
Worm Modeling And Defense Strategies For Large-Scale Networks

Posted on: 2010-10-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F W Wang
GTID: 1118360302469346
Subject: Computer system architecture
Abstract/Summary:
With the explosive growth in the number and complexity of network applications, network security problems are becoming increasingly serious, with security events growing every year and booming particularly in recent years. Malicious code makes up an essential part of these threat sources. Among malicious code, Internet worms, which self-propagate without human intervention, have become one of the major threats to the Internet infrastructure because of their horrendous propagation speed, large scale of invasion, and significant damage. Internet worms pose a serious threat to the confidentiality, integrity, and availability of computer resources on the Internet. They can damage computer systems by erasing data, stealing information, opening a backdoor listener, creating zombies with the worm generator, modifying normal operation, or launching a distributed denial of service (DDoS). In recent years, the study of Internet worms has become one of the most active research topics in the field of network and information security. How to defend against Internet worms is an urgent issue confronting defenders.

By studying the scanning strategies used by Internet worms, establishing their propagation models, and identifying the key factors that affect them, it is possible to mitigate Internet worms effectively. This dissertation conducts an in-depth study of worm modeling and defense strategies for large-scale networks.

Firstly, a simple worm propagation model based on a discrete time differential equation is provided. The different scanning strategies used by Internet worms, such as uniform scan, hit-list scan, routable scan, divide-and-conquer scan, local subnet scan, sequential scan, and permutation scan, are analyzed in detail based on the proposed model, and their corresponding models are given.

Secondly, inspired by the theory of good point sets, we propose a new scanning strategy for worms, referred to as good point set scanning (GPSS). Combined with group distribution, a static optimal GPSS is derived. Since this information cannot easily be collected before a worm is released, a self-learning worm with GPSS is designed. Experimental results show that once the distribution of vulnerable hosts is accurately estimated, a self-learning worm can propagate much faster than other worms. We explore the interaction dynamics between a self-learning worm (prey) and a predator using mathematical models. In order to combat self-learning worms, we propose several interesting combat scenarios of two fighting worms, focusing on good point set scanning worm interactions. We obtain the basic reproduction number of each interaction model. The impact of different predator parameters is studied. Simulation results show that our proposed models are effective in combating such worms, in terms of decreasing the number of prey infectives and reducing the prey propagation speed.

Thirdly, inspired by worm vaccinations, we propose a novel epidemic model that combines both vaccination and dynamic quarantine methods, referred to as the SEIQV model. The impact of different parameters on this model is studied. Simulation results show that the performance of our model is significantly better than that of other models, in terms of decreasing the number of infected hosts and reducing the worm propagation speed.

Fourthly, a delayed SEIRS epidemic model with death, offline, and online rates is constructed based on the actual situation of P2P users. The basic reproductive number is obtained. The impact of different parameters on this model is studied through simulation, especially the effect of time delay, which can provide an important guideline for the control of unstructured P2P networks as well as for passive worm defense.

Fifthly, we obtain the average delay for numerous peers over the entire transmission process, and propose a mathematical model for simulating the propagation of passive worms in unstructured P2P networks that takes network throughput into account. Based on file popularity, which follows the Zipf distribution, we propose a new defense strategy based on healthy file dissemination. Some parameters related to the propagation of passive worms are studied based on the proposed model.
Keywords/Search Tags: Internet worm, propagation model, defense strategy, predator/prey model, the basic reproduction number