Virtual Propagation Environment Of Network Worms

Posted on: 2008-09-04
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Qiao
GTID: 2178360242960159
Subject: Software engineering
Abstract/Summary:
As Internet applications have developed, network worms have become a steadily growing threat to the security of computer systems and networks. In networked environments in particular, diverse propagation methods and complex application environments have made worm outbreaks more frequent, stealthier, broader in coverage, and more costly. Governments and worm research organizations at home and abroad attach great importance to worm research. The American government recently invested 5,460,000 dollars for UC Berkeley and the University of Southern California to establish a network attack testbed for research on worms, viruses and related topics; the testbed's equipment reaches a thousand hosts. In October 2003, a seminar on network worms was convened in Washington DC. It discussed the development history and future trends of Internet worms, the classification of computer worms, worm traffic simulation, the design and testing of worm early-warning systems, the simulation of worm propagation, worm model analysis, and isolation techniques. Domestically, network worm research is gradually being taken seriously, and the government and security companies are actively working on worm prevention and control.

A large-scale worm outbreak is a relatively rare security problem, but it lets an attacker take control of a large number of hosts in a very short time, launch DDoS attacks, steal confidential information and destroy essential data, so every outbreak has an enormous impact. Researchers continue to improve algorithms for worm detection and containment. Obtaining a worm's propagation sequence (that is, tracing the worm's attack path in reverse) is a very important direction: it can infer which node was infected earliest, and also the sequence in which the other nodes were infected during the spread. The results are of great significance for restraining worm propagation and for investigation and evidence collection.

Tracing research on large-scale network worms needs a reliable experimental environment for the algorithms. A real-time tracing algorithm must first undergo theoretical analysis, proving that the algorithm is accurate under its assumptions and preconditions. Different tracing models are then established through the interpretation and use of certain parameters of the algorithm. But theoretical calculation cannot truly reflect how the algorithm behaves when executed. Many researchers use network simulation platforms such as ns2 or parallel ns2 to build simulated test environments for reverse tracing, simulating over a thousand nodes under different network topologies and bandwidths. But simulation is better suited to modeling and is not real propagation: the simulated process is too idealized to reflect the real behaviour of the simulated operating system, and it places extremely high performance demands on the host used for testing. Using physical hosts for large-scale worm tracing experiments is not feasible either. First, thousands of physical hosts cannot be guaranteed; second, worm experiments are highly destructive, the many hosts used in an experiment cannot be quickly restored to use, and the management and configuration workload is enormous.

In recent years, the development of virtualization technology has promoted its application in network security research. Researchers have begun to use virtualization for experiments in worm detection and defense. It can run a number of virtual hosts with real operating systems installed on one physical host and connect them to a network. Apart from performance, an external visitor cannot perceive any difference. In this way, virtual machine technology can be used to build a virtual experimental environment that closely matches the real situation and can be flexibly controlled, sealed off and reused. Optimizing the virtual machines and operating systems reduces the performance demanded of the physical host. With optimized virtual machine technology, over a thousand operating system nodes can be virtualized in an environment of dozens of physical hosts, making it possible to clearly observe the network worm, and further the intruder's motives, tools and methods, in the operating system and during network propagation.

This paper proposes an experimental environment for large-scale worm propagation, used for reverse tracing, in which the related experiments can be carried out in isolation. The environment uses virtual machine technology to virtualize a large number of hosts and network devices, conforming to real networks as far as possible. Using real worms within a scope that people can control, it starts a large-scale worm outbreak, observes the worm's propagation process, tests detection and defensive measures, and discovers the characteristics of worm propagation such as scanning and the infection process, collecting network traffic data and the infection process in real time. The network traffic is examined, and the path-inference algorithm is run to discover the propagation source and the propagation path. The real worm's propagation process can thus be obtained and compared with the algorithm's experimental results.
Keywords/Search Tags: Propagation