Research on NIDS-Based Polymorphic Worm Suppression Strategies
Posted: 2018-05-03 10:49
Topic: polymorphic worm + propagation model; Source: Northeastern University, 2014 master's thesis
【Abstract】: Network worms have become one of the major threats to network security, and in recent years the emergence and large-scale spread of polymorphic worms has made the challenge more severe. A polymorphic worm applies a variety of mutation techniques so that, as it replicates, every new instance carries a different byte sequence; the instances take on many forms while propagating and attacking, and can thereby evade an intrusion detection system that relies on a single signature-based or anomaly-based method. Effectively suppressing the propagation of polymorphic worms has become a hard problem in the security field. Suppressing them requires understanding their propagation mechanism and analyzing their propagation characteristics.

This thesis abstracts the propagation characteristics of polymorphic worms into propagation models and uses those models to analyze how such worms spread. Based on the variant-producing behavior of polymorphic worms, it first builds a polymorphic-worm SIV immunization model. Intrusion detection systems (IDS) are a powerful means of detecting and suppressing worm propagation, but a host-based IDS would have to be deployed on every host in the network, and polymorphic worms are complex and highly variable, so a host-based approach is too costly against them. The thesis therefore uses a network-based intrusion detection system (NIDS), which extracts the information it needs from network traffic and is faster. On top of the NIDS it builds a polymorphic-worm SIQV continuous quarantine model that uses misuse (signature-based) detection. Misuse detection catches known attacks well, with a high detection rate and a low false-positive rate, but it cannot detect unknown attacks, i.e. it has a high false-negative (miss) rate. Anomaly detection, on the other hand, can detect unknown attacks and variants of known worms, but has a high false-positive rate. To exploit the strengths of both methods while compensating for their weaknesses, the thesis combines them and builds, again on the NIDS, a polymorphic-worm SIQV pulse quarantine model; the analysis finds that the pulse quarantine strategy performs better than continuous quarantine.

The three propagation models are analyzed theoretically: the stability of each system is studied, the conditions under which the system remains stable are derived, and the factors that influence stability are identified. Numerical analysis confirms the theoretical results and assesses the effectiveness of the suppression strategies from several angles. Discrete-time simulation experiments reproduce the propagation of a polymorphic worm in a realistic network; analysis of the simulation data shows that the models built here capture the propagation behavior of polymorphic worms and that the suppression strategies adopted have a strong positive effect on suppressing their spread.
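To make the S/I/Q/V compartments and the two quarantine strategies concrete, the following Python script is an added example, not code or equations from the thesis (whose models and stability conditions are not reproduced on this page). It simulates a generic discrete-time SIQV worm model with three isolation strategies: no NIDS, continuous quarantine of a fixed fraction of infected hosts every step (the misuse-detection case), and pulse quarantine that sweeps a larger fraction only every few steps (the combined misuse-plus-anomaly case). All update rules, the parameter values, the 10,000-host scenario and the `beta/gamma` threshold are assumptions chosen for the example; the thesis's own derived conditions may differ.

```python
"""Toy discrete-time SIQV worm propagation model (added example).

Compartments (counts of hosts): S susceptible, I infected (spreading),
Q quarantined by the NIDS (cut off, not spreading), V immune (cleaned and
patched, or pre-emptively patched).  Update rules and parameter values are
assumptions for this example; they are not the thesis's equations.
"""
from dataclasses import dataclass
from typing import List, Tuple

State = Tuple[float, float, float, float]  # (S, I, Q, V)


@dataclass(frozen=True)
class Params:
    beta: float   # infections per infected host per step when everyone is susceptible
    gamma: float  # fraction of infected hosts the NIDS quarantines per active step
    delta: float  # fraction of quarantined hosts cleaned and immunised per step
    mu: float     # fraction of susceptible hosts patched (immunised) per step
    n: int        # total number of hosts (constant: no hosts join or leave)


def step(state: State, p: Params, quarantine_rate: float) -> State:
    """Advance one time step; quarantine_rate is the fraction of I moved to Q."""
    s, i, q, v = state
    # Mass-action infection, capped so S cannot go negative.
    new_inf = min(s, p.beta * s * i / p.n)
    # Pre-emptive patching acts on the susceptibles that were not just infected.
    patched = min(s - new_inf, p.mu * s)
    # NIDS isolation: a fraction of the infected hosts are cut off this step.
    quarantined = min(i, quarantine_rate * i)
    # Quarantined hosts are cleaned and rejoin the network as immune.
    cleaned = min(q, p.delta * q)
    return (
        s - new_inf - patched,
        i + new_inf - quarantined,
        q + quarantined - cleaned,
        v + patched + cleaned,
    )


def simulate(p: Params, init: State, steps: int, strategy: str,
             period: int = 5, pulse_rate: float = 0.8) -> List[State]:
    """Run the model under one of three isolation strategies.

    "none"       : no NIDS, nothing is quarantined (baseline)
    "continuous" : misuse-detection NIDS quarantines gamma*I on every step
    "pulse"      : a combined misuse+anomaly sweep runs every `period` steps
                   and quarantines pulse_rate*I on those steps only
    The returned trajectory includes the initial state, so it has steps+1 entries.
    """
    if strategy not in ("none", "continuous", "pulse"):
        raise ValueError(f"unknown strategy {strategy!r}")
    traj = [init]
    state = init
    for t in range(1, steps + 1):
        if strategy == "continuous":
            rate = p.gamma
        elif strategy == "pulse" and t % period == 0:
            rate = pulse_rate
        else:
            rate = 0.0
        state = step(state, p, rate)
        traj.append(state)
    return traj


def peak_infected(traj: List[State]) -> float:
    """Largest number of simultaneously spreading hosts over the run."""
    return max(st[1] for st in traj)


def continuous_threshold(p: Params) -> float:
    """Linearised growth ratio of I near the worm-free state (S ~ N) under
    continuous quarantine: I_{t+1} ~ I_t * (1 + beta - gamma), so the worm
    dies out in this toy model when beta/gamma < 1.  This is the kind of
    stability condition the thesis derives for its own models; the exact
    form used there is not on this page (assumption for the example)."""
    return p.beta / p.gamma


if __name__ == "__main__":
    # Constructed scenario: 10,000 hosts, 10 initially infected.
    p = Params(beta=0.8, gamma=0.3, delta=0.5, mu=0.01, n=10_000)
    init = (9_990.0, 10.0, 0.0, 0.0)
    for strat in ("none", "continuous", "pulse"):
        traj = simulate(p, init, 200, strat)
        print(f"{strat:10s} peak infected = {peak_infected(traj):8.1f}  "
              f"final immune = {traj[-1][3]:8.1f}")
    print("continuous beta/gamma =", continuous_threshold(p))
```

Running the script prints the peak number of spreading hosts for each strategy; the interesting comparison is between the continuous and pulse rows, which depends entirely on the assumed `gamma`, `period` and `pulse_rate`, so the example shows how such a comparison is set up rather than reproducing the thesis's result.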
【Degree-granting institution】: Northeastern University
【Degree level】: Master's
【Year conferred】: 2014
【Chinese Library Classification】: TP393.08
Article ID: 1838200
Link: https://www.wllwen.com/guanlilunwen/ydhl/1838200.html