
Research On Worm Simulation Methods And Detection Technologies

Posted on: 2007-10-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y F Chen
Full Text: PDF
GTID: 1118360182493816
Subject: Computer Science and Technology

Abstract/Summary:
Worms have been one of the most serious threats to Internet security because of the damage they cause, the large number of victims and the speed at which they spread. The lack of an effective simulation environment limits in-depth research on worms, and the lack of accuracy in worm detection undermines the technologies built on it for worm defense, containment and response. Research on worms in local (interior) networks is important for early warning and propagation control. This dissertation focuses on worm simulation and detection in local networks. Simulation methods and detection technologies are proposed, establishing a basis for further research, worm early warning and worm emergency response. The results have academic significance and promising applications.

Firstly, traffic models are studied at the network-aggregate level and at the individual-host level. From the aggregate-level analysis, a bi-directional TCP traffic model is proposed and used to generate background traffic in worm simulation. Working at the level of TCP connections, the model distinguishes request traffic from response traffic and describes the statistical characteristics of bi-directional traffic at several time scales. From the host-level analysis, a periodic burst traffic model for "latency-limited" worms is proposed. The model statistically describes the scanning behavior of worms and can be used to simulate worm traffic accurately. The differences in self-similarity and heavy-tailed properties of several statistical indices between worm-host traffic and normal-host traffic are analyzed. These indices, including the arrival interval, request size, response size, duration and RTT of "First Contact Connections", are candidates for worm detection.

Secondly, the worm simulation environment is implemented and the effects of worm traffic on the network are analyzed. In the simulation environment, background traffic is simulated with a "semi-structural" TCP aggregated-traffic framework that balances accuracy and performance. Based on the bi-directional TCP traffic model, the framework treats the local network as a single node and is divided into two parts: an aggregated-traffic generator at the application level and an aggregated-traffic controller at the transport level. The experimental results show that the framework is valid, stable, comparable and efficient. In worm traffic simulation, worm propagation is simulated with a mixed-abstraction-level simulation model, and the scanning traffic of a worm host is simulated with the periodic burst traffic model. The experimental results show that this model depicts the effects of worm traffic on the network better than the traditional random constant spread (RCS) model.

Thirdly, detection indices and technologies are investigated. Taking worm behavior into account, the effective detection indices are selected from the candidates: the failure probability, request size and arrival interval of "First Contact Connections". Based on the discrepancies in the heavy-tailed properties of these indices, two anomaly detection algorithms for unknown worms are proposed using statistical classification techniques. Compared with the mainstream method at the same false-negative rate, the two proposed algorithms reduce false positives significantly.

Finally, the worm simulation environment and the detection system are implemented. Through deployment at a Network Access Point, the simulation methods and detection technologies above are validated.

The main contributions are: the bi-directional TCP traffic model, the periodic burst worm traffic model, the "semi-structural" TCP aggregated-traffic simulation method, and the anomaly detection algorithms for unknown worms based on heavy-tailed properties and statistical classification.

Future work includes: a distributed simulation environment; fast detection technologies for other scanning strategies, especially hit-list scanning; effective worm containment technologies; applying the results, ideas and methodologies of this dissertation to other large-scale network attacks; and traffic models for major application protocols and digital media, such as streaming media, together with network performance analysis and QoS technologies.
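The abstract names three detection indices computed over a host's "First Contact Connections" (FCCs): the failure probability, the request size and the arrival interval. The following added example (not the dissertation's code, and not its statistical classifiers) computes those three indices per source host from constructed flow records and applies a simple threshold rule so the contrast between a normal host and a scanning host is visible. The flow records, the host addresses, the field names, the threshold values and the scoring rule are all assumptions made for illustration.

```python
"""Per-host First Contact Connection (FCC) indices over constructed flow records.

Added example, not code from the dissertation. The thresholds and the
flag rule in detect() are assumptions for illustration only.
"""
from collections import defaultdict
from statistics import mean, median

# Constructed sample records: (timestamp_s, src, dst, dport, req_bytes, succeeded).
# A normal host contacts a few destinations, mostly successfully, with varied
# request sizes; the destinations below are documentation/example addresses.
FLOWS = [
    (0.0, "10.0.0.5", "93.184.216.34", 80, 512, True),
    (3.2, "10.0.0.5", "93.184.216.34", 80, 640, True),   # repeat contact, not an FCC
    (7.9, "10.0.0.5", "151.101.1.69", 443, 1320, True),
    (15.4, "10.0.0.5", "140.82.112.3", 443, 980, True),
    (31.0, "10.0.0.5", "151.101.1.69", 443, 1500, True),  # repeat contact, not an FCC
    (44.7, "10.0.0.5", "172.217.14.206", 443, 870, True),
]
# A constructed scanning host: periodic bursts (every 5 s) of 8 fixed-size
# probes to fresh destinations, 0.05 s apart, with only one probe per burst
# reaching a live target. This mimics the bursty scan pattern the abstract
# attributes to latency-limited worms; the numbers are invented.
for burst in range(4):
    for i in range(8):
        FLOWS.append((burst * 5 + i * 0.05, "10.0.0.23",
                      f"203.0.113.{burst * 8 + i + 1}", 445, 376, i == 3))


def first_contact_connections(flows):
    """Return {src: [(ts, dst, req_bytes, succeeded), ...]} keeping only the
    first connection each source makes to each destination, in time order."""
    seen = defaultdict(set)
    fccs = defaultdict(list)
    for ts, src, dst, _dport, req_bytes, ok in sorted(flows):
        if dst in seen[src]:
            continue                      # later contacts with a known peer are ignored
        seen[src].add(dst)
        fccs[src].append((ts, dst, req_bytes, ok))
    return fccs


def fcc_indices(fccs):
    """Compute the three indices named in the abstract for one host's FCC list."""
    n = len(fccs)
    failures = sum(1 for _ts, _dst, _b, ok in fccs if not ok)
    timestamps = [ts for ts, _dst, _b, _ok in fccs]
    intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return {
        "n": n,
        "fail_prob": failures / n if n else 0.0,           # FCC failure probability
        "median_req": median(b for _ts, _dst, b, _ok in fccs) if n else 0,  # request size
        "mean_interval": mean(intervals) if intervals else None,  # FCC arrival interval
    }


def detect(flows, min_fcc=10, fail_prob_threshold=0.5, max_mean_interval=1.0):
    """Flag hosts whose FCCs fail often and arrive quickly.

    The rule and its thresholds are assumptions for illustration; the
    dissertation's own classifiers work on the heavy-tailed distributions
    of these indices and are not reproduced here.
    """
    result = {}
    for src, fccs in first_contact_connections(flows).items():
        idx = fcc_indices(fccs)
        flagged = (idx["n"] >= min_fcc
                   and idx["fail_prob"] >= fail_prob_threshold
                   and idx["mean_interval"] is not None
                   and idx["mean_interval"] <= max_mean_interval)
        result[src] = {**idx, "flagged": flagged}
    return result


if __name__ == "__main__":
    for host, info in detect(FLOWS).items():
        print(host, info)
```

Note that repeat contacts with an already-seen destination are excluded before any index is computed; on real traffic the "seen" set needs a bounded window (the abstract's host-level models operate at several time scales), otherwise a long-lived host slowly accumulates peers and the FCC rate is underestimated.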
Keywords/Search Tags:worm simulation, worm detection, traffic modeling, traffic simulation, self-similarity, heavy-tailed property