
Research on Peer-to-Peer Malicious Worm Networks (对等结构的恶意蠕虫网络研究)

[Author] 蒿敬波 (Hao Jingbo)

[Advisor] 殷建平 (Yin Jianping)

[Author information] National University of Defense Technology (国防科学技术大学), Computer Science and Technology, 2008, PhD dissertation

[Abstract (translated from the Chinese)] A computer worm is a program that propagates autonomously across a network by exploiting security vulnerabilities in widely used services. People have long held differing understandings of worms, and the lack of a complete worm model is one important reason for this. Worms have considerable room for improvement in propagation control, so they will not remain confined to existing propagation patterns but will evolve toward more optimized ones. Autonomous worm propagation gives attackers a large number of exploitable host nodes, so building a worm network is the natural continuation of worm propagation. Ordinary worm networks use a centralized structure; by comparison, peer-to-peer networks offer better stealth and robustness and higher resource utilization. Malicious worm networks with a peer-to-peer structure (P2P worm networks for short) are therefore harder to detect and remove than ordinary worm networks, have great potential for malicious applications, represent the future direction of worm networks, and pose new challenges for defense. Based on this understanding, this dissertation studies worms and P2P worm networks from the following aspects:

1. Although several computational models of viruses/worms already exist, each has aspects open to question, and the continuing development of worm technology makes a model that fits the current situation urgently needed. By dissecting the behavioral characteristics of worms and drawing on the classical Cohen worm model, this dissertation proposes a more complete worm model based on persistent Turing machines: the SIW (Sequentially Interactive Worm) model. The SIW model has two parts: a basic worm definition that describes the typical characteristics of existing worms, and an extended worm definition that covers special worm types the basic definition cannot describe. Based on the SIW model, the two essential properties of worms, self-reproduction and network interaction, are analyzed theoretically; the undecidability of the worm detection problem is proved, and the computational complexity of worm detection under restricted conditions is discussed.

2. The network-interaction analysis based on the SIW model shows that worms have considerable potential for propagation optimization. Optimized propagation lets attackers better control the node deployment process when constructing worm networks, and worm networks in turn can serve as a reliable support platform for optimized propagation. After summarizing the characteristics of worm propagation, this dissertation defines the worm propagation problem using the principles of search theory, analyzes existing propagation strategies against that problem, and then proposes an optimized propagation strategy from two aspects: estimating the distribution of susceptible hosts and coordinating propagation among worm nodes. Theoretical analysis and simulation experiments, compared against existing strategies, verify the superiority of the optimized strategy.

3. Worms occupy other people's host resources without authorization and serve particular application purposes, so a P2P worm network must be constructed covertly to reduce the probability of exposure. This dissertation establishes a technical framework for constructing P2P worm networks covering node deployment, connection configuration and message communication, presents one construction case with preset nodes and one without, and evaluates both by simulation, demonstrating the effectiveness of the framework. Because of the special application purposes of P2P worm networks, their stealth and robustness are analyzed specifically at the end.

4. A P2P worm network can provide attackers with a good distributed resource platform for carrying out many kinds of attack tasks. This dissertation establishes an application framework for P2P worm networks from two aspects, resource organization and location, and application types, and analyzes several typical application cases, including DDoS attacks, worm propagation, phishing attacks, distribution of prohibited content, and brute-force key cracking.

5. The application of P2P worm networks will pose a serious security threat, and their clear advantages in stealth and robustness over ordinary worm networks create new challenges for defense. Based on the life-cycle characteristics of P2P worm networks, this dissertation studies defense techniques at three levels: vulnerability defense, worm defense and network defense. Although existing P2P worm networks still have many defects because of their short development history, mature, deployable systems are bound to appear in the near future as related technology advances, so this topic deserves continued in-depth study in order to counter the threat effectively.

[Abstract] A computer worm is a program that self-propagates across a network by exploiting security flaws in widely used services. People have long held differing understandings of worms, partly because of the lack of a complete worm model. Worms have much potential in propagation control, so they will evolve toward more optimized propagation patterns rather than confining themselves to existing ones. Self-propagation of worms provides attackers with plenty of available host nodes, and therefore the construction of worm networks naturally follows the propagation of worms. Compared with centralized networks, peer-to-peer (P2P) networks offer better stealth and robustness. Thus P2P worm networks are more difficult to detect and eliminate than general worm networks, and also have much potential for malicious application. P2P worm networks represent the future of worm networks and bring great challenges to the relevant defense work. With respect to the above discussion, we research worms and P2P worm networks from the following aspects:

1. Although a few computational models of viruses/worms have been proposed, each has its own shortcomings. Besides, because of the continuous progress of worm techniques, it is necessary to develop a worm model that fits the current state of worms. In this dissertation we analyze worms' behavioral features and develop a computational model of worms based on persistent Turing machines, using the classical Cohen model for reference. The worm model is named the SIW (Sequentially Interactive Worm) model. It includes two parts: the basic worm definition, which describes the typical features of current worms, and the extended worm definition, which covers special worm types outside the basic worm definition. Based on the SIW model, we analyze the essential self-reproduction and net-interaction of worms. We also prove the undecidability of the worm detection problem, and discuss the computational complexity of worm detection under some restrictions.

2. From the net-interaction analysis based on the SIW model, we derive that worms have much potential for propagation optimization. With optimized propagation, attackers can better control the node deployment process during the construction of worm networks, and worm networks can in turn act as reliable platforms supporting optimized propagation. In this dissertation we define the worm propagation problem in terms of search theory by summarizing the propagation features of worms. Addressing the worm propagation problem, we analyze current propagation strategies and then propose an optimized propagation strategy from two aspects: distribution estimation of vulnerable hosts and propagation coordination among worm nodes. Through theoretical analysis and simulation we verify the advantage of the optimized propagation strategy over current propagation strategies.

3. Worms occupy users' host resources without authorization and have special application aims, so the construction of P2P worm networks should be stealthy in order to reduce the chance of exposure. In this dissertation we establish a construction framework for P2P worm networks with respect to node deployment, link configuration and message communication. We then present a construction example with prepared nodes and one without prepared nodes, and evaluate each by simulation. These two examples demonstrate the effectiveness of the construction framework. Because of the special application purposes of P2P worm networks, we finally analyze their stealth and robustness.

4. P2P worm networks can act as favorable distributed resource platforms on which attackers perform many types of attack tasks. In this dissertation we establish an application framework for P2P worm networks with respect to resource organization and location, and application types. We then analyze several typical application cases, including DDoS attacks, worm propagation, phishing attacks, illegal content distribution, and brute-force cryptanalysis.

5. The application of P2P worm networks will pose a serious threat to network security, and P2P worm networks possess better stealth and robustness than general worm networks, which brings great challenges to the relevant defense work. According to the life cycle of P2P worm networks, we study defense mechanisms against P2P worm networks from three aspects: vulnerability defense, worm defense and network defense. Existing P2P worm networks still have many faults because they have appeared only in recent years, but as related techniques progress, mature systems will come into being in the near future. Therefore we should keep a close watch on the problem in order to defend against the threat effectively.
