Research on Technologies of Detection and Defense Against Proactive P2P Worms
【Author】 张冶江 (Zhang Yejiang)
【Supervisor】 李芝棠 (Li Zhitang)
【Author information】 Huazhong University of Science and Technology, Computer System Architecture, 2009, PhD
【Abstract】 Nowadays P2P network traffic accounts for more than 60% of Internet bandwidth, and the hidden security issues arising from it are steadily increasing. A proactive P2P worm can propagate through a P2P network via all kinds of security holes: it obtains the neighbor information of an infected node and attacks some or all of those neighbors directly. Compared with a random-scanning worm, it need not find targets by probing randomly generated IP addresses, and it does not generate large numbers of failed connections. Its propagation is therefore faster and more concealed, and it is more difficult to detect and defend against. The proactive P2P worm has become one of the most serious security threats restricting the development of P2P network applications.

The discrete recursive propagation model of the proactive P2P worm (P2P Worm Discrete Recursive Model, PWDRM) is constructed. Since the propagation of a proactive P2P worm is a dynamic process, the model analyzes the state and behavior of nodes at every discrete moment, derives the relation between the numbers of infected nodes at neighboring moments, and thereby builds a recursive mathematical model. The model introduces P2P network parameters such as network size, node online probability, node vulnerability probability and node topological degree, as well as worm parameters such as attack rate and hit-list size. It especially considers other factors that may affect propagation, such as topology type, average node degree, the power-law exponent of unstructured P2P networks, infection tactics, hit-list topological degree and the neighbor selection strategy. Simulations indicate that the model can effectively describe the propagation of proactive P2P worms in both unstructured and structured P2P networks, and that it reflects real propagation more faithfully than the existing topological epidemic differential model.

Network-based detection methods against proactive P2P worms that leverage application-level knowledge are proposed. 1) Connection Change-point based Detection (CCD). It uses a random sequence to denote the total number of connections with distinct source-destination pairs, and applies sequential change detection theory to perform statistical detection on the data stream. 2) Abnormal Multicast based Detection (AMD). It constructs the multicast tree of the proactive P2P worm, treats the propagation as a Poisson process, and detects the abnormal multicast phenomenon that may appear in order to find the worm. Moreover, it can also defend against the worm by blocking the worm multicast behavior of infected nodes. Simulations indicate that the above methods can find a proactive P2P worm in a short time and contain its propagation.

Defense strategies, defense methods and a defense system framework are proposed. 1) Selective Static Immunization (SSI). It slows down or contains the propagation of the proactive P2P worm by statically immunizing a subset of nodes. 2) Key Node based Local Containment (KNLC). It uses a multilevel k-way partitioning algorithm to divide the P2P network into a number of areas of nearly equal size, and immunizes the key nodes (nodes that worm propagation between different areas has to go through). Worm propagation is then confined within these areas, which are thereby isolated from the other areas. Moreover, the key node selection algorithm can be used to choose the nodes that should be statically immunized. 3) Connected Dominating Set based Dynamic Immunization (CDSDI). It constructs a connected dominating set of the P2P network and pushes the vaccine to some nodes in the set for rapid dissemination through the network. Simulations indicate that SSI is quite effective for unstructured P2P networks when an appropriate node selection strategy is adopted, and that KNLC and CDSDI outperform the baseline method and tolerate changes in the P2P network topology well. 4) A defense system framework against proactive P2P worms is designed. The system is composed of security servers, volunteer key nodes and volunteer nodes of the connected dominating set. A worm detection component is deployed on the statically immunized volunteer key nodes; the security server generates a vaccine according to the detection reports and pushes it to the volunteer nodes of the connected dominating set, which then disseminate it to ordinary nodes, so that the framework defends against proactive P2P worms systematically.
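The abstract names the model's parameters (network size, node online and vulnerability probability, degree, attack rate, hit-list) and the SSI and CDSDI defense strategies, but as an abstract it gives no equations or algorithms. The following is an added illustration, not code from the dissertation: a toy discrete-time simulation of neighbor-list propagation on a constructed power-law overlay, run without immunization, with two SSI-style static selections, and with a vaccine pushed to a greedily built connected dominating set. The Barabasi-Albert style generator, the Guha-Khuller style greedy CDS, the `random`/`degree` selection names, the one-hop-per-step vaccine rule, the parameter values and the seed node are all this example's own assumptions and stand in for, rather than reproduce, PWDRM, SSI and CDSDI.

```python
"""Toy discrete-time model of proactive P2P worm propagation with static and dynamic
immunization.  Graph generator, update rules and parameters are this example's own
assumptions, not the dissertation's PWDRM / SSI / CDSDI definitions."""
import random
from collections import deque


def make_power_law_graph(n, m, seed=0):
    """Preferential-attachment (Barabasi-Albert style) overlay: a constructed stand-in
    for an unstructured P2P network with a power-law degree distribution."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    pool = []                                  # node ids, one entry per incident edge
    targets = list(range(m))
    for v in range(m, n):
        for t in targets:
            adj[v].add(t)
            adj[t].add(v)
            pool.extend((t, v))
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(pool))       # degree-proportional choice
        targets = sorted(chosen)
    return adj


def pick_nodes(n, prob, seed):
    """Constructed per-node attribute (online or vulnerable), drawn once up front so
    every strategy is compared on exactly the same network state."""
    rng = random.Random(seed)
    return frozenset(v for v in range(n) if rng.random() < prob)


def select_static(adj, k, strategy, seed=1):
    """SSI-style choice of k nodes to immunize statically: 'random', or 'degree'
    (highest-degree nodes first).  Strategy names are this example's own."""
    if strategy == "degree":
        return frozenset(sorted(adj, key=lambda v: (-len(adj[v]), v))[:k])
    return frozenset(random.Random(seed).sample(sorted(adj), k))


def greedy_cds(adj):
    """Greedy connected dominating set (Guha-Khuller style): start at the highest-degree
    node and keep adding the already-dominated node that covers the most uncovered
    nodes, so the set stays connected while it grows."""
    start = max(adj, key=lambda v: (len(adj[v]), -v))
    cds, covered = {start}, {start} | adj[start]
    while len(covered) < len(adj):
        frontier = [v for v in covered if v not in cds and adj[v] - covered]
        if not frontier:
            break                              # graph is disconnected
        best = max(frontier, key=lambda v: (len(adj[v] - covered), -v))
        cds.add(best)
        covered |= adj[best]
    return frozenset(cds)


def is_connected_dominating(adj, s):
    """Verify both CDS properties: s dominates every node and s induces a connected subgraph."""
    dominating = all(v in s or adj[v] & s for v in adj)
    start = next(iter(s))
    seen, queue = {start}, deque([start])
    while queue:
        v = queue.popleft()
        for w in adj[v] & s:
            if w not in seen:
                seen.add(w)
                queue.append(w)
    return dominating and seen == set(s)


def simulate(adj, seeds, online, vulnerable, immune=frozenset(), attack_rate=2,
             cds=None, detect_step=None, max_steps=1000):
    """Each step every infected online node attacks up to attack_rate neighbours it has not
    tried yet (its neighbour list is its hit-list); a target is infected if it is online,
    vulnerable and not immunized.  With cds and detect_step, the vaccine is pushed to the
    CDS nodes at that step and every vaccinated node cures and immunizes all its
    neighbours (one hop per step).  Returns per-step infected counts and the final set."""
    immune = set(immune)
    infected = {s for s in seeds if s not in immune}
    tried = {v: set() for v in adj}
    vaccinated = set()
    history = [len(infected)]
    for step in range(1, max_steps + 1):
        if cds is not None and step == detect_step:
            vaccinated |= set(cds)
        if vaccinated:                         # one-hop vaccine dissemination
            vaccinated |= {w for v in list(vaccinated) for w in adj[v]}
            immune |= vaccinated
            infected -= vaccinated
        new = set()
        for u in sorted(infected):
            if u not in online:
                continue                       # offline nodes neither attack nor answer
            targets = [v for v in sorted(adj[u]) if v not in tried[u]][:attack_rate]
            tried[u].update(targets)
            new.update(v for v in targets if v in online and v in vulnerable
                       and v not in immune and v not in infected)
        infected |= new
        history.append(len(infected))
        exhausted = all(tried[u] == adj[u] for u in infected if u in online)
        if not new and exhausted and (not vaccinated or len(vaccinated) == len(adj)):
            break
    return history, infected


def compare(n=200, m=3, k=10, detect_step=5):
    """Run the baseline and each immunization strategy on one constructed network."""
    adj = make_power_law_graph(n, m)
    online = pick_nodes(n, 0.8, 2)
    vulnerable = pick_nodes(n, 0.7, 3)
    seeds = [min(online & vulnerable)]        # constructed initial infection
    results = {"none": simulate(adj, seeds, online, vulnerable)[1]}
    for strategy in ("random", "degree"):
        immune = select_static(adj, k, strategy)
        results["ssi_" + strategy] = simulate(adj, seeds, online, vulnerable, immune)[1]
    cds = greedy_cds(adj)
    results["cdsdi"] = simulate(adj, seeds, online, vulnerable, cds=cds,
                                detect_step=detect_step)[1]
    return adj, cds, results
```

Calling `compare()` returns the overlay, the CDS and the final infected set per strategy. Because every infected node tries each neighbour exactly once and the per-node state is fixed in advance, the baseline and SSI runs converge to the set of vulnerable online nodes reachable from the seed, so the set reached with immunized nodes removed can never be larger than without them. The dynamic run clears the infection at the detection step for the reason the abstract gives for using a connected dominating set: every node is at most one hop from the set, so one round of dissemination from the CDS reaches the whole overlay.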
【Key words】 P2P Network Security; P2P Worm; Propagation Model; Detection Method; Defense Method