
Research on NIDS-Based Containment Strategies for Polymorphic Worms

Published: 2018-05-03 10:49

  Topic of this paper: polymorphic worms + propagation model. Source: Northeastern University, master's thesis, 2014


[Abstract]: Network worms have become one of the major threats to network security, and in recent years the emergence and large-scale spread of polymorphic worms has posed an even more serious challenge. Using a variety of mutation techniques, a polymorphic worm changes the byte sequence of each new instance as it replicates itself; the new instances take many different forms during propagation and attack, and so can evade detection by an intrusion detection system that relies on signatures alone or on anomalies alone. How to effectively contain the spread of polymorphic worms has become a major problem in the security field. Containing polymorphic worms effectively requires understanding their propagation mechanism and analyzing their propagation characteristics. This thesis abstracts the propagation characteristics of polymorphic worms and builds propagation models to analyze them. Based on the variant-producing nature of polymorphic worms, it establishes an SIV immunization model for polymorphic worms to analyze their propagation characteristics. Intrusion detection systems (IDS) are an effective means of detecting worms and containing their spread. Because host-based intrusion detection must be deployed across the whole network, and the characteristics of polymorphic worms are complex and changeable, host-based intrusion detection is too costly against polymorphic worms. This thesis therefore uses a network-based intrusion detection system (NIDS) to detect polymorphic worms; a NIDS extracts the information it needs by analyzing network flows, which is faster. Based on NIDS, the thesis establishes an SIQV continuous quarantine model for polymorphic worms that uses misuse detection. Misuse detection can effectively detect known attacks, with a high detection rate and a low false-positive rate, but it cannot detect unknown attacks, that is, it has a high false-negative rate. Anomaly detection, on the other hand, can effectively detect unknown attacks and variants of known worms, but it has a high false-positive rate. To make full use of the strengths of both misuse detection and anomaly detection while compensating for the weaknesses of each, the thesis combines the two detection methods and, based on NIDS, establishes an SIQV pulse quarantine model for polymorphic worms; analysis shows that the pulse quarantine strategy is more effective than the continuous quarantine strategy. The thesis analyzes the three polymorphic worm propagation models theoretically: it analyzes the stability of each system, derives the conditions the system must satisfy to remain stable, and analyzes the factors that affect system stability. Numerical analysis is used to confirm the theoretical analysis and to examine the effectiveness of the containment strategies from different angles. Discrete-time simulation experiments simulate the propagation of polymorphic worms in a real network, and analysis of the simulation data shows that the propagation models established in the thesis effectively reflect the propagation behavior of polymorphic worms and that the containment strategies adopted have a strong positive effect on suppressing their spread.
[Degree-granting institution]: Northeastern University
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08


Article ID: 1838200


Link to this article: http://sikaile.net/guanlilunwen/ydhl/1838200.html

