
Worm Detection And Containment In Large Networks

Posted on: 2007-03-10
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P Wang
Full Text: PDF
GTID: 1118360185468067
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of network applications, network security is seriously threatened. The spread of malicious code in particular is a major source of these threats. Of all malicious code, worms are capable of self-propagating without human intervention, which makes the potential damage more serious. Enforcing worm containment in large-scale networks has therefore become a pressing task.

To address the problem of worm spread, we study approaches to quarantining worms in large-scale networks. Based on an analysis of the worm propagation model, we believe that the deployment of the defense system and the time at which containment is performed are the two most important factors in the overall quarantine effect. By reducing the network scale through partitioning and shortening the containment time through automatic detection, a worm defense system for large-scale networks can restrict worm propagation effectively. This paper is composed of four parts:

First, in the discussion of worm propagation properties, we propose the partition approach to worm containment. Analyzing the worm's scanning stage, we find that a worm's spreading speed is closely related to network scale. The SEM is examined in depth and, based on the model analysis, we perform quarantine by dividing a large-scale network and enforcing the quarantine at the borders. A worm propagation model that accounts for network scale is constructed in this paper. Further, the number of subnets into which the whole large-scale network is divided and the partition time are discussed as the two most influential factors in the overall quarantine effect. This discussion provides the theoretical basis for the partition-based quarantine approach.

Second, time and space constraints lead users to form certain habits after using the Internet for some period, and these habits limit the total number of destinations they access. During a massive worm outbreak, the overwhelming traffic caused by scanning temporarily alters the observed behavior of users. It is therefore reasonable to conclude that statistics and classification of network accesses will help detect worms efficiently. We analyzed user behavior and proposed a new approach to...
Keywords/Search Tags:computer network, worm, signature detection, anomaly find, signature extraction