worm propagation accurately, at an early stage and in real time.
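
The address-space argument behind contribution 1 can be checked with the Simple Epidemic Model in its standard form, dI/dt = beta * I * (N - I), with beta = scan rate / size of the scanned address space. The sketch below is an added example, not code or data from the dissertation; the population, seed count and scan rate are constructed values, and 2^64 is taken as the host-identifier space of one standard IPv6 subnet.

```python
import math

def sem_infected(t, n_vuln, i0, scan_rate, addr_bits):
    """Closed-form SEM: dI/dt = beta*I*(N - I), with beta = scan_rate / 2**addr_bits."""
    beta = scan_rate / 2 ** addr_bits
    return n_vuln * i0 / (i0 + (n_vuln - i0) * math.exp(-beta * n_vuln * t))

def sem_time_to_fraction(frac, n_vuln, i0, scan_rate, addr_bits):
    """Seconds until `frac` of the vulnerable population is infected."""
    beta = scan_rate / 2 ** addr_bits
    return math.log(frac * (n_vuln - i0) / ((1 - frac) * i0)) / (beta * n_vuln)

def sem_euler(t_end, dt, n_vuln, i0, scan_rate, addr_bits):
    """Forward-Euler integration of the same ODE, as a cross-check on the closed form."""
    beta = scan_rate / 2 ** addr_bits
    infected = float(i0)
    for _ in range(int(t_end / dt)):
        infected += beta * infected * (n_vuln - infected) * dt
    return infected

# Constructed parameters (assumptions for illustration, not from the dissertation).
N_VULN = 360_000        # vulnerable hosts
I0 = 10                 # initially infected hosts
SCAN_RATE = 6.0         # probes per second per infected host
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def compare_address_spaces(frac=0.5):
    """Time to infect `frac` of hosts when scanning 2**32, 2**64 and 2**128 addresses."""
    return {bits: sem_time_to_fraction(frac, N_VULN, I0, SCAN_RATE, bits)
            for bits in (32, 64, 128)}

if __name__ == "__main__":
    for bits, secs in compare_address_spaces().items():
        print(f"2^{bits:<3} addresses: {secs / 3600:.3e} h = "
              f"{secs / SECONDS_PER_YEAR:.3e} years")
```

With these values the half-infection time is hours for a 32-bit space and millions of years for a single 64-bit subnet, which is why the abstract turns to routing-based and DNS-based target discovery as the strategies defenders need to model.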
Keywords/Search Tags:IPv6, Internet worm, routing worm, DNS, worm scanning strategy, worm propagation model, MIPv6, MIPv4, wireless networks, worm detection