Research on P2P Worm Behavior Models and Containment Methods
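Abstract
P2P technology has developed rapidly in recent years, and applications built on it have expanded from file sharing to real-time voice and image transmission. At the same time, malicious attacks against P2P software and P2P networks are increasing; among them, P2P worms spread fastest and are the most destructive. A P2P worm is malicious code that propagates automatically over a P2P network. It hides easily within normal P2P traffic and uses P2P topology information to accelerate its spread, which makes detection and containment harder.
     Studying behavior models of P2P worms not only helps researchers understand their propagation principles and infection mechanisms in depth, but also directly supports P2P worm detection and containment. However, the P2P worm behavior models proposed so far share a common problem: they oversimplify the factors that affect propagation, so they cannot describe the propagation behavior of P2P worms well or predict its trend. On the containment side, there is as yet no ideal method that handles the three core issues of accuracy, real-time performance and efficiency well.
     This thesis studies both P2P worm behavior models and P2P worm containment techniques in depth, with the following three results:
     1. It proposes the CTDS model (C—Countermeasures, T—Topology, D—Diversity, S—Strategies) for describing P2P worm behavior. The thesis argues that four factors clearly affect the speed and trend of P2P worm propagation: network topology, the countermeasures taken by ordinary users and Internet service providers (ISPs), differences in node configuration, and attack and defense strategies. Based on these four factors, it proposes a discrete-time behavior model of P2P worms and analyzes it quantitatively through simulation experiments. The experiments show that the CTDS model accurately describes P2P worm propagation behavior. They also show that increasing the diversity of node configurations and immunizing highly connected nodes in advance effectively contain P2P worm propagation. This model was developed jointly by the author and the graduate students the author supervises.
     2. It proposes a method for containing malicious P2P worms with benign P2P worms. Two benign P2P worms that differ in both function and propagation strategy are used jointly against the malicious P2P worm. The thesis first assumes that, in the absence of benign P2P worms, the malicious P2P worm spreads according to the CTDS model. On this basis, it derives a series of discrete difference equations describing the contest between the benign and malicious worms. Comparative experiments against purely manual countermeasures and against a benign worm that spreads by random scanning lead to the conclusion that the proposed benign P2P worm method contains malicious P2P worms faster and more effectively. The experiments also find that the benign P2P worms consume less network bandwidth than a random-scanning benign worm.
     3. It proposes a distributed method for automatically extracting worm signatures. To contain P2P worms in real time, the thesis proposes extracting a worm signature automatically as soon as a P2P worm is detected, and using that signature to contain its spread. The method can extract signatures from highly polymorphic worms and resists techniques that subvert automatic extraction, such as the Red herring attack, Correlated outlier attack, Suspicious pool poisoning attack, Innocuous pool poisoning attack and Allergy attack. Experimental results show that the signatures extracted by this method contain P2P worms accurately.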
In recent years, P2P (Peer-to-Peer) techniques have been booming, and applications based on them now range from file sharing to real-time video and graphic transmission. At the same time, malicious attacks aimed at P2P software and P2P networks are springing up. Among P2P threats, the P2P worm spreads fastest and is the most destructive. A P2P worm is a kind of malicious code that spreads itself automatically. It can speed up its propagation by using P2P topology information. Moreover, a P2P worm tends to camouflage itself in normal P2P traffic. Therefore, both P2P worm detection and quarantining are complicated tasks.
     Research on behavior models of P2P worms helps in understanding their spread strategies and infection mechanisms. Furthermore, it clearly benefits research on P2P worm detection and containment. However, current P2P worm behavior models share a common drawback: they excessively simplify the factors that evidently affect worm propagation. Hence, these models can neither depict the spread behavior nor forecast the spread trend of P2P worms accurately. In the area of P2P worm quarantining, current techniques are not ideal in accuracy, real-time performance and efficiency.
     This paper focuses on behavior models and quarantining methods for P2P worms. It makes three major contributions:
     1. Proposing the CTDS model (C—Countermeasures, T—Topology, D—Diversity, S—Strategies) for depicting P2P worm behavior. The CTDS model holds that four factors clearly affect worm propagation: P2P topology, the countermeasures of common users and ISPs (Internet Service Providers), configuration diversity, and attack and defense strategies. The CTDS model is a set of discrete-time difference equations that takes the four factors into account. Quantitative analysis by simulation shows that the CTDS model depicts worm propagation accurately. Furthermore, experiments show that P2P worms can be contained by increasing configuration diversity and by protecting the most connected nodes from compromise beforehand. The research on the CTDS model was completed by the author and the author's graduate students.
     2. Proposing a benign-P2P-worm-based method to contain malicious P2P worms. This paper introduces two kinds of benign P2P worms, which differ in function and spread strategy, to battle against the malicious P2P worm cooperatively. First, this paper assumes that the malicious P2P worm follows the CTDS model when no benign worm is present. Then a series of difference equation sets is derived to depict the interplay between benign and malicious P2P worms. Compared with purely manual countermeasures and a random-scanning benign worm, the benign P2P worms proposed in this paper spread faster and quarantine better. Moreover, experiments demonstrate that the benign P2P worms consume less bandwidth than their random-scanning counterpart.
     3. Proposing, with my students, a distributed self-immune automated signature generation method for P2P worms. To contain P2P worms in real time, it is necessary to generate and distribute worm signatures automatically immediately after a P2P worm is detected. The method introduced in this paper can generate accurate signatures for sophisticated polymorphic P2P worms. Furthermore, it is resistant to many attacks that aim at subverting ASG (Automated Signature Generation) systems, such as the Red herring attack, Correlated outlier attack, Suspicious pool poisoning attack, Innocuous pool poisoning attack and Allergy attack. Experiments show that signatures produced by this method are accurate in containing P2P worms.