
Research On Key Technologies Of Malicious Code And Emergency Response In Communication Networks

Posted on: 2014-01-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P Li
Full Text: PDF
GTID: 1228330395484072
Subject: Communication and Information System

Abstract/Summary:
The digitization of communication network services, the move of network technology to IP packet switching, wireless network access, the gradual opening of networks, and the continuing integration of networks have together become the mainstream direction of communication network evolution. With the rapid development and increasing openness of communication networks, network security issues have become increasingly prominent. The thesis summarizes the potential security threats to communication networks from four aspects: service layer security, control layer security, transmission layer security, and access layer security. It elaborates a technical framework for communication network malicious code, and further proposes a complete handling process for the key technical issues involved in malicious code and emergency response in communication networks. The main contributions of the research work cover the following five aspects:

(1) It proposes a technology framework for communication network malicious code and emergency response.

The thesis summarizes the security risks of communication networks and the development trends of malicious code. It designs and implements a communication network malicious code attack platform, which aims to enhance the destructive effect of malicious code, to improve its propagation mechanisms, and to realize intelligent attacks by malicious code; the platform is applied to the softswitch technology used in communication networks. The destructive effect of the malicious code is regarded as the core, and the malicious code is implemented from atomic functions. The thesis focuses on the following malicious code techniques: shellcode design, heap-based overflow attacks, format string attacks, kernel intrusion hiding techniques, techniques for countering antivirus software, and SIP sniffing and denial-of-service techniques.
Meanwhile, the platform is also used to test the functionality and performance of the emergency response system. Based on the analysis of the key technical issues of malicious code attacks, and oriented toward the communication network environment, it proposes a framework for communication network malicious code emergency response, which aims to build the overall architecture for malicious code prevention, to develop effective technologies and means for detecting and preventing malicious code in communication networks, to research malicious code immune technology, and to reasonably assess and evaluate malicious code attacks and the effect of defenses.

(2) It proposes new methods for static and dynamic detection of malicious code.

As the static analysis method, it proposes automatic detection of unknown malicious code based on spatial relevance features. According to the quantitative characteristic vectors of the character space, malicious code samples are divided into spatially related blocks using an intelligent region-growing segmentation algorithm. In each block of a sample, the spatial relations of character moment, information entropy, and correlation coefficient are calculated, the feature vectors are extracted, and normalization is applied. Reference spatial-relation feature vectors are then established through analysis of the general spatial properties of malicious code samples, and a similarity-preferred matching algorithm based on comprehensive analysis of multiple features is adopted to identify the family to which the unknown malicious code belongs. As the dynamic analysis method, it introduces self-similarity characteristics into the dynamic analysis of malicious code processes: it computes the Hurst exponent of the respective series using the R/S method, the aggregated variance method, and Higuchi's method, and matches the similarity of malicious programs of the same type.
It concludes that malicious programs differ from normal programs in their API function calls, and that malicious programs of the same type are self-similar, so that malicious programs can be identified dynamically. Moreover, it proposes dynamic Rootkit detection based on fuzzy pattern recognition and support vector machine technology. It forms feature vectors by counting the importance of the generating elements of the system call series, reaches a fuzzy pattern recognition conclusion using the weighted averaging method, and then precisely locates the type of Rootkit malicious code using a layered multi-attribute support vector machine analysis. Finally, it determines the dynamic behaviour properties by calculating the Hamming distance.

(3) It proposes malicious code attack evaluation based on a synthetic entropy method.

It combines the cross entropy and network character entropy methods and proposes a design scheme for evaluating the effect of malicious code attacks. It captures the related indicators in real time and normalizes the data so that they can be evaluated on the same scale; it then adopts the cross entropy method to preprocess the indicators adaptively; further, it calculates the weight coefficients and applies the network character entropy method to evaluate the attack accurately according to the importance of each indicator in the evaluation system. It also carries out follow-up assessment feedback based on the previous network attack assessment. It concludes that with the network character entropy method one can not only visually recognize the presence of a network attack and determine its effect, but also accurately locate the attack's start and end times.

(4) It proposes an immune model and algorithm improvements for communication network malicious code.

It implements a network malicious code immune model.
The malicious code immunization program is mainly composed of four components: the immune information collection program, the immune information filtering and processing program, the immune information discrimination program, and the immune response program. Because incorrect signal classification significantly affects the detection accuracy of current immune algorithms, it proposes a network malicious code dendritic cell immune algorithm based on a fuzzy weighted support vector machine. It introduces fuzzy weighted support vector machine clustering into the proposed immune algorithm so as to reduce the number of immunization strategies and the immune response time, thereby improving the efficiency and performance of the immune system. In addition, an imbalanced support vector machine is applied to optimize the outputs of the malicious code immunization program, and uncertain malicious code immune outputs are removed. As a result, the time at which an immune response emerges can be determined precisely.

(5) It designs and implements a prototype system for malicious code and emergency response.

To verify the communication network malicious code and emergency response technology, a prototype system is implemented. The malicious code prototype system carries out five steps: setting up the softswitch platform, preparatory work on worms and webpage Trojan horses, formulation of the attack strategy, execution of the malicious code, and feedback on the malicious code attacks. The emergency response prototype system covers monitoring of suspicious programs, static and dynamic detection of malicious code, malicious code damage assessment, and the malicious code immune process.
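The static detection method of contribution (2) is described only at the level of "block features, reference vectors, similarity matching". The following is an added worked example written for this page, not the thesis's implementation: it splits a sample into a fixed number of equal-length blocks (a deliberate simplification of the region-growing segmentation the abstract uses), computes per-block first and second moments, information entropy and lag-1 correlation, scales them to [0, 1], builds one reference vector per family as the mean of its members, and assigns an unknown sample to the family with the highest cosine similarity. All family names and sample bytes are constructed with a deterministic generator and are not real malware.

```python
"""Static detection of unknown malicious code from block-wise byte features (added example)."""
import math

NUM_BLOCKS = 8  # fixed segmentation; stands in for the thesis's region-growing step


def block_features(block):
    """[first moment, second moment, entropy, lag-1 correlation], each scaled to [0, 1]."""
    n = len(block)
    if n == 0:
        return [0.0, 0.0, 0.0, 0.5]
    mu = sum(block) / n
    var = sum((b - mu) ** 2 for b in block) / n
    sd = math.sqrt(var)
    counts = {}
    for b in block:
        counts[b] = counts.get(b, 0) + 1
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    if sd > 0 and n > 1:
        cov = sum((block[i] - mu) * (block[i + 1] - mu) for i in range(n - 1)) / (n - 1)
        corr = max(-1.0, min(1.0, cov / var))
    else:
        corr = 0.0
    # byte mean is at most 255, byte std at most 127.5, byte entropy at most 8 bits
    return [mu / 255.0, sd / 127.5, entropy / 8.0, (corr + 1.0) / 2.0]


def sample_vector(data, num_blocks=NUM_BLOCKS):
    """Concatenate the normalized features of num_blocks equal-length blocks."""
    size = max(1, len(data) // num_blocks)
    vec = []
    for k in range(num_blocks):
        start = k * size
        block = data[start:start + size] if k < num_blocks - 1 else data[start:]
        vec.extend(block_features(block))
    return vec


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def build_references(labelled):
    """labelled: {family: [bytes, ...]} -> {family: mean feature vector}."""
    refs = {}
    for family, samples in labelled.items():
        vecs = [sample_vector(s) for s in samples]
        refs[family] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return refs


def classify(data, refs):
    """Return (family, similarity) of the reference closest to the unknown sample."""
    vec = sample_vector(data)
    return max(((f, cosine(vec, r)) for f, r in refs.items()), key=lambda t: t[1])


# --- constructed corpus (hypothetical families, deterministic bytes) -------------
def _lcg_bytes(n, seed):
    """High-entropy bytes from a linear congruential generator (a packed section stand-in)."""
    state, out = seed, bytearray()
    for _ in range(n):
        state = (1103515245 * state + 12345) % (1 << 31)
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def _text_bytes(n, seed):
    """Low-entropy repetitive ASCII (a script or strings section stand-in)."""
    words = [b"alpha ", b"beta ", b"gamma ", b"delta "]
    out, i = bytearray(), seed
    while len(out) < n:
        out.extend(words[i % 4])
        i += 1
    return bytes(out[:n])


def constructed_corpus():
    return {
        "packed_family": [_lcg_bytes(4096, s) for s in (1, 2, 3)],
        "script_family": [_text_bytes(4096, s) for s in (0, 1, 2)],
    }


if __name__ == "__main__":
    refs = build_references(constructed_corpus())
    print(classify(_lcg_bytes(4096, 99), refs))
    print(classify(_text_bytes(4096, 3), refs))
```

The feature scaling makes every component comparable before the similarity step; without it the byte mean (up to 255) would dominate the entropy (up to 8 bits) in any distance or cosine computation.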
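Contribution (2) also relies on the Hurst exponent of a process's API-call series as a self-similarity measure. The following is an added example, not code from the thesis: it implements two of the three estimators the abstract names, the rescaled-range (R/S) method and the aggregated variance method, from scratch over per-window API-call counts. The traces are constructed with a deterministic generator (an uncorrelated trace and a strongly autocorrelated one, standing in for "normal" and "bursty" behaviour); the `same_family` tolerance is an assumed value, not one taken from the thesis.

```python
"""Hurst exponent of per-window API-call counts via R/S and aggregated variance (added example)."""
import math
from statistics import mean


def _lcg(seed):
    """Deterministic pseudo-random stream in [0, 1) so the demo is reproducible."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % (1 << 31)
        yield state / (1 << 31)


def make_white_series(n, seed=1):
    """Constructed trace: uncorrelated call counts around 20 per window."""
    rnd = _lcg(seed)
    return [20 + 10 * (next(rnd) - 0.5) for _ in range(n)]


def make_persistent_series(n, seed=2, phi=0.95):
    """Constructed trace: AR(1) call counts, so bursts persist across many windows."""
    rnd = _lcg(seed)
    x, out = 0.0, []
    for _ in range(n):
        x = phi * x + (next(rnd) - 0.5)
        out.append(20 + 10 * x)
    return out


def _slope(xs, ys):
    """Least-squares slope of ys on xs (the log-log fits below)."""
    mx, my = mean(xs), mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def _block_sizes(n, smallest, min_blocks):
    """Powers of two from `smallest` while at least min_blocks blocks fit in n."""
    sizes, size = [], smallest
    while n // size >= min_blocks:
        sizes.append(size)
        size *= 2
    return sizes


def hurst_rs(series, smallest=8, min_blocks=2):
    """Rescaled-range estimate: log(R/S) grows as H * log(block size)."""
    n = len(series)
    log_n, log_rs = [], []
    for size in _block_sizes(n, smallest, min_blocks):
        ratios = []
        for start in range(0, n - size + 1, size):
            chunk = series[start:start + size]
            m = mean(chunk)
            cum, hi, lo = 0.0, 0.0, 0.0
            for v in chunk:                 # cumulative deviation from the block mean
                cum += v - m
                hi, lo = max(hi, cum), min(lo, cum)
            sd = math.sqrt(sum((v - m) ** 2 for v in chunk) / size)
            if sd > 0:
                ratios.append((hi - lo) / sd)   # range R over standard deviation S
        if ratios:
            log_n.append(math.log(size))
            log_rs.append(math.log(mean(ratios)))
    if len(log_n) < 2:
        return None  # constant or too-short series: no fit possible
    return _slope(log_n, log_rs)


def hurst_aggvar(series, min_blocks=16):
    """Aggregated-variance estimate: Var(block means) scales as m^(2H-2)."""
    n = len(series)
    log_m, log_var = [], []
    for m in _block_sizes(n, 1, min_blocks):
        means = [mean(series[i:i + m]) for i in range(0, n - m + 1, m)]
        mu = mean(means)
        var = sum((x - mu) ** 2 for x in means) / len(means)
        if var > 0:
            log_m.append(math.log(m))
            log_var.append(math.log(var))
    if len(log_m) < 2:
        return None
    return 1.0 + _slope(log_m, log_var) / 2.0


def same_family(h_a, h_b, tol=0.1):
    """Similarity match: two traces whose exponents agree within tol (assumed tolerance)."""
    return h_a is not None and h_b is not None and abs(h_a - h_b) <= tol


if __name__ == "__main__":
    white, bursty = make_white_series(1024), make_persistent_series(1024)
    print("R/S   :", hurst_rs(white), hurst_rs(bursty))
    print("aggvar:", hurst_aggvar(white), hurst_aggvar(bursty))
```

Both estimators are biased for short series and for short-range dependence, which is why the abstract uses several of them side by side; in practice a practitioner would compare exponents only between traces of the same length and window size.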
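Contribution (3) evaluates an attack's effect from weighted, normalized indicators and locates its start and end from a network character entropy. The following is an added example for this page, not the thesis's scheme: the indicator weighting uses the standard entropy weight method (an assumed stand-in for the abstract's cross-entropy preprocessing), and the network character chosen is the Shannon entropy of the source-address distribution per one-second window, with the attack interval taken as the longest run of windows whose entropy departs from a learned baseline. Flow records and indicator values are constructed; the flood source uses a documentation address.

```python
"""Entropy-based attack-effect scoring and attack-interval location (added example)."""
import math
from collections import Counter


def entropy_weights(matrix):
    """Entropy weight method: matrix[i][j] is indicator j in window i (values >= 0).
    An indicator that never changes has entropy 1 and therefore weight 0."""
    rows, cols = len(matrix), len(matrix[0])
    scale = 1.0 / math.log(rows)
    divergence = []
    for j in range(cols):
        col = [row[j] for row in matrix]
        total = sum(col)
        probs = [v / total for v in col] if total > 0 else [1.0 / rows] * rows
        e = -scale * sum(p * math.log(p) for p in probs if p > 0)
        divergence.append(1.0 - e)
    norm = sum(divergence)
    return [d / norm for d in divergence] if norm > 0 else [1.0 / cols] * cols


def normalize_columns(matrix):
    """Min-max scaling per indicator so all columns are compared on [0, 1]."""
    cols = list(zip(*matrix))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)]
            for row in matrix]


def attack_scores(matrix):
    """Per-window attack-effect score in [0, 1]."""
    weights = entropy_weights(matrix)
    return [sum(w * v for w, v in zip(weights, row)) for row in normalize_columns(matrix)]


def shannon_entropy(counter):
    total = sum(counter.values())
    return -sum((c / total) * math.log2(c / total) for c in counter.values())


def window_entropy(records, window):
    """records: (timestamp, src) pairs -> {window index: entropy of the src distribution}."""
    buckets = {}
    for ts, src in records:
        buckets.setdefault(int(ts // window), Counter())[src] += 1
    return {w: shannon_entropy(c) for w, c in sorted(buckets.items())}


def locate_attack(entropies, baseline_windows, min_delta=0.5, k=3.0):
    """(start, end) of the longest run of windows deviating from the baseline, else None."""
    base = [entropies[w] for w in baseline_windows]
    mu = sum(base) / len(base)
    sd = math.sqrt(sum((b - mu) ** 2 for b in base) / len(base))
    threshold = max(k * sd, min_delta)  # floor keeps a flat baseline from flagging noise
    flagged = [w for w, h in entropies.items() if abs(h - mu) > threshold]
    if not flagged:
        return None
    best_start = best_end = run_start = prev = flagged[0]
    for w in flagged[1:]:
        if w != prev + 1:
            run_start = w
        prev = w
        if prev - run_start > best_end - best_start:
            best_start, best_end = run_start, prev
    return best_start, best_end


# --- constructed data ----------------------------------------------------------
def constructed_indicators():
    """Rows = 1 s windows; columns = [SIP INVITE rate, CPU %, a constant indicator]."""
    base, attack = [50.0, 30.0, 10.0], [400.0, 90.0, 10.0]
    return [base] * 4 + [attack] * 3 + [base] * 3


def build_records():
    """Ten 1 s windows of flows from 8 equal sources; windows 4-6 add a single-source flood."""
    sources = ["10.0.0.%d" % i for i in range(1, 9)]
    records = []
    for w in range(10):
        for i in range(80):
            records.append((w + i / 80, sources[i % 8]))
        if 4 <= w <= 6:
            for i in range(900):
                records.append((w + i / 900, "198.51.100.7"))  # constructed flood source
    return records


if __name__ == "__main__":
    print("scores :", attack_scores(constructed_indicators()))
    ent = window_entropy(build_records(), 1.0)
    print("entropy:", ent, "attack:", locate_attack(ent, [0, 1, 2, 3]))
```

A single-source flood lowers source entropy; a widely distributed one raises it, which is why the deviation test is two-sided. The baseline windows must be known-clean, otherwise the threshold absorbs the attack it should reveal.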
Keywords/Search Tags: Malicious Code, Emergency Response, Communications Network, Prototype System of Malicious Code, Malicious Code Detection, Malicious Code Attack Evaluation, Malicious Code Immunization