
Research On The Propagation Model And Detection Technology Of Internet Worms

Posted on: 2010-01-31
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H X Zhou
Full Text: PDF
GTID: 1118360308478473
Subject: Computer application technology
Abstract/Summary:

With the rapid development of information technology, Internet worms have persistently threatened computer system security and network security. Diverse propagation strategies and complex application environments give Internet worms a high frequency of occurrence, great destructive potential and broad coverage, and worm outbreaks also cause huge economic losses. Yet the behavior of worms is still not fully understood, and current worm detection technology always lags behind Internet worm attacks.

This thesis makes a systematic and in-depth study of the propagation model and detection technology of Internet worms. In the field of Internet worm propagation models, the propagation of benign worms, mass-mailing worms and hybrid worms (which combine the strategies of scanning worms and mass-mailing worms) is modeled. In the area of Internet worm detection, an entropy-based Internet worm detection approach, an automatic worm signature extraction approach based on behavioral footprint analysis, and an adaptive distributed worm detection approach are proposed. The specific contents are as follows:

(1) Propagation models of benign worms are proposed. Firstly, a taxonomy of benign worms is developed. Secondly, propagation models for each category are derived both without and with time delay. Finally, simulation validates the models. These models of benign worms lead to a better understanding and prediction of the scale and speed with which benign worms counter the propagation of malicious worms.

(2) Discrete propagation models of mass-mailing worms and hybrid worms are presented. Since the epidemic model is not suitable for modeling mass-mailing worms, a discrete propagation model is proposed for their propagation. Moreover, the propagation of a hybrid worm, which combines the strategies of scanning and mass-mailing worms, is modeled on the basis of this model. Simulation validates the propagation models of both mass-mailing worms and hybrid worms. The mass-mailing worm model is suitable not only for worms that propagate through the e-mail service but also for topological worms that propagate over a similar topology; it is therefore a general Internet worm model.

(3) An entropy-based worm detection approach deployed in routers is presented. During the training phase, Chebyshev's inequality is used to calculate the normal bound of the entropy values with a low probability of false positives. During real-time worm detection, the detector generates an alert when a new input exceeds the normal bound. Experiments indicate that this approach can detect Internet worms accurately and effectively.

(4) An automatic worm signature extraction approach based on behavioral footprint analysis is proposed. To begin with, suspicious worm flows are detected with the CUSUM (Cumulative Sum) algorithm. Then the chronicle formalism is applied to analyze the behavioral footprints in the suspicious worm traffic. Finally, worm signatures are extracted and confirmed by an evaluation function. A prototype system based on the presented algorithm is designed and implemented. The experiment shows that the approach can extract worm signatures effectively and accurately. It is concluded that the behavioral footprints of a worm cannot identify the worm accurately on their own, but they help to locate the worm signatures, which can then be extracted effectively.

(5) An adaptive distributed worm detection approach is proposed. The framework consists of worm detection agents and a control center administrator. Each worm detection agent uses the behavior-based detection approach to generate worm warnings. Based on the detection results from the agents, the control center administrator adjusts the worm detection agents adaptively. The adaptive adjustment function of the control center administrator is derived under ideal conditions. For practical use, an adaptive distributed worm detection algorithm based on a Simulated Annealing Genetic Algorithm (SAGA) is designed. The experiment shows that the SAGA-based adaptive distributed worm detection algorithm can generate early warnings of worms accurately and effectively.
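The two detection primitives named in contributions (3) and (4), the Chebyshev-bounded entropy detector and the CUSUM flow detector, are shown below in a worked example. This is an added illustration written for this page, not code from the dissertation: the feature (Shannon entropy of the destination-address histogram per observation window), the function names, the CUSUM parameters and the traffic histograms are all assumptions constructed here; the thesis's own features and parameters are not given in the abstract.

```python
import math
from collections import Counter


def entropy(histogram):
    """Shannon entropy in bits of a histogram, e.g. destination-IP counts
    observed in one time window. Random-scanning worms spread connections
    over many one-off targets, which drives this value up."""
    total = sum(histogram.values())
    return -sum((c / total) * math.log2(c / total)
                for c in histogram.values() if c)


def chebyshev_bound(samples, max_false_positive=0.05):
    """Training phase: learn the band [mu - k*sigma, mu + k*sigma] from clean
    samples. Chebyshev's inequality holds for any distribution:
    P(|X - mu| >= k*sigma) <= 1/k^2, so k = sqrt(1/p) caps the rate at
    which a normal window falls outside the band at p."""
    n = len(samples)
    mu = sum(samples) / n
    sigma = math.sqrt(sum((x - mu) ** 2 for x in samples) / n)
    k = math.sqrt(1.0 / max_false_positive)
    return mu - k * sigma, mu + k * sigma


def run_entropy_detector(training_windows, live_windows, max_false_positive=0.05):
    """Learn the normal entropy band from clean windows, then return the
    indices of live windows whose entropy leaves that band."""
    lower, upper = chebyshev_bound([entropy(w) for w in training_windows],
                                   max_false_positive)
    return [i for i, w in enumerate(live_windows)
            if not lower <= entropy(w) <= upper]


def cusum_alarms(series, target, drift, threshold):
    """One-sided CUSUM over a per-window count (here: distinct destinations).
    Excess over target + drift accumulates; small jitter decays back to
    zero, a sustained upward shift crosses the threshold and raises an
    alarm, after which the statistic restarts."""
    s, alarms = 0.0, []
    for i, x in enumerate(series):
        s = max(0.0, s + (x - target - drift))
        if s > threshold:
            alarms.append(i)
            s = 0.0
    return alarms


# Constructed sample traffic (assumption): a quiet network where most flows
# go to four internal servers, with slight jitter from window to window.
def normal_window(i):
    return Counter({"10.0.0.1": 40 + i % 3, "10.0.0.2": 30 - i % 3,
                    "10.0.0.3": 20 + i % 2, "10.0.0.4": 10 - i % 2})


TRAINING_WINDOWS = [normal_window(i) for i in range(12)]

# A window with 100 one-off targets (pure scanning) and a mixed window in
# which 60 normal flows are joined by 40 scan targets. Both are constructed.
SCAN_WINDOW = Counter({f"192.0.2.{i}": 1 for i in range(100)})
MIXED_WINDOW = Counter({"10.0.0.1": 24, "10.0.0.2": 18,
                        "10.0.0.3": 12, "10.0.0.4": 6})
MIXED_WINDOW.update({f"198.51.100.{i}": 1 for i in range(40)})
FRESH_NORMAL = Counter({"10.0.0.1": 39, "10.0.0.2": 31,
                        "10.0.0.3": 20, "10.0.0.4": 10})

LIVE_WINDOWS = [normal_window(1), FRESH_NORMAL, normal_window(2),
                MIXED_WINDOW, SCAN_WINDOW]

# Distinct-destination counts per window for the CUSUM stage: twelve clean
# windows (4 servers each) followed by a gradual ramp as scanning starts.
DISTINCT_DESTS = [len(w) for w in TRAINING_WINDOWS] + [15, 20, 25, 30]

if __name__ == "__main__":
    print("entropy alerts (window indices):",
          run_entropy_detector(TRAINING_WINDOWS, LIVE_WINDOWS))
    print("cusum alarms (window indices):",
          cusum_alarms(DISTINCT_DESTS, target=4, drift=2, threshold=50))
```

The two stages complement each other as the abstract describes: the entropy band flags windows whose address distribution no longer looks like the training period (both the pure scan and the partially infected mixed window trip it), while CUSUM flags a sustained drift in a per-window count even when each individual window is only moderately above normal, which is what makes it suitable for picking out suspicious flows to hand on to signature extraction.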
Keywords/Search Tags: network security, Internet worm, benign worm, mass-mailing worm, worm propagation model, worm signature extraction, worm detection