
Research of P2P Worm Behavior Model and Its Quarantining Methods

Posted on: 2012-10-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X S Zhang
Full Text: PDF
GTID: 1488303359458704
Subject: Information security
Abstract/Summary:
In recent years, P2P (Peer-to-Peer) techniques have been booming, and applications based on P2P techniques range from file sharing to real-time video and graphics transmission. At the same time, malicious attacks aimed at P2P software and P2P networks are springing up. Among the kinds of P2P threats, the P2P worm spreads fastest and is most destructive. A P2P worm is a kind of malicious code that can spread itself automatically. It is able to speed up its propagation by using P2P topology information. Moreover, a P2P worm is inclined to camouflage itself in normal P2P traffic. Therefore, both P2P worm detection and quarantining are complicated tasks.

Research on the behavior model of the P2P worm is beneficial for learning the spread strategies and infection mechanism of the P2P worm. Furthermore, it clearly helps the research on P2P worm detection and containment. However, there is a common drawback in current P2P worm behavior models: they excessively simplify the factors that evidently affect worm propagation. Hence, these current models can neither depict the spread behavior nor forecast the spread trend of the P2P worm accurately. In the research area of P2P worm quarantining, current techniques are not perfect in accuracy, real-time response and efficiency.

This paper focuses on the research of the behavior model and quarantining methods of the P2P worm. There are three major contributions of this paper:

1. Proposing the CTDS model (C: Countermeasures, T: Topology, D: Diversity, S: Strategies) for depicting the P2P worm's behavior. The CTDS model holds that four factors clearly affect worm propagation: P2P topology, the countermeasures of common users and ISPs (Internet Service Providers), configuration diversity, and attack and defense strategies. The CTDS model is a discrete-time difference equation set that takes the four factors into the modeling. Quantitative analysis by simulation shows that the CTDS model can depict worm propagation accurately. Furthermore, experiments show that the P2P worm can be contained by increasing the configuration diversity and by protecting the most connected nodes from compromise beforehand. Research on the CTDS model was completed by the author and the author's graduate students.

2. Proposing a benign-P2P-worm-based method to contain the malicious P2P worm. This paper introduces two kinds of benign P2P worms, which differ in function and spread strategy, to battle against the malicious P2P worm cooperatively. At first, this paper assumes that the malicious P2P worm follows the CTDS model without considering the benign worm. Then a series of difference equation sets is derived to depict the interplay of benign and malicious P2P worms. Compared with purely manual countermeasures and a random-scanning benign worm, the benign P2P worm proposed in this paper spreads faster and quarantines better. Moreover, experiments demonstrate that the benign P2P worm consumes less bandwidth than its random-scanning counterpart.

3. Proposing, with my students, a distributed self-immune automated signature generation method for the P2P worm. In an attempt to contain the P2P worm in real time, it is necessary to generate and distribute worm signatures automatically, immediately after the P2P worm is detected. The method introduced in this paper can generate accurate signatures for sophisticated polymorphic P2P worms. Furthermore, this method is resistant to many attacks that aim at subverting ASG (Automated Signature Generation) systems, such as the Red herring attack, Correlated outlier attack, Suspicious pool poisoning attack, Innocuous pool poisoning attack and Allergy attack. Experiments show that the signatures produced by this method are accurate in containing the P2P worm.
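The abstract states that the CTDS model is a discrete-time difference equation set over four factors and that raising configuration diversity and pre-protecting the most connected peers contains the worm, but it gives no equations. The following simulator is an added illustration written for this page; it is not the dissertation's CTDS model and does not reproduce its equations. It assumes a constructed preferential-attachment overlay (so a few peers become hubs), a worm that scans neighbour lists, round-robin configuration classes of which the worm can exploit only one, and user/ISP countermeasures modelled as a fixed clean-up delay. All graph parameters, the 60-peer size and patient zero are constructed values.

```python
"""Toy discrete-time P2P worm propagation simulator (added illustration).

Not the dissertation's CTDS equation set; the page does not give them. This
turns the four CTDS factors into knobs on a step-by-step model: topology (a
constructed overlay graph), countermeasures (a clean-up delay), configuration
diversity (round-robin config classes, the worm exploits one class) and
strategy (fixed here: each infected peer scans its own neighbour list).
"""
import random
from typing import Dict, Optional, Set, Tuple


def build_overlay(n: int, m: int = 2, seed: int = 7) -> Dict[int, Set[int]]:
    """Constructed overlay: preferential attachment, so a few peers become hubs.

    Every new peer links to m existing peers chosen proportionally to degree;
    the graph is connected by construction and seeded so runs are repeatable.
    """
    rng = random.Random(seed)
    adj: Dict[int, Set[int]] = {i: set() for i in range(n)}
    adj[0].add(1)
    adj[1].add(0)
    pool = [0, 1]  # degree-weighted pool: each endpoint appears once per edge
    for new in range(2, n):
        chosen: Set[int] = set()
        while len(chosen) < min(m, new):
            chosen.add(rng.choice(pool))
        for old in chosen:
            adj[new].add(old)
            adj[old].add(new)
            pool.extend((new, old))
    return adj


def simulate(adj: Dict[int, Set[int]], patient_zero: int, diversity: int = 1,
             protected_hubs: int = 0, response_delay: Optional[int] = None,
             max_steps: int = 10_000) -> Tuple[int, int, int]:
    """Spread a neighbour-list-scanning worm; return
    (total peers ever infected, peak simultaneously infected, steps run).

    diversity      -- number of configuration classes; peer v runs class v % diversity
                      and the worm only compromises the class of patient zero.
    protected_hubs -- the k highest-degree peers are hardened before the outbreak.
    response_delay -- steps after which an infected peer is cleaned and patched
                      (None: nobody reacts).
    """
    config = {v: v % diversity for v in adj}
    target_cfg = config[patient_zero]
    by_degree = sorted(adj, key=lambda v: (-len(adj[v]), v))
    immune: Set[int] = set(by_degree[:protected_hubs])
    infected_since: Dict[int, int] = {}      # peer -> step at which it was infected
    if patient_zero not in immune:
        infected_since[patient_zero] = 0
    total = peak = len(infected_since)
    step = 0
    for step in range(1, max_steps + 1):
        # every infected peer scans its neighbour list and hits vulnerable peers
        newly: Set[int] = set()
        for v in infected_since:
            for w in adj[v]:
                if (w not in infected_since and w not in immune
                        and config[w] == target_cfg):
                    newly.add(w)
        for w in newly:
            infected_since[w] = step
        total += len(newly)
        # countermeasures: users/ISPs clean a peer response_delay steps after infection
        if response_delay is not None:
            for v in [v for v, t in infected_since.items() if step - t >= response_delay]:
                del infected_since[v]
                immune.add(v)
        peak = max(peak, len(infected_since))
        if not newly and (response_delay is None or not infected_since):
            break  # saturated (nobody cleans) or the worm has died out
    return total, peak, step


if __name__ == "__main__":
    overlay = build_overlay(60)            # constructed 60-peer overlay
    scenarios = [("baseline", {}),
                 ("3 hubs protected", {"protected_hubs": 3}),
                 ("4 config classes", {"diversity": 4}),
                 ("clean-up after 1 step", {"response_delay": 1})]
    for label, kw in scenarios:
        print(f"{label:22s} total/peak/steps = {simulate(overlay, 59, **kw)}")
```

Running the four scenarios side by side shows the two levers the abstract names: hardening the top-degree peers and splitting the population into configuration classes both cut the worm's reachable population, while a fast clean-up on its own lowers the number of peers infected at any one moment but does not stop a neighbour-list worm from eventually touching every reachable vulnerable peer.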
Keywords/Search Tags: P2P Worm, CTDS Model, Benign Worm, Automated Signature Generation