
Research on the P2P Worm Behavior Model and Its Containment Methods

Research of P2P Worm Behavior Model and Its Quarantining Methods

【Author】 张小松

【Supervisor】 许春香

【Author information】 University of Electronic Science and Technology of China (电子科技大学), Information Security, 2011, Doctoral dissertation

【Abstract (translated)】 P2P technology has developed rapidly in recent years, and P2P-based applications have expanded from file sharing to real-time voice and image transmission. At the same time, malicious attacks against P2P software and P2P networks are increasing, and among them P2P worms spread the fastest and are the most destructive. A P2P worm is a class of malicious code that propagates automatically through a P2P network; it hides easily in normal P2P traffic and accelerates its spread by obtaining P2P topology information, which makes detection and containment harder. Studying the behavior model of P2P worms not only helps researchers understand their propagation principles and infection mechanisms in depth, but also directly supports P2P worm detection and containment. However, the P2P worm behavior models proposed so far share a common problem: they oversimplify the factors that affect P2P worm propagation, and therefore cannot accurately describe the propagation behavior of P2P worms or predict their propagation trends. As for containment, no existing method satisfactorily solves the three core problems of accuracy, real-time response and efficiency. This dissertation studies both the P2P worm behavior model and P2P worm containment techniques in depth, with the following three contributions:

1. A CTDS (C—Countermeasures, T—Topology, D—Diversity, S—Strategies) model describing P2P worm behavior. This dissertation holds that four factors significantly affect the propagation speed and propagation trend of P2P worms: the network topology, the countermeasures of ordinary users and Internet service providers (ISPs), the configuration diversity of network nodes, and the attack and defense strategies. Based on these four factors, a discrete-time behavior model of P2P worms is proposed and analyzed quantitatively by simulation. The experiments show that the CTDS model describes P2P worm propagation accurately, and that increasing the configuration diversity of network nodes and immunizing highly connected nodes in advance can effectively contain P2P worm propagation. This model was developed jointly by the author and the graduate students under the author's supervision.

2. A method of containing malicious P2P worms with benign P2P worms. Two kinds of benign P2P worms, differing in both function and propagation strategy, are proposed to counter malicious P2P worms jointly. It is first assumed that, in the absence of benign P2P worms, a malicious P2P worm propagates according to the CTDS model; on this basis a series of discrete difference equations is derived to describe the interaction between the benign and the malicious worms. Comparative experiments against purely manual countermeasures and against benign worms that propagate by random scanning show that the proposed benign P2P worms contain malicious P2P worms faster and more effectively, while consuming less network bandwidth than random-scanning benign worms.

3. A distributed method for automatically extracting worm signatures. To contain P2P worms in real time, this dissertation proposes extracting a worm signature automatically as soon as a P2P worm is detected and using that signature to contain its propagation. The method can extract signatures of highly polymorphic worms and resists techniques designed to subvert automatic extraction, such as the Red herring attack, Correlated outlier attack, Suspicious pool poisoning attack, Innocuous pool poisoning attack and Allergy attack. Experimental results show that the signatures extracted by this method can accurately contain P2P worms.

【Abstract】 In recent years, P2P (Peer-to-Peer) techniques have been booming, and applications based on P2P techniques range from file sharing to real-time video and graphic transmission. At the same time, malicious attacks aimed at P2P software and P2P networks are springing up. Among P2P threats, the P2P worm spreads fastest and is the most destructive. A P2P worm is a kind of malicious code that spreads itself automatically. It is able to speed up its propagation using P2P topology information, and it is inclined to camouflage itself in normal P2P traffic. Therefore, both P2P worm detection and quarantining are complicated jobs.

Research on the behavior model of P2P worms is beneficial for learning their spread strategies and infection mechanisms, and it directly helps the research of P2P worm detection and containment. However, current P2P worm behavior models share a common drawback: they excessively simplify the factors that evidently affect worm propagation. Hence, these models can neither depict the spread behavior nor forecast the spread trend of a P2P worm accurately. In the area of P2P worm quarantining, current techniques are imperfect in accuracy, real-time response and efficiency.

This paper focuses on the behavior model and quarantining methods of P2P worms. It makes three major contributions:

1. Proposing the CTDS model (C—Countermeasures, T—Topology, D—Diversity, S—Strategies) for depicting P2P worm behavior. The CTDS model holds that four factors obviously affect worm propagation: P2P topology, the countermeasures of common users and ISPs (Internet Service Providers), configuration diversity, and attack and defense strategies. The CTDS model is a discrete-time difference equation set that takes the four factors into account. Quantitative analysis by simulation shows that the CTDS model depicts worm propagation accurately. Furthermore, experiments show that a P2P worm can be contained by increasing the configuration diversity and by protecting the most connected nodes from compromise beforehand. Research on the CTDS model was completed by the author and the author's graduate students.

2. Proposing a benign-P2P-worm-based method to contain malicious P2P worms. This paper introduces two kinds of benign P2P worms, differing in function and spread strategy, that battle a malicious P2P worm cooperatively. First, the paper assumes the malicious P2P worm follows the CTDS model when benign worms are not considered. Then a series of difference equation sets is derived to depict the interplay of benign and malicious P2P worms. Compared with sheer manual countermeasures and with a random-scanning benign worm, the benign P2P worm proposed in this paper spreads faster and quarantines better. Moreover, experiments demonstrate that the benign P2P worm consumes less bandwidth than its random-scanning counterpart.

3. Proposing, with my students, a distributed self-immune automated signature generation method for P2P worms. To contain P2P worms in real time, worm signatures must be generated and distributed automatically immediately after a P2P worm is detected. The method introduced in this paper generates accurate signatures for sophisticated polymorphic P2P worms. Furthermore, it is resistant to many attacks that aim at subverting ASG (Automated Signature Generation) systems, such as the Red herring attack, Correlated outlier attack, Suspicious pool poisoning attack, Innocuous pool poisoning attack and Allergy attack. Experiments show that signatures produced by this method are accurate in containing P2P worms.
