| The significant development of Internet and it's deeply permeating in society provide us much convenience, but the threats we face with are becoming more severe and complicated, such as virus, trojan and worm. As a self-propagation and self-replication program, worm would let to DDOS attack on both computers and the Internet if it has been put on the internet. So it is necessary to research how worm performs on internet and how to detect them. Now, Internet shows the feature of scale-free, since, the primary work in this dissertation focus on worm propagation and detection base on scale-free network.Firstly, several traditional worm propagation models established by differential equation under homogeneous network are introduced, including three classic epidemic disease models and two-factor model. Classic epidemic models are the basic models and they aren't suitable for describing the process of worm propagation. Two-factor model is better to tell the real action of worm, but it still misses some aspects about worm's behavior yet. Researching worm propagation model under homogeneous network can perform a guideline to scale-free network, Since, after analyzing the factors which affect the propagation process, a new model is proposed based on the two-factor model using differential equation, and experiment shows the new model can describe the max number of infected host and the trend of decline more precisely.Secondly, the characteristic of scale-free network is introduced, and the difference of worm propagation between homogeneous and heterogeneous network is compared. In order to analyze the behavior of worm under heterogeneous network, a BA scale-free network is constructed by Matlab, and has done some infection experiments based on the SI model and SIR model. For SI model, the processes of infection followed by random scan and likely topological scan are performed with different initial infectious node, and the result confirms that each node has different ability of propagation. For SIR model, experiments are performed in two aspects which are considering a fluctuated recovery rate depending on node's degree and selecting different node to immune in advance. Both of them tell that removing high degree node restrains the whole propagation process.Lastly, considering the character of heterogeneous in scale free network and the worm's function of self-propagation and self-replication which makes infected hosts show relevant behavior, a worm detection method is proposed based on TK algorithm, using connection failure, the quantity of each node's connection and the similarity of connections as primary detection indicators. Compared with TK model, the proposed algorithm covers more indicators, including the time interval between two connections and each node's traffic. Moreover, by means of changing the form of saving the information of chain and using Rabin fingerprint algorithm to transmit node's history information, our detection avoids to save the same information, besides, the length of each chain is controlled by adding a time threshold, after these improvements, a lot of precious storage space is saved. |
PDF Full Text Request