
On The Modeling Of Malicious Mobile Code Propagation And Monitoring

Posted on: 2010-09-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L B Ma
GTID: 1118360308957462
Subject: Information and Communication Engineering
Abstract/Summary:
Modeling the propagation and monitoring of malicious mobile code (MMC) is fundamental research for constructing an effective MMC propagation control and network security defense system. The research in this thesis focuses on some questions in MMC multiple vectors propagation (that is, MMCs spreading themselves in many ways at the same time) and in the deployment of scan monitoring systems. It includes the following four parts.

First, because current network models such as the random network, small world network and scale free network are not suitable for describing the topology of a multiple vectors propagation network, the thesis proposes a new network model called Scale Free Network with Multi-local-worlds and Overlapping Nodes (SFmoN). This network consists of many scale free networks, each generated by a single propagation vector and each forming a local world. Groups of nodes connect densely within a local world but sparsely among local worlds, and overlapping nodes exist between local worlds. Its average path length is shorter than that of the Scale Free Network with Multi-local-worlds (SFmN), and its local world strength is higher than that of the Scale Free Network (SFN). These features reduce the propagation limitation of local worlds in the network and help MMCs attain the propagation capability of an SFN at smaller connection cost. The research results will provide key supporting factors for propagation control.

Second, because current propagation models are not appropriate for describing MMCs' multiple vectors propagation and local propagation scenarios, the thesis proposes a novel propagation model called Two Dimensions Space Propagation Model Based on Multi-local-world (TDSP_MLW). Based on the multi-local-world feature of the propagation network, the model decomposes the whole propagation space into two dimensions, spreading width and spreading depth, which describe the MMCs' propagation procedure among and within local worlds respectively. On the basis of these two space dimensions, all propagation connections can be divided into two types, a local world's inner connections and its outer connections, so that the differences in description between single vector and multiple vectors propagation are unified. Based on the two space dimensions, MMCs' different propagation scenarios can be characterized specifically, so TDSP_MLW is a more general model for describing MMCs' multiple vectors propagation and local propagation scenarios. Using this model, we give a reasonable explanation of real MMCs' multiple vectors outbreak scenarios.

Third, because the deployment of scan monitoring systems currently lacks theoretical guidance, this thesis presents a novel Scan Monitoring Model Based on BGP Route Distribution. On the basis of the model, we put forward a new concept, the deployment threshold, which describes the most economical matching value between the monitoring system's scale and the scanner's scanning width for the same detection probability demand. According to the model and the deployment threshold, we can design an effective monitoring system and propose appropriate detection targets that match our practical deployment resources, avoiding blind deployment as before.

Finally, the MMC propagation model and scan detection model proposed in this thesis are applied to the deployment of a real scan monitoring system: a honeypot-based scan monitoring prototype system is designed and deployed.
Keywords/Search Tags:Malicious Mobile Code, Two Dimensions Space Propagation Model, Multiple Vectors Propagation, Overlapping Node, Scan Monitoring System Deployment