Research on Data Hiding and Propagation Models for Benign Worms
Abstract
As networks occupy an increasingly important position in social life, the damage caused by malicious worms grows more severe, far exceeding that of traditional viruses. Traditional security techniques for countering malicious worms are no longer adequate. To bring the spread of malicious worms under basic control, an approach different from the earlier practice of defending against individual malicious worms one at a time is needed, because there are thousands of kinds of malicious worms, each of which spawns many variants; worse, worm authors are increasingly using artificial intelligence techniques to conceal their worms more effectively. Research on malicious worms is therefore urgent, and only by staying technically ahead of them can a given malicious worm be countered effectively when it appears. Within the field of malicious worm defense, benign worms have received relatively little study. In particular, most research on the propagation of benign worms has not considered the impact a benign worm has on network and user systems while it fights a malicious worm. Studying the propagation and resource consumption of benign worms therefore has positive theoretical significance and practical reference value for the defense against malicious worms.
     The research work of this thesis focuses on the following areas:
     1. For the first time, hosts penetrated by the benign worm are classified into two kinds, penetrated hosts and scanning hosts, which offers a new perspective for reducing the network traffic generated during benign worm propagation.
     2. A feedback-based rotating scanning propagation model and a propagation algorithm based on a B+ Address Tree (BAT) are proposed, and the propagation algorithm is simulated and compared against an alternative. The simulation results show that, according to the malicious worm's outbreak situation and the application requirements, the benign worm can choose different numbers of scanning hosts for propagation. The comparison shows that once the number of scanning hosts reaches the preset value, the network traffic of the BAT-based algorithm stays steady and is lower than that of the ET-based propagation algorithm.
     3. An XML-based application-layer network protocol and a benign worm system supporting the propagation model of this thesis are designed, implemented and tested. The results show that the XML-based application-layer protocol can be parsed well during benign worm propagation and supports the propagation model, and that the design of the benign worm interaction workflow matches real conditions and meets the requirements of this thesis.
     4. A data hiding function is designed and implemented. Data that is only needed temporarily can be hidden, reducing the resource footprint on the user's system.
As networks play an ever more important part in social life, malicious worms do more harm than traditional viruses. Traditional security technologies can no longer deal with malicious worms well. To bring the spread of malicious worms under control, we need a method different from the past practice of defending against a single malicious worm at a time: there are thousands of types of malicious worms, each type can derive many variants, and worm writers are increasingly using artificial intelligence to hide their worms better. Research on malicious worms is therefore urgently needed, and only if we are well prepared technically can effective prevention and treatment be applied when a malicious worm appears.
     There are few studies on benign worms for the prevention and treatment of malicious worms, and most studies on benign worms do not consider the influence the benign worm has on the network and user systems while it fights malicious worms. Studying the proliferation and resource usage of benign worms therefore has positive theoretical and practical reference value for the prevention and treatment of malicious worms.
     The contributions of this thesis are as follows:
     Firstly, the computers infected by the benign worm are classified into infected computers and scanning computers, which offers another viewpoint for reducing network traffic during the proliferation of the benign worm.
     Secondly, a rotating scanning model based on feedback and a propagation algorithm based on a B+ Address Tree (BAT) are proposed. The propagation algorithm is simulated and compared with a propagation algorithm based on an Exponential Tree (ET). The simulation shows that, according to the malicious worm's propagation, different numbers of scanning hosts can be chosen to spread the benign worm. The comparison shows that after the number of scanning hosts reaches the given value, the network traffic of the BAT-based algorithm is stable and lower than that of the ET-based algorithm.
     Thirdly, an application-layer network protocol that fits the model of this thesis, and a benign worm system, are designed, implemented and tested. The tests show that the protocol can be parsed correctly and supports the model well, and that the design of the benign worm system's interaction process accords with practice and meets the requirements of this thesis.
     Lastly, a data hiding feature is designed and implemented. Temporarily needed data can be hidden, which reduces occupancy of the user's system resources.
