
Research on Worm Simulation Methods and Detection Technologies (original title: 蠕虫模拟方法和检测技术研究)

Research on Worm Simulation Methods and Detection Technologies

【Author】 Chen Yufeng (陈宇峰)

【Supervisors】 Pan Yunhe (潘云鹤); Lu Dongming (鲁东明)

【Author information】 Zhejiang University, Computer Science and Technology, 2006, Doctoral dissertation

【Abstract (translated from the Chinese)】 Because of their severe damage, wide attack range and rapid outbreak, worms have become one of the most serious security threats facing the Internet. The lack of an effective simulation environment hampers in-depth research on worms, and the inaccuracy of detection techniques weakens the effectiveness of worm prevention, containment and emergency response. Since research on worms inside local networks (internal networks) plays a key role in early warning and propagation control, this dissertation takes the local network as its background environment and studies worm simulation methods and detection techniques, laying a foundation for in-depth worm research, early warning and emergency response. The work has both theoretical significance and broad application prospects.

The dissertation first studies traffic models at the network aggregate level and at the host level. At the aggregate level, a bi-directional TCP traffic model is established for generating background traffic in worm simulation: taking TCP connections as the object of study, it describes the statistical properties of TCP connection requests and responses separately at several time scales. At the host level, a periodic burst traffic model for "latency-limited" worm hosts is established to describe the statistical characteristics of worm scanning traffic, so that worm traffic can be simulated accurately. The differences between worm traffic and normal host traffic in self-similarity and in the heavy-tailed behaviour of related statistical indices are analysed, and candidate indices for worm detection are proposed, including the inter-arrival time, request size, response size, duration and RTT of "first contact connections".

Second, a worm simulation environment is built and the impact of worm traffic on the network is studied. In this environment, background traffic is generated by a "semi-structured" TCP aggregate traffic simulation framework that balances accuracy and efficiency. The framework uses the bi-directional TCP traffic model, abstracts the local network as a single node, and studies separately the method of generating aggregate traffic at the application layer and the method of controlling aggregate traffic at the transport layer; its validity, stability, comparability and efficiency are verified. For worm traffic simulation, a mixed abstraction level framework simulates the worm propagation process and the periodic burst traffic model simulates the scanning traffic of worm hosts; compared with the traditional constant-rate worm traffic model, this model better captures worm scanning traffic and its effect on the network.

Third, worm detection indices and detection techniques are studied. Combined with an analysis of worm behaviour, the failure probability, request size and inter-arrival time of "first contact connections" are extracted from the candidate indices as detection indices. Exploiting the heavy-tail anomalies of worm traffic on these indices, two anomaly detection algorithms for unknown worms are proposed using statistical classification techniques. Comparison with current mainstream worm detection algorithms shows that both algorithms significantly reduce the false positive rate at the same false negative rate.

Finally, the worm simulation environment and worm detection system are developed, and through deployment at an Internet exchange centre

【Abstract】 Worms have become one of the most serious threats to Internet security because of the significant damage they cause, the large range of victims and their fast spread. The lack of an effective simulation environment limits in-depth research on worms, and the inaccuracy of worm detection weakens the effectiveness of worm defense, containment and response technologies. Research on worms in local networks (interior networks) is important for early warning and propagation control. This dissertation focuses on worm simulation and detection in local networks. Simulation methods and detection technologies are proposed, establishing a basis for in-depth research, worm early warning and worm emergency response. The results have academic significance and promising applications.

Firstly, traffic models are studied at the network aggregate level and at the individual host level. From the analysis at the aggregate level, a bi-directional TCP traffic model is proposed and used to generate background traffic in worm simulation. Working with TCP connections, the model distinguishes request traffic from response traffic and describes the statistical characteristics of bi-directional traffic at several time scales. From the analysis at the individual host level, a periodic burst traffic model for "latency-limited" worms is proposed. The model statistically describes the scanning behaviour of worms and can be used to simulate worm traffic accurately. The differences in self-similarity and in the heavy-tailed properties of several statistical indices between worm traffic and normal host traffic are analysed. These statistical indices can serve as candidates for worm detection, including the arrival interval, request size, response size, duration and RTT of "First Contact Connections".

Secondly, the worm simulation environment is implemented and the effects of worm traffic on the network are analysed. In the simulation environment, background traffic is generated with a "semi-structural" TCP aggregated traffic framework, which balances accuracy and performance. Based on the bi-directional TCP traffic model, the framework regards the local network as a single node and is divided into two parts: an aggregated traffic generator at the application level and an aggregated traffic controller at the transmission level. Experimental results show that the framework is valid, stable, comparable and efficient. In worm traffic simulation, worm propagation is simulated with the mixed abstraction level simulation model, and the scanning traffic of worm hosts is simulated with the periodic burst traffic model. Experimental results show that this model depicts the effects of worm traffic on the network better than the traditional random constant-rate spread model.

Thirdly, detection indices and technologies are investigated. Taking worm behaviour into account, the effective detection indices are selected from the candidates: the failure probability, request size and arrival interval of "First Contact Connections". Based on the discrepancies in the heavy-tailed properties of these indices, two anomaly detection algorithms for unknown worms are proposed using statistical classification technologies. Compared with the mainstream method, at the same false negative rate the two proposed algorithms decrease false positives significantly.

Lastly, the worm simulation environment and the detection system are implemented. Through deployments at a Network Access Point, the worm simulation methods and detection technologies above are validated. The main contributions are: the bi-directional TCP traffic model, the periodic burst worm traffic model, simulation methods for "semi-structural" TCP aggregated traffic, and the anomaly detection algorithms for unknown worms based on heavy-tailed properties and statistical classification. Future work includes: a distributed simulation environment; fast detection technologies for other scanning strategies, especially hit-list scanning; effective worm containment technologies; better solutions that apply the results, ideas and methodologies of this dissertation to other large-scale network attacks; and models for the traffic of the main application protocols and digital media, such as streaming media, together with network performance analysis and QoS technologies.
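The abstract names three detection indices of "First Contact Connections" (failure probability, request size and arrival interval) but does not show how they are computed from flow records. The following Python is an added example written for this page, not code from the dissertation or its detection system: it tracks, per source host, which TCP connections are first contacts (the first attempt from a source to a given destination), accumulates the three indices, and flags hosts whose first-contact failure probability is high. The threshold rule at the end is a deliberate simplification standing in for the dissertation's statistical classification step, and the flow records, host addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt as a flow collector would export it (constructed format)."""
    ts: float          # seconds since start of the trace
    src: str
    dst: str
    dport: int
    req_bytes: int     # bytes the source sent in its request
    completed: bool    # handshake completed and a response came back


@dataclass
class HostStats:
    """Per-source accumulators for the first-contact detection indices."""
    first_contacts: int = 0
    failures: int = 0
    req_sizes: List[int] = field(default_factory=list)
    intervals: List[float] = field(default_factory=list)
    last_fc_ts: Optional[float] = None

    @property
    def failure_probability(self) -> float:
        # Index 1: share of first contacts that never completed.
        return self.failures / self.first_contacts if self.first_contacts else 0.0

    @property
    def mean_req_size(self) -> float:
        # Index 2: average request size of first contacts.
        return mean(self.req_sizes) if self.req_sizes else 0.0

    @property
    def mean_interval(self) -> float:
        # Index 3: average arrival interval between consecutive first contacts.
        return mean(self.intervals) if self.intervals else 0.0


def compute_first_contact_stats(flows: List[Flow]) -> Dict[str, HostStats]:
    """Walk flows in time order; only the first (src, dst) pair counts as a first contact."""
    seen = set()
    stats: Dict[str, HostStats] = defaultdict(HostStats)
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        if key in seen:
            continue                      # repeat contact: not a first contact, ignored
        seen.add(key)
        st = stats[f.src]
        if st.last_fc_ts is not None:
            st.intervals.append(f.ts - st.last_fc_ts)
        st.last_fc_ts = f.ts
        st.first_contacts += 1
        st.req_sizes.append(f.req_bytes)
        if not f.completed:
            st.failures += 1
    return dict(stats)


def flag_hosts(stats: Dict[str, HostStats],
               min_first_contacts: int = 5,
               max_failure_prob: float = 0.5) -> List[str]:
    """Hypothetical threshold rule: enough first contacts and most of them failing."""
    return sorted(h for h, s in stats.items()
                  if s.first_contacts >= min_first_contacts
                  and s.failure_probability > max_failure_prob)


# Constructed sample trace: one ordinary client that revisits a few servers,
# and one host that touches ten new addresses on the same port in one second.
SAMPLE_FLOWS: List[Flow] = [
    Flow(0.0, "10.0.0.5", "10.0.0.20", 80, 512, True),
    Flow(1.0, "10.0.0.5", "10.0.0.20", 80, 480, True),   # repeat, not a first contact
    Flow(2.0, "10.0.0.5", "10.0.0.21", 443, 700, True),
    Flow(5.0, "10.0.0.5", "10.0.0.22", 25, 300, False),  # one server happened to be down
    Flow(9.0, "10.0.0.5", "10.0.0.23", 80, 450, True),
] + [
    Flow(10.0 + 0.1 * i, "10.0.0.99", f"10.0.1.{i}", 445, 64 if i == 3 else 0, i == 3)
    for i in range(1, 11)
]

if __name__ == "__main__":
    stats = compute_first_contact_stats(SAMPLE_FLOWS)
    for host, st in sorted(stats.items()):
        print(f"{host}: first contacts={st.first_contacts} "
              f"fail_prob={st.failure_probability:.2f} "
              f"mean_req={st.mean_req_size:.0f}B mean_interval={st.mean_interval:.2f}s")
    print("flagged:", flag_hosts(stats))
```

The ordinary client ends up with a failure probability of 0.25 and intervals of several seconds, while the constructed scanner shows 0.9 with near-zero request sizes and sub-second intervals; in the dissertation's approach these three indices feed a statistical classifier rather than the fixed threshold used here, so `flag_hosts` should be read as a placeholder for that step.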

  • 【Online publication submitter】 Zhejiang University
  • 【Online publication year and issue】 2006, No. 10