网络恶意代码传播动力学模型(IJCNIS-V5-N10-3)
计算机专业论文:恶意代码分析
恶意代码分析目录摘要: (2)关键词: (2)1.概要介绍 (3)2.恶意代码综述 (3)2.1 恶意代码的特征 (4)2.2 恶意代码的传播 (4)2.2.1 恶意代码的传播手法 (4)2.2.2 恶意代码的趋势 (4)2.3 恶意代码的类型 (5)2.4 恶意代码的发展 (7)2.5 恶意代码攻击机制 (10)3. 恶意代码实例 (11)4. 恶意代码分析实验操作 (13)5. 恶意代码侦测 (19)5.1 现行恶意代码侦测情况 (19)5.2 应有恶意代码侦测机制 (21)5.2.1 恶意代码传播的不易控性 (21)5.2.2 路径跟踪的新方法:沾染图 (22)5.2.3 沾染图的基础 (23)5.2.4 Panorama (25)6. 小组感想 (28)7. 小组分工 (30)8. 参考文献 (32)摘要:恶意代码(Malicious Code)是指没有作用却会带来危险的代码,其最主要特征是目的的恶意性、程序的执行性与执行的传播性。
在探索了恶意代码的基本属性与特征后,我组进而对一个真实的恶意代码实例进行了较为详细的分为,并在真实代码旁均作了详实的批注。
除此,为了进一步跟踪恶意代码的破坏途径,我组在我们的笔记本电脑中装入了VWare虚拟机,并试图运行TEMU软件,进行此方面研究。
最后,在完成上述工作后,我们产生了这样的观点,即:仅仅了解恶意代码的实质与恶性并不足以产生对现实生活有益的效果,为了能学有所用,我们更应了解的是如何对恶意代码进行侦测和防治。
因而,我组最后的研究内容是与探索一条侦测途径,即:Panorama系统,以遍更有效地抵消恶意代码的进攻。
关键词:恶意代码(恶意软件),TEMU,恶意代码侦测,Panorama1.概要介绍生活质量的提高、信息的海量增加、科技的日益普及等无一不使电脑的泛化与网络的兴荣呈现愈演愈烈的趋势。
随着这种趋势的日益明显,人们愈发地离不开电脑的应用与网络所呈现出的便利与快捷。
如何进行恶意代码的传播路径分析(一)
恶意代码(Malware)是指具有破坏、入侵或者控制他人设备的恶意意图的计算机程序。
它们通过各种传播途径传达到目标设备上,从而对个人隐私、企业安全以及整个网络生态产生巨大威胁。
因此,对于恶意代码的传播路径进行分析是保护个人和组织资源的重要一环。
下文将从多个角度论述如何进行恶意代码的传播路径分析。
1. 传统途径分析恶意代码的传播途径众多,其中包括电子邮件附件、下载和安装可靠性较低的软件、USB设备、社交媒体链接等。
为了进行有效的传播路径分析,我们需要识别不同传播途径并分析其特征。
2. 恶意代码分析工具针对恶意代码进行传播路径分析,我们需要使用专业的分析工具。
这些工具能够对已知和未知的恶意代码进行识别和分析,提供详细的传播路径信息,帮助我们理解恶意代码的工作原理和传播模式。
3. 高级威胁情报平台高级威胁情报平台是一种能够收集、分析并提供实时威胁信息的平台。
通过访问这些平台,我们可以获得来自全球各地的恶意代码传播事件,了解新兴的恶意代码传播路径,以及相关的应对策略。
4. 社交工程与钓鱼攻击分析社交工程与钓鱼攻击是恶意代码传播的常见手段。
对于这些攻击手法,我们需要分析其特点,例如利用人性心理、冒充可信实体等,以保护自己免受诈骗和恶意代码传播的威胁。
5. 网络流量分析通过对网络流量进行分析,可以发现恶意代码传播路径中的异常行为。
利用入侵检测和入侵防御系统,我们可以实时监测流量特征,检测可疑传播行为,及时采取防御措施。
6. 恶意代码传播模型分析恶意代码传播模型是进行传播路径分析的重要方法。
通过分析恶意代码的行为和目标,我们可以构建传播模型,帮助预测其传播路径和行为。
7. 安全意识教育与培训传播路径分析不仅仅是分析科技手段,也包括加强个人和组织的安全意识。
通过定期的安全意识教育与培训,我们可以提高个人和组织对恶意代码传播路径的警觉性,减少因不慎点开恶意链接而导致恶意代码传播的风险。
8. 恶意代码传播社会影响分析恶意代码传播不仅对个人和组织的安全造成威胁,也对整个社会网络生态产生负面影响。
社会网络中虚假信息扩散动力学建模与抑制策略
社会网络中虚假信息扩散动力学建模与抑制策略简介随着社会网络的快速发展,虚假信息的传播现象也逐渐增加。
虚假信息的传播对社会、个体及整个网络体系都产生了负面影响。
为了减少虚假信息的传播,我们需要深入了解虚假信息在社会网络中的扩散动力学,并提出相应的抑制策略。
一、社会网络中虚假信息传播的动力学模型1.信息传播模型在社会网络中,人们通过交流、分享和转发等行为传播信息。
研究表明,传播过程可以用传染病传播模型来描述。
虚假信息的传播可以视为一种“传染”,蔓延至其他用户。
2.传播特征参数为了建立虚假信息传播的动力学模型,需要考虑以下特征参数:a) 传播速度:虚假信息在社会网络中传播的速度;b) 影响力:节点对其邻居的影响程度;c) 感染概率:传播过程中个体接受信息并相信其真实性的概率;d) 抑制率:社会网络中针对虚假信息传播采取的抑制措施。
3.网络拓扑模型社会网络结构对虚假信息传播具有重要影响。
根据具体情况选择适当的网络拓扑模型,如小世界网络、无标度网络等。
二、抑制虚假信息传播的策略1.加强信息的真实性确保信息提供者真实可信,对信息进行严格审核以减少虚假信息的产生和传播。
2.提高个体对虚假信息的识别能力加强对虚假信息的识别培训,教育用户如何辨别真实信息和虚假信息,提高其抵御虚假信息的能力。
3.限制信息传播速度设置信息传播速度上限,延缓虚假信息在社会网络中的传播速度,给用户更多时间进行信息判断。
4.加大惩罚力度对故意散布虚假信息的行为进行处罚,加大法律打击力度以起到威慑作用。
5.社交网络平台的监管社交网络平台应加强对用户发布内容的管理和监控,及时删除虚假信息,防止其在网络上扩散。
6.用户参与的扩散抑制策略鼓励用户主动参与抑制虚假信息的传播,设立奖励机制,对积极举报虚假信息的用户给予奖励。
三、虚假信息传播模型的实证研究通过大规模的数据分析和实证研究,可以对社会网络中虚假信息传播动力学进行深入研究。
研究结果可以为设计有效的抑制策略提供科学依据。
系统安全漏洞与恶意代码介绍
征
35
恶意代码分类
照恶意代码运行平台 按照恶意代码传播方式 按照恶意代码的工作机
制 按照恶意代码危害
罗伯特.莫里斯
1995年—首次发现macro virus
31
恶意代码发展
1996年—netcat的UNIX版发布(nc) 1998年—第一个Java virus(StrangeBrew) 1998年—netcat的Windows版发布(nc) 1998年—back orifice(BO)/CIH 1999年—melissa/worm(macrovirus by email) 1999年—back orifice(BO) for WIN2k 1999年—DOS/DDOS-Denial of Service TFT/
恶意代码的发展趋势?从传播速度上来看恶意代码爆发和传播速度越来越快?从攻击意图来看恶意代码的开发者越来越与业化其意图也从游戏炫耀与向为恶意牟利?从功能上来看恶意代码的分工越来越细?从实现技术来看恶意代码实现的关键技术丌断变化?从传播范围来看恶意代码呈现多平台传播的特征35恶意代码分类36?照恶意代码运行平台?按照恶意代码传播斱式?按照恶意代码的工作机制?按照恶意代码危害分类蠕虫病毒后门木马有害工具流氓软件风险程序其他恶意代码分类37?丌传染的依附型恶意代码?流氓软件逡辑炸弹恶意脚本?丌传染的独立型恶意代码?木马rootkit风险程序?传染的依附型恶意代码?传统的病毒cih等?传染的独立型恶意代码?蠕虫病毒?可以丌依附亍所谓的数组而独立存在
了解安全漏洞的静态与动态挖掘方法的基本原理 了解补丁分类及修复时应注意的问题
12
漏洞的发现
从人工发现阶段发展到了依靠自动分析工具辅助 的半自动化阶段
社会网络中信息传播模式与动力学仿真方法
社会网络中信息传播模式与动力学仿真方法社会网络的迅猛发展使得信息传播成为社会变革和个体行为的重要驱动力。
了解信息在社会网络中传播的模式和动力学规律,对于社会科学和网络科学的发展具有重要意义。
本文将探讨社会网络中信息传播的模式以及仿真方法,以期提供有关社会网络研究的实用指导。
一、社会网络中的信息传播模式1.扩散模型扩散模型是研究社会网络中信息传播最基础的模型之一。
它描述了信息从一个节点传播到整个网络的方式。
最简单的扩散模型是基于病毒传播的SIR模型,将社会网络中的节点分为易感染者(Susceptible)、感染者(Infected)和康复者(Recovered)三类。
该模型通过建立差分方程或微分方程系统来描述人与人之间的传染关系和康复过程。
通过分析这些方程的解,可以得出关于信息传播的重要性质,如传播速度、传播范围等。
2.影响力模型影响力模型是研究社会网络中信息传播的另一种方式。
它涉及到节点之间的相互作用和影响关系。
经典的影响力模型之一是独立级联模型(Independent Cascade Model),它认为每个节点有一定的概率接受其邻居节点的信息,并以一定的概率将信息传播给它的邻居节点。
该模型基于概率论和图论,通过模拟信息在网络中的传播过程,研究社会网络中信息的扩散规律和影响力。
3.传播路径模型传播路径模型是研究社会网络中信息传播路径的一种模型。
它主要关注信息在网络中的传播路径和传播路径对信息传播效果的影响。
例如,层次模型认为信息在社会网络中是通过不同的层次传播的,不同层次的节点对信息的影响力也不同。
采用传播路径模型可以更加准确地分析信息在社会网络中的传播效果,并提供针对性的策略。
二、社会网络中信息传播的动力学仿真方法1.基于代理人的仿真方法基于代理人的仿真方法是一种常用的研究社会网络中信息传播动力学的方法。
该方法将网络中的个体视为独立的代理人,并通过定义各种行为规则和交互规则,模拟个体之间的相互作用和信息传播过程。
一种防止移动模式认证系统安全攻击的新方法(IJCNIS-V10-N5-3)
I. J. Computer Network and Information Security, 2018, 5, 18-27Published Online May 2018 in MECS (/)DOI: 10.5815/ijcnis.2018.05.03A Novel Approach to Thwart Security Attacks onMobile Pattern Authentication SystemsBh PadmaDepartment Computer Applications, Gayatri Vidya Parishad College for PG Courses, Rushikonda, Visakhapatnam-45,AP, INDIA.E-mail: padma.bhogaraju@GVS Raj KumarDepartment of Information Technology, GITAM, Rushikonda, Visakhapatnam-45, AP, INDIA.E-mail: gvsrajkumar@Received: 24 December 2017; Accepted: 09 February 2018; Published: 08 May 2018Abstract—Providing security to mobile devices by means of password authentication using robust cryptographic techniques is vitally important today, because they protect sensitive data. Especially for pattern locking systems of Android, there is a lack of security awareness in the people about various pre-computation attacks such as dictionary attacks, rainbow tables and brute-forcing. Hash functions such as SHA-1 are not secure for pattern authentication, because they suffer from dictionary attacks. The latest OS versions of Android such as Marshmallow make use of salted hash functions for pattern locks, but they do need additional hardware support such as TEE (Trusted Execution Environment) and a Gatekeeper function. If random salts are used for pattern passwords, they are also vulnerable, because the stored salt may be compromised and consequently the passwords can be speculated using brute-forcing. To avoid such a security breaches on pattern passwords, many methodologies have been proposed so far such as an elliptic curve based salt generation techniques. But security is never easy to obtain 100%. The attacker may perform brute-forcing successfully on pattern password hashes by gaining some information about the application. Brute-forcing becomes harder always by using longer salts and passwords and by stretching the execution time of hash generation. Therefore the current research addresses these difficulties and finds a solution to these problems by extending the existing salt generation scheme, by generating a dynamic 128-bit pepper (or a long salt) value for SHA-1 hashes to avoid such attacks without using an added hardware, for mobile computers using elliptic curves. The current scheme employs genetic algorithms to generate the pepper and finally makes brute-forcing even harder for the cryptanalysts. A comparison of this new hashing technique, with the existing techniques such as SHA-1 and salted SHA-1 with respect to brute-force analysis, Strict Avalanche Criterion and execution times is also presented in this paper.Index Terms—Android, dictionary attacks, salt, pepper, brute-forcing, Strict Avalanche Effect, TEE, SHA-1.I.I NTRODUCTIONIn Android mobile systems, a 3x3 lattice of the pattern lock is offered to the user to select a pattern such as (1-4-5-6-9) as shown in fig 1, to serve as a password to access the device.This graphical password[1] is hashed using SHA-1 and the hash code“8cb2237d0679ca88db6464eac60da96345513964”is stored in a file called “gesture.key” in the device folder of Android[2]. But this hash value is not safe from the attackers as users normally leave their mobiles USB enabled and rooted. If the phone is rooted or USB enabled, the attacker may utilise android forensic tools and existing SHA-1 dictionaries[3] and gets the corresponding pattern of the hash and makes a passive attack on the pattern. The SHA-1 predefined dictionaries and rainbow tables contain hash value for each combination of pattern which ranges from 1234 to 987654321. Since the number of patterns is limited in number, it is not difficult to crack or bypass the pattern.Fig.1. Pattern locks for AndroidAfter the user selects the pattern password, device hashes it with SHA-1 hash function and saves result into the password file. At any time when the user tries to unlock the device compares the stored SHA-1 hash with newly calculated hash value to give access or not. The problem with Android pattern locks is, it stores pattern lock data as an unsalted hash value. If we select a pattern 14569, this pattern is stored with a 20-byte SHA-1 hash. So the SHA-1 hash for 14569 is“5be3abe776eaf5f251122aba6f291eb40b65aa3d”which is stored in a file called gesture.key in /data/system folder in Android’s internal memory of the device. Android patterns are not salted hashes. It is possible to crack SHA-1 hash in no time and reveal the original pattern using android gesture.key file. These attacks are possible when the mobiles devices are left either rooted or USB enabled. Since SHA-1 is a one-way encryption function, there is no reverse function to convert hash code to original message sequence. To restore the code, the attacker will need to generate a hash table of patterns with hashed strings. He can download the SHA-1 dictionaries[24] and without difficulty finds hash to recover the original pattern sequence. If you have full access to a mobile, you can just remove or replace the file containing the SHA-1 pattern password. An attacker uses forensic tools such as Andriller(shown in fig 2) to achieve the password using a dictionary that can be downloaded and using a forensic tool such as SqLite browser, the attacker can easily find the original pattern by running the query,“Select * from Rainbow Table where hash = “6a062b9b3452e366407181a1bf92ea73e9ed4c48”.Fig.2. Android Forensic Tools that Attack PasswordsNow after gaining the password he can keep on attempting passive attack on the device. But adding a salt value to the hash solves this problem. Salts always prevent dictionary attacks. Even after using salts the security is not ensured because salts are stored in the device databases, and if salt is hacked, the attacker can exercise brute-force[21] attack using the salt value to crack the password, and such forensic tools also are available widely.After KitKat 4.4, Android brought some changes in the authentication systems, which contain salts for hashing particularly in Lollipop and Android latest (Marshmallow) versions. But salts will not solve the problem completely because we store them in database, if compromised the attacker may brute force the password using the salt value. Once the salt is compromised, because having 100% security for any security system is not achievable, the attacker finds some way to gain the salt value and he can still try the brute force attack, to gain the password. Many researchesIn this paper we focus on how to get rid of pre-computations on patterns. We need to have a solution to amend pattern authentication systems so that they can withstand to dictionaries. Here we made the representation of the pattern totally different from the existing one, and it alters from user to user depending on his identities. We have incorporated the application of elliptic curves in pattern representation. In the current research, we generate a dynamic pepper values for the hash to be stored in the databases, and as the pepper is dynamic in nature, they stretch the passwords and brute-forcing becomes impossible for opponents. Obviously peppers prevent dictionaries and rainbow tables.In this work, we generate a dynamic pepper, which if added to pattern passwords, the patterns become resistant to dictionaries and rainbow tables and brute-forcing as this value is unknown. Elliptic curve [4] based cryptosystems provide more security with less amount of memory and hardware and key sizes, when compared to other cryptographic techniques, so elliptic curve cryptosystem may be accepted for mobile devices. Genetic algorithms[5] such as mutation and crossover[6] are used to generate the pepper value, which serves as improved encoding of data for pattern password hashes.II.R ELATED W ORKSThis research mainly concentrates on the solution to the pre-computations on the modern android pattern locks. As pattern locks are prone to dictionaries, rainbow tables and brute forcing, a more secured authentication system is needed to make them strong enough to withstand these attacks. A detailed study on the Android SHA-1 hashes, adding salts and peppers, elliptic curves and cryptography is made.A. Salts and PeppersA salt is a randomly produced value generally stored in the database and is designed to make it impossible toutilize dictionaries to crack passwords. If each passwordhas its own salt, they must all shall be brute-forced individually to crack them. However the salt is stored in the database along with the password hash. A pepper is an unknown salt value, usually hard-coded or generated in the application's source code, which is supposed to be secret. It is used so that a compromise of the database would not reason the entire application's password table to be brute-forceable. A pepper is a secret key. It is an unknown salt and is a random salt that you are not storing in the databases. The pepper is different for each user like a salt. It is not stored at all. Peppers and salts stretch the length of the passwords and consequently improve security with regard to brute-forcing. They also save passwords from rainbow tables and dictionaries.B. Elliptic CurvesElliptical curve cryptography (ECC) is an asymmetric key encryption technique based on elliptic curves that can be used to produce faster, smaller, and efficient cryptographic keys. Secured keys created using ECC through the properties of the elliptic curve equation as a wonderful alternative of the traditional technique i.e. generating the product of very large prime numbers. The technology can be used in a combination with most public key encryption methods, such as RSA, and Diffie-Hellman Key Exchange.According to some research ideas and researchers, ECC can provide a level of security with a 164-bit key that other systems require a 1,024-bit key to attain. Because ECC helps to set up equivalent security with lower computing power and battery resource usage, it is attracting the people widely to be best used for mobile applications.An elliptic curve is a set of points described by the equation: y2 mod p=x3+ax+b mod p where 4a3+27b2≠0. The fig 3 show such a curve where a=1 and b= -2. Based on the values of a and b, elliptic curves may presume diverse shapes on the plane. A point at infinity (also known as ideal point) is a part of the curve and is denoted by the symbol 0 (zero). The points on the curve form a group with point addition. Let P(x1, y1) and Q(x2, y2) be the points on the curve and (x3,y3) is sum of these two points, then the formulae for point addition (P+Q) and point doubling (2P) are shown in the equations (1-4).Fig.3. Elliptic Curvem = (y2 - y1)/ (x2 - x1)if x1 ≠ x2. (1)m = (3x12 + p)/ 2y1 if x1 = x2. (2)x3 = m2 - x1 - x2 (3)y3 = - (y1 + m (x3 - x1) ). (4) Given a point P and a scalar n, computing np=P+P+…+P (n times) is called as scalar multiplication, and given points P and Q, finding n such that P=nQ is called discrete logarithm problem of elliptic curves which makes this cryptosystem strong.C. Koblitz’s EncodingThe main disadvantage with elliptic curve cryptography[7] is encrypting or hashing a plaintext is difficult. The text should be encoded to points on the curve before we apply any elliptic curve based techniques on it. Koblitz[8] proposed a technique to encode a character to a point on the curve like this: a supporting base parameter, k, is selected. For a single character, m, its x value is calculated by x = mk + 1.If there exists a matching value of y on the curve, this (x, y) point on the curve is treated as the corresponding point to represent the message character m. Else, iteratively spot the value y by changing x from [(mk) + 2] to [(mk) + (k-1)]. If substituting x = [(mk) + (k-1)] also will not solve the problem, and there exists no y value, then increment the base parameter, k, by 1 until we solve it for y. For decoding consider each point (x,y) and place m to be the greatest integer less than (x-1)/k. Then the point (x,y) translates as the symbol m. Koblitz’s technique is most efficient and very frequently used technique to map the text to points of the curve. We can directly map a character to a point on the curve as a one-to-one mapping technique, but this method is not much secured.Fig.4. Representing Pattern using Elliptic Curve PointsIII.E XISTING S YSTEM (S ALTED SHA-1)The existing system dynamically generates a salt[18] value based on user’s Device-Id and Gmail-Id. This saltis not needed to be stored in the system’s directory, and thus eliminates brute-forcing and other re-computation attacks such as dictionaries and rainbow tables as well. The salt value is distinctive to each password. So a more protected password storing technique can be achieved. A salted hash has an advantage that even though the hash is cracked you cannot get the password.Step 1:Represent the pattern using points on the elliptic curves shown in fig 4(the process isclearly given in the proposed system).Step 2:Generate an integer n by performing series of XOR operations on the character of theDevice-Id.Step 3:Choose a user pattern p to authenticate.Step 4:Now all the points on this chosen pattern are multiplied by n using Scalar Multiplication[12]giving different points on the same curve. Step 5:Now concatenate these points after converting them into hexadecimals to represent to amessage.Step 6:Break this message into two halves and XOR with each other.Step 7:Perform step 2 twice to produce an intermediate message m.Step 8:To make this message a 64-bit value, reverse the two halves and concatenate them to pad thestring.Step 9:Mark this message as a Salt value for SHA-1. Step 10:Concatenate the salt with the original pattern selection i.e. P.Step 11:Generate SHA-1 hash of this message.Step 12:Store this hash value in the device root directory to authenticate the user.For example, the salt generated using the above algorithm having elliptic curve parameters as a=9, b=7, p=2011 and Device id= “20013fea6bvv820c” Gmail-Id is “account_name@”.Then the salt generated by using above algorithm for a pattern is 7-4-1-5-9-6-3 is ‘0260641073426714’ and finally the SHA-1 hash produced for0260641073426714:7415963 is‘6ab60a0bd7369ca825655da7471147e700be242a’which is stored in the in gesture.key file in device folder in Android root. As salt is added this scheme prevents the password from dictionaries and rainbow tables, as brute-forcing is also becomes harder as well.IV.F OCUS OF THE W ORKBrute-forcing is the finest password cracking methods. The success of this attack depends on several factors. However, factors that affect are password length and combination of characters. This is why forensic experts always talk about strong passwords; they generally suggest users to have longer passwords. It does not make brute-force unfeasible but it makes brute-force more difficult and makes it needs a longer time to reach the password by brute-forcing. All hash cracking algorithms utilise the brute-force to hit and try. This attack is best when attackers try it offline.A. Problems with Shorter SaltsWe have already seen that salts will stretch the password length and prevent dictionaries and make brute-forcing harder. If the salt is too short, an attacker can create a lookup table for every possible salt. To make it impractical for an attacker to create a lookup table for each and every possible salt, the salt must be longer. A good rule of thumb is to create a salt that is the same size as the output of the hash function. For example, the output of SHA-1 is 160 bits, so the salt should be at least 20 random bytes. Moreover, there are many popular tools for brute-forcing are available in the marketGPU (Graphical Processing Units) can be best used in brute force attacks. GPUs are very good in performing parallelising mathematical operations, which is the basis of both cryptography and computer graphics. As GPUs perform massively parallel computations, they are good for brute-force attacks. Therefore our motivation in this paper by modifying the current system is to generate a pepper or a longer salt so that brute-forcing attack may become more and harder for the cryptanalyst to crack the passwords. The current system shows a better improvement regarding brute-force security for pattern passwords as compared to the existing system.V.P ROPOSED S YSTEMThe proposed algorithm Peppered SHA-1) is different from existing algorithm by generating a pepper values to be prepended or appended to the pattern password[9] to generate a hash. This process utilises elliptic curves[10] to generate the grid and to represent the grid points. The steps of this algorithm are described below with the help of a flowchart in figure 5.Step 1:Select Android-Id and Gmail-Id of the user. For example, Device-Id = "67fda43cc1010bca", Gmail-Id = “accountname@”.Step 2:Concatenate the user’s Gmail-Id and Android-Id giving a long string STR.In the current example, it is“67fda43cc1010bcaaccountname@”Step 3:Now select elliptic curve parameters togenerate the grid.Let’s su ppose a= 9; b=7; p=2011;The elliptic curve equation isy2 (mod 2011) = x3+9x + 7 (mod 2011). (5)Fig.5. Flowchart of Salt and Pepper Dynamic Generation SchemeStep 4:Now represent all the characters in the above string STR, with a point on the curve of equation(5) u sing Koblitz’s Encoding.Table 1. Representation of Characters of the String using Elliptic CurvePointsStep 5:Randomly select 9 unique points from the above using any criteria. Here we sorted the points in ascending order according to y-coordinate and selected the first 9 uniquepoints. So, we get (1741,16) (1441,30) (481,91) (1462,123) (421,149) (363,173) (1721,195) (1341,250) (441,445)Step 6:Now the pattern grid is represented using the selected points. Let us say, points and the pattern selected by user is “123569” which shown in fig 6.Step 7:Now select the points for the input pattern ‘12345’. We get the points (1741,16), (1441,30), (481,91), (421,149), (363,173), (441,445) to represent the pattern “123569”. Step 8:Now derive an integer value from the Device-Id by performing a series of Exclusive-OR operations after converting each character to corresponding ASCII value We get 54⊕55⊕102⊕100⊕97⊕52⊕51⊕99⊕99⊕49⊕48⊕49⊕48⊕98⊕99⊕97 = 5.Step 9:Now perform a scalar multiplication of the selected pattern points with the integer derived using Device-Id. We get different points on the curve to represent the pattern password. Here by performing the following scalar multiplication[11] operations.5(1741,16) = (1349,1265)5(1441,30) = (1792,1884)5(481,91) = (1217,1022)5(421,149) = (1171,281)5(363,173) = (1671,1250)5(441,445) = (457,931)Fig.6. Pattern representation of 1-2-3-5-6-9Step 10: Represent the pattern input using the points wehave got after scalar multiplication and concatenate them after converting to hexadecimal. So the hexadecimal points (545,4F1), (700,75C), (4C1,3FE), (493,119), (687,4E2), (1C9,3A3) are concatenated and produce a string:‘5454F170075C4C13FE4931196874E21C93A3’.Step 11: Now break this string into 2 halves and perform Exclusive-OR operation with each other. and repeat this twice to finally get a string. 5454F170075C4C13FE ⊕ 4931196874E21C93A3 =1D65778187370715080776.The above string is again divided into two halves: (pad with 1’s if string length is odd)1D657781873 ⊕ 0715080776 = 674142701F05.Step 12: To make this string a 64-bit value, we need to pad this string. For that we break the string into 2 halves, reverse them separately, we get 241476, 50F107. By concatenating these two strings, we get 24147650F107. Add this stringto the string derived in Step 11, and take thefirst 16 bits to represent the final dynamic message. After choosing the first 16-bits of 674142701F0524147650F107, we get String-1 = “674142701F052414”. Step 13: Generate a second dynamic message string applying genetic crossover and mutation [12] on the string we have got in Step 12. The string we got in Step 12 is ‘674142701F0524147650F107’. Now make this string into 2 halves and perform 1-point crossover. Crossover:Perform 1-point crossover:701F05 67414250F107 241476The string we get after crossover is-> 67414250F107701F05241476. Complementary Mutation:Perform complementary mutation[13] by converting this string to binary and invert them for complementary mutation and again convert the binary string to hexa decimal we get a string,‘98BEBDAFCEF88FECFADBEB89’.Now take the 16-bit bit pepper from the above string as “98BEBDAFCEF88FEC”.So String-2 = “98BEBDAFCEF88FEC ”.Step 14: Now concatenate the above two strings togenerate a dynamic pepper of 128-bits.Step 15: Pepper = String-1 + String 2= “674142701F052414 98BEBDAFCEF88FEC “SHA-1[PEPPER: PASSWORD] gives the final hash. The pattern input is: 123569. Now the peppered input is674142701F05241498BEBDAFCEF88FEC:123569.Calculate SHA-1 hash of “674142701F05241498BEBDAFCEF88FEC:123569“is “D109611DC681E8CB393E31EE0804246172429C2F ”, is stored in device database. This salt and pepper alwaysprevent the pattern passwords[14] from pre-computations such as dictionaries, rainbow tables and brute-forcing. VI. B RUTE -FORCE S ECURITY A NALYSIS In this paper, we are presenting a scheme for pattern passwords to prevent dictionary attacks and brute-forcing. Assailants can extract the hash value from the device database and experiment offline brute-force attack toguess the pattern. But here a pepper is dynamicallygenerated and this dynamic pepper (long salt) of 128-bits makes the system stronger to withstand to pre-computations. Here we can see the effect of prepending the pepper value as they increase the brute-force search space and consequently increases the effort needed by the attackers to crack the passwords compared to the existingmethod i.e. Salted SHA-1. There are nearly 4 lakhscombinations for the pattern locks which can be selected by users.Fig.7. Brute-force Search Space Comparison of the Current System andProposed SystemAs we can observe in the above graph in fig 7, the brute-force search space for the proposed scheme is increased by 264 times that of the existing system. This shows the proposed enhances security with respect to brute-forcing.VII. E XPERIMENTAL R ESULTS AND P ERFORMANCEE VALUATION The performance the proposed scheme i.e. patternauthentication[15] using Peppered-SHA-1 can be estimated using any criteria of hash[17] algorithms like collisions and hashing time and avalanche effect. Here as it is not practical to estimate the number of collisions of the proposed scheme as they are nearly 4 lakhs of combinations of pattern passwords for a 3X3 grid. So, we have tested the performance of the system with respect to time complexities and avalanche effect and search space for brute-forcing. Avalanche Criterion in cryptography refers to one of the significant properties of cryptographic hash functions. The avalanche effect is fulfilled if, theoutput changes considerably as a result of a slight change in input. Here the experimental results and comparison of the existing system and proposed system for pattern passwords is presented.A. Strict Avalanche EffectStrict avalanche Effect is a formalization of the avalanche effect The Strict Avalanche Criterion (SAC) is a property that satisfies the following criteria of the hash functions[16], “if, whenever a single input bit is complemented, every output bit should change with a probability of one half.” SHA-1[23] exhibits Strict Avalanche Criterion. Here, as the input of the pattern is and peppered, after the modifying the initial input data for hashing, we can test the diversions in avalanche effect of the current scheme. We have tested the SAC for the existing systems SHA-1, Salted SHA-1, and the proposed scheme Peppered SHA-1 on a computer with 4GB RAM, i3 Intel core processor, 1.90 GHz processor and a 64-bit OS. We have taken the results and calculated the SAC for these schemes, by taking 100 pairs of input plaintext messages.We have observed the Avalanche Effect by collecting casual input pattern pairs of 4-point, 5-point, 6-point, 7-point and 8-point patterns respectively, where the inputs vary in one single bit. We have plotted the graphs for all the above combinations of patterns to observe the avalanche criterion of the proposed system and current system.The following figures 8-12 show the SAC between the proposed and current schemes. We took the pattern number on x-axis and Avalanche Effect of that input pattern on y-axis.Fig.8. 4-point Pattern SAC Fig.9. 5-point Pattern SAC Fig.10. 6-point Pattern SAC Fig.11. 7-point Pattern SACFig.12. 8-point Pattern SACTable 2. Average SAC Statistics of Different PatternsThe results prove that the time complexities are getting increased more than twice that of the current system as shown in table 2. These observations are taken with a computer system with 4GB RAM, i3 Intel core processor, 1.90 GHz processor and a 64-bit Operating System. The above graphs reveal the performance of the proposed scheme with respect to SAC as compared to SHA-1 and the Salted SHA-1 schemes, for various sizes of the pattern. We can also observe the overall SAC for various pattern sizes as given in the table-2 and figure 13.Fig.13. Average SAC of the 3 MethodsFigure 13 shows the presentation of Strict Avalanche Effect of the three methods. From the results obtained, we can deduce that the proposed method i.e. Peppered SHA-1 exhibits the SAC irrespective of the pattern sizes as like SHA-1 and Salted-SHA-1. B. Time ComplexitiesThe time complexity of an algorithm measures the amount of time taken by an algorithm to run as a function of the size of the input. We always need efficient algorithms as processor time is expensive. Computation has no use if it takes exceedingly long time to solve a problem.But slow hash functions do have some advantages if they run in less amount of time. Brute-forcing consumes much time for slow hash functions. So we have calculated the time complexity of the proposed algorithm to test the performance. Figures 14 and table 3 show the average running times for the hash generation of the current and proposed systems for various pattern sizes after results are observed after execution.Table 3. Average Execution Times of the 3 MethodsFig.14. Average Execution Times in MillisecondsWe can observe from the above graph that the time complexity of the proposed system is increased as this scheme is an extension of the SHA-1 algorithm. The results prove that the time complexities are getting increased more than twice that of the original system i.e SHA-1. But there is no much difference between the CPU times of the salted SHA-1 and peppered SHa-1 systems. These observations are taken with a computer system with 4GB RAM, i3 Intel core processor, 1.90 GHz processor and a 64-bit Operating System. Here the scalar multiplication algorithm, crossover and mutation algorithms take additional amount of CPU time. There are always security and time efficiency trade-offs for any cryptography algorithm, but here we provided security to the existing hash generation system of pattern authentication[22] schemes at the cost of increasing the time complexity for generating the hash value. However a slow hash functions increases security against brute-forcing.VIII. C ONCLUSONSecurity and usability are treated as the most important factors of the system design that augment the user responsiveness of the system. Android mobile requires high user friendliness. Because of several attacks on android mobiles have increased in present times, highly sheltered authentication techniques have become essential. There is no much difficulty in hacking orbypassing the pattern authentication schemes for Android mobile users, the only real obstacle is that we can make it not practical to directly access the “ /data/system/ folder “ and gesture.key file except when we are dealing with a USB enabled or a rooted device. We need new security approaches that keep away from undesired taps on the mobiles and presents better authorization schemes than the existing one with respect to rainbow and dictionary attacks. Further security enhancement of these security schemes is very much crucial to withstand to the pre-computation security threats. When hashing passwords, the two most momentous considerations are the computational cost and security measure. The more computationally costly the。
2022年职业考证-软考-信息安全工程师考试全真模拟全知识点汇编押题第五期(含答案)试卷号:6
2022年职业考证-软考-信息安全工程师考试全真模拟全知识点汇编押题第五期(含答案)一.综合题(共15题)1.单选题恶意代码是指为达到恶意目的而专门设计的程序或者代码。
常见的恶意代码类型有:特洛伊木马、蠕虫、病毒、后门、Rootkit、僵尸程序、广告软件。
以下恶意代码中,属于宏病毒的是()。
问题1选项A.Trojan.BankB.Macro.MelissaC.Worm.Blaster.gD.Trojan.huigezi.a【答案】B【解析】本题考查恶意代码方面的基础知识。
常见恶意代码前缀类型如下所示:系统病毒 Win32、Win95网络蠕虫 Worm特洛伊木马程序 Trojan脚本病毒 Script宏病毒 Macro后门程序 Backdoor答案选B。
2.单选题()是指采用一种或多种传播手段,将大量主机感染bot程序,从而在控制者和被感染主机之间形成的一个可以一对多控制的网络。
问题1选项A.特洛伊木马B.僵尸网络C.ARP欺骗D.网络钓鱼【答案】B【解析】本题考查恶意代码和僵尸网络相关知识。
特洛伊木马:是恶意代码的一种类型,具有伪装能力、隐蔽执行非法功能的恶意程序。
简单来说就是伪装成有用的软件,诱骗用户下载执行。
僵尸网络:指采用一种或多种传播手段,将大量主机感染bot程序,从而在控制者和被感染主机之间所形成的一个可一对多控制的网络。
ARP欺骗:攻击者可以随时发送虚假ARP包更新被攻击主机上的ARP缓存,进行地址欺骗,干扰交换机的正常运行。
网络钓鱼:是一种通过假冒可信方(银行、信用卡公司等)提供上网服务,以欺骗手段获取敏感个人信息(如信用卡详细信息等)的攻击方式。
故本题选B。
点播:僵尸网络是指攻击者利用入侵手段将僵尸程序植入目标计算机上,进而操控受害机执行恶意活动的网络。
僵尸网络的工作过程分为传播阶段、加入阶段、控制阶段。
Normal 0 7.8 磅 0 2 false false false EN-US ZH-CN X-NONE Normal 0 7.8 磅 0 2 false false false EN-US ZH-CN X-NONE3.案例题阅读下列说明和C语言代码,回答问题1至问题4,将解答写在答题纸的对应栏内。
基于安全算法缓解无线自组网中的私有和共享根节点攻击(IJCNIS-V5-N10-1)
I. J. Computer Network and Information Security, 2013, 10, 1-10Published Online August 2013 in MECS (/)DOI: 10.5815/ijcnis.2013.10.01Security Algorithms for Mitigating Selfish and Shared Root Node Attacks in MANETsJ.SengathirResearch Scholar, Department of Computer Science and Engineering,Pondicherry Engineering College, Pondicherry, India,j.sengathir@R.ManoharanAssociate Professor, Department of Computer Science and Engineering,Pondicherry Engineering College, Pondicherry, India,rmanoharan@Abstract—Mobile ad hoc network is a type of self configurable, dynamic wireless network in which all the mobile devices are connected to one another without any centralised infrastructure. Since, the network topology of MANETs changes rapidly. It is vulnerable to routing attacks than any other infrastructure based wireless and wired networks. Hence, providing security to this infrastructure-less network is a major issue. This paper investigates on the security mechanis ms that are proposed for Selfish node attack, Shared root node attack and the Control packet attack in MANETs with the aid of a well known multicast routing protocol namely Multicast Ad hoc On Demand Distance Vector (MAODV). The security solutions proposed for each of the above mentioned attacks are evaluated with the help of three evaluation parameters namely packet delivery ratio, control overhead and total overhead. The algorithmic solutions thus obtained are analysed in the simulation environment by using ns-2 simulator.Index Terms— MANETs, Selfish nodes, Shared root node, MADOV, Control packet, Sequence numbersI.I NTRODUC TIONA mobile ad hoc network is a self-organizing distributed network in which each and every mobile node performs routing autonomously without any centralized authority [1]. In this Wireless network, the packets are relayed in a multi-hop fashion from the source node to the multicast group members based on the reliability of the nodes present in the routing path. Thus, routing in MANETs necessitates the cooperation of each and every node for successful packet delivery [2]. But the presence of non co-operating nodes i.e., selfish nodes reduces the throughput of the entire network, so an algorithm has to be devised for handling selfish nodes [3]. In this paper, we propose a reactive mechanis m called Secure Destined Packet algorithm which can detect and prevent the selfish behaviour based on the calculation of both the cut off ratio and the packet delivery ratio computed on each of the mobile nodes in the network.In MANETs, the transmissions of data between the groups of hosts are identified through a unique group destination address. But still, the security issues of MANETs in group communications are more challenging because of the commitment of multiple senders and multiple receivers [4]. Although several types of security attacks in MANETs have been studied in the literature, the focus of earlier research was only on unicast (point-to-point) applications [5-7]. The impact of security attacks on multicast scenario of MANETs has not yet been explored. Especially in case of MAODV protocol, the reliability of the data transfer depends on the shared root node or the rendezvous point of each multicast group. Hence securing shared root node becomes a necessary task. In order to make the shared root node more secure, the group leader election algorithm becomes essential.The protocol used for our study is the MAODV Protocol. Some of the striking features of the protocol are enumerated below. Multicast Ad hoc On-demand distance vector protocol (MAODV) is an enhanced multicast version of A ODV Protocol, where all the members of the multicast group are formed into a multicast shared tree [8]. The tree formation includes the non-members and the root of the tree is called the group leader. Multicast data packets are relayed among the tree nodes [9]. The salient feature of the MAODV protocol is about how they form the tree, repair the tree when link break occurs and to join the existing is disconnected tree into a new tree. The four types of packets supported by MAODV are RREQ, RREP, MACT and GRPH [10]. A node broadcasts a RREQ only when it is a member node and if it wants to join the tree or when it is a non-member node but has a data2Security Algorithms for Mitigating Selfish and Shared Root Node Attacks in MANETspacket to be delivered to the group [11]. When the node receives the RREQ, it sends the reply by sending the RREP using unicast routing. GRPH is the group hello packet, which is send periodically by group leader to know whether the group members are within the range of communication [12]. MA CT packet originates only when there is a need for group communication.The rest of the paper is organized as follows: In section 2 we discuss on the literature a survey and the list of possible attacks in MANET. In section 3, 4 and 5, we discuss elaborately on the proposed detection and mitigation algorithm of selfish node, shared root node attack and control packet attack respectively. The detailed performance analyses for the proposed algorithms relative to the existing traditional MAODV are discussed in section 6. Finally, we conclude in section 7 with future scope.II.L ITER ATUR E R EVIEWFrom the recent past, many secure mitigation algorithms were proposed varying from trust basedsolution to energy based algorithms for selfish nodebehavior and shared root node attack. These algorithms were implemented based on the confidence level that aeach and every node possesses about their neighbournodes and they are mainly employed to tackle energy, congestion or bandwidth allocation. Some of the works present in the existing literature are enumerated below.Ching-Chuan Chiang et al [13] proposed a multicast routing protocol that needs only minimal infrastructure. This protocol makes its profit by exploiting the broadcast facilities of the wireless channel which is present implicitly in the network. The design protocol is a hybrid protocol that shows the property of both flooding and shortest multicast tree.S. Kumar Das et al [14] proposed a reactive multicastrouting protocol which performs its routing by buildingand maintaining a shared meshes. This shared mesh isformed by the group of core based trees.H. Yang et al [15] determined the genuineness of themobile nodes with the help of one way hash function.This one way hash function was manipulated based on the initial input iteratively. The obtained output can be used for authentication. This mechanism also enables to find any fault in the network using explicit acknowledgementS.Roy, V.G.Addada, S.Setia and S.Jajodia [16]proposed detection and prevention solutions to various attacks on multicast tree maintenance. The various attacks against route discovery and establishment are RREP-INV, MACT (J) –MTF and RREP-INV, MACT (P) –PA RT. They elaborated on the shared root node attack, how they occur and how they can be mitigated. They have explained about the clear scenario of how the shared multicast tree are formed and how a node or a group of nodes join a source multicast tree.C.Demir and aniciu et al [17] proposed an auction based routing methodology for MANETs. The auction based methodology was implemented with the following properties in mind, the first one is that the route can be selected depending upon minimum cost calculated from individual node bids. The second one i s that the payment allocated to the winning route should be the one requested by the second smallest biding route. The mechanism is implemented during route discovery following the route discovery process the payment is carried out the specific amount of currency is paid to the intermediate routes.Chi-Yuan Chang et al [18] proposed an efficient bootstrap router which was designed based on the rendezvous point mechanis m. This proposed mechanis m can provide a solution to the RP recovery in case of shared tree network. This work also emphasizes the need of PIM multicast network, which provides one-to-many services like videoconferencing and chat applications.D. Patel et al [19] addressed various security issues against Worm Hole attack. They used the parameter called time of flight which calculates the RTT for each and every node. This work also determines whether mobile nodes are within the communication range or not by using directional antennas.Bing Wu et al [20] suggested mechanism like Watch Dog, Pathrater and IDS for monitoring, so that the attacks could be prevented with an aid of a reactive solution. This solution mainly concentrates on the key manipulations performed on the mobile node. These computations help to determine whether a node is genuine or not.A. Similar Types of AttacksThere are a number of routing attacks which may reduce the performance of the MAODV protocol. Short descriptions of some of such attacks are given below: Neighbouring Attack:In a normal scenario, each and every participating node first records the id of the packet received. In case of neighbor attack the compromising node simply forwards the packet without recording the packet id assuming that they are neighbours even though they are not in the same radius of communication.Blackmail Attack:In case of black mail attack, the attacker node advertises a genuine node as a compromised node which may carry out some malicious behaviour during routing mechanis m. Such attacks could prevent the source to choose the best path to the destination there by reducing the overall efficiency and throughput in the network. Jelly fish Attack:In this kind of attack, an attacker delays the data packet unnecessarily for some quantum of time before forwarding them. Thus disturbing the performance of the multicast group results in high end to end delay in the networksSybil Attack:In case of Sybil attack, the malicious nodes present in the network topology generates a large number of fake identities to disturb the normal functioning of MANET applications.Resource consumption Attack:In this attack, the malicious node tries to consume the resources like battery power and bandwidth of the other nodes available in the network. This could be established by triggering unnecessary route request control messages, beacon messages packets or stale information to nodes.Sinkhole Attack:In this specific kind of attack, the compromised attacker node tries to get the attraction of the data packet to itself from all other neighboring nodes. This could make all the data flow to flow to particular node and hence the packet may be altered or eavesdropped. Byzantine Attack:In this byzantine attack, an attacked intermediate node or a set of compromised attacker nodes works in collusion and carries out the attacks such as creating routing loops, forwarding packets on non-optimal paths and selectively dropping packets which results in disruption or degradation of the routing services. It is hard to detect byzantine failures. The network would seem to be operating normally in the viewpoint of the nodes, though it may actually be showing Byzantine behavior.Gray hole Attack:The gray hole attack has two phases. In the first phase, a malicious node exploits the protocol to advertise itself having an optimal route to a destination node, with the intention of intercepting packets, even though the route is not optimal. In the second phase, the node drops the intercepted packets with a certain probability. This kind of attack is more difficult to detect than the black hole attack where the malicious node drops the received data packets with certainly. A gray hole may exhibit its malicious behavior different ways. It may drop packets coming from (or destined to) certain specific node(s) in the network while forwarding all the packets for other nodes. Another type of gray hole node may behave maliciously for some time duration by dropping packets but may switch to normal behavior later. A gray hole may also exhibit a behavior which is a combination of the above two, thereby making its detection even more difficult.B. Extract of the Literature ReviewThe review of the literature on the security mechanis ms available for MAODV protocol are lacking in the following issues:i.The methodology by which a shared root nodeattack can be detected and if detected how to isolatethe shared root node is not yet proposed. ii.The algorithm for choosing a node as the group leader, when the existing shared root node is compromised is not yet explored.iii.Non-reputation mechanisms for identifying a selfish node in a group are not available.iv.The use of the sequence number for identifying the control packet attack are not yet established for inthis protocolv.The preventive mechanism that has to be carried out, when the control packets like RREQ, RREP,MACT or GRPH are attacked has not been implemented.Thus it is motivated to detect and provide solution to these attacks on MAODV, in order to enhance the security and the performance of the network.III.S ELFISH N ODE A TTACKSelfish nodes are defined as the mobile nodes that deny forwarding other nodes’ packets but relays the packets originated from them. This behaviour is intentionally for maximizing their resources at the expense of all other neighbor nodes. Hence, Selfish nodes are found to be the most vulnerable in MANET environment. Due to the presence of selfish nodes the packet delivery ratio of the network drastically drops and leads to poor performance of the network. Suitable trust solution is required to mitigate the above said attack. Here we propose an algorithm called Secure Destined Packet Algorithm to secure the MAODV protocol against non cooperating nodes and make the protocol more robust. In Secure Destined Packet Algorithm, the detection of selfish behaviour present in the network topology is identified at two different levels. In the primary level, the selfish nodes are identified based on information obtained from neighbours using two hop acknowledgement mechanisms. In the secondary level, the mobile nodes which are already identified as selfish nodes are screened based on inbound and outbound data Counter.The optimal Packet transmission ratio obtained for each and every node is compared with the cut-off Packet Delivery Ratio. If the optimal Packet transmission ratio is lower, a selfish node is found.Algorithm 1 Pseudo code for Primary Level Secure DestinedPacket AlgorithmAlgorithm 2 Pseudo code of Secondary Level Secure DestinedPacketA. Illustration for Selfish Node Behaviour.Consider a multicast scenario in MAODV as illustrated in the Fig.1. Here ‘S’ is the source node, ‘M’ is the selfish node and ‘R1’, ‘R2’, ‘R3’ are the receiver nodes in the group. When the source ‘S’ present in the first multicast group transmits the data packets to the receiver nodes present in the next multicast group. Since the node ‘M’ is selfish, the packets routed through the S-RV1-RV2-M-R2 path are dropped by that node. Since the receiver ‘R2’ node has not received any packets, it sends RREQs to its neighbors. Further if any RREPs are not received, it sends THACK i.e., two hop acknowledgement for detecting the reliable route and marks the node ‘M’ as the selfish node in the routing table.Figure 1: The Presence of Selfish Node in the MulticastScenario of MAODVThe second level of selfish node detection is achieved by comparing the Packet Transmission Ratio of each and every node with the cut-off ratio computed distributive in each and every node. The mitigation of selfish node is achieved through the help of Rehabilitate ( ).IV. S HARED R OOT N ODE A TTACKIn case of shared root node attack, the attacker node disguises a tree node and sends a MACT (P) packets i.e., a tree prune control packet to all the nodes’ present in the multicast tree. If a downstream node has one and only downstream link and if it is a non member, it prunes itself and sends a prune message to its entire downstream node. This may cause multicast tree to be pruned. So the multicast pruning may disturb the group communication by not relaying the packets to the multicast members as well as the non members. Here, we propose a Detecting Shared Root Node algorithm to identify the mobile nodes which tries to exhibit shared root node behaviour. The identified attacker nodes are removed and new zone leader is elected by means of the secure zone leader election algorithm. The newly elected zone leader will update its entries in the multicast table. The zone is reconstructed with the help of newly elected zone leaderAlgorithm 3: Pseudo code for mitigating Shared root nodeattack.Algorithm 4 Secure Zone leader Election algorithmA. Illustration for Shared Root Node Behaviour.The source node D present in the first multicast tree wants to send data to receivers R1, R2 and R3, the rendezvous point RV of group 1 or group 2 may be compromised as shown in Fig. 2.Figure 2: The Presence of Shared Root Node Attack in theMulticast Scenario of MAODVThis can be counteracted by electing a zone leader which has maximum reputation Probability in the multicast group. In this scenario, the newly elected zone leader is E in group 1 and G in group 2 according to their Reputation Probability factor.V. C ONTROL P ACKET A TTAC KIn case of MAODV, the route establishment between the source node and the receiver nodes in group communication is achieved through control packets namely RREQ, RREP, GRPH and MACT. In our proposed solution, we have devised an algorithm mainly for detecting RREQ and RREP control packet attack. This algorithm makes use of the sequence number for detecting the control packet attack, where sequence number is the monotonically increasing number when the packet relays from one hop to the other hop. The following algorithm detects the control packet attack using sequence number.Algorithm 5: Pseudo code for detecting control packet attack A. Illustration for Control Packet Attack .Initially the source node S sends RREQs to all possible routes and waits for time period called Simclock for RREPs through reverse route as shown in Fig. 3.Figure 3: The Presence of Control Packet Attack in theMulticast Scenario of MAODVComputeEnd forIf M is not malicious RREPs are acknowledged, it stores the predecessor node id, current sequence number, destination sequence number and Multicast identifier in the Multicast Table. In case, the node M behaves as malicious node then the detection of control packet attack is performed by comparing the current node’s sequence number with destination node’s sequence number present in the control packet. If the current node sequence number is less than the destination node sequence number, the source node initiates the forwarding of data packets. If not, identify the predecessor node M is identified as malicious node and isolated. Finally call for retransmission of RREQs by the source node S.VI.S IMULATION AND R ESULTSThe simulation environment used for our study is ns-2.26.This simulation environment is chosen because of possessing the feature of high scalability especially for large scale wireless communication networks. We have used the above mentioned simulation platform for analyzing the influence of the selfish, root node and control packet attack based on the evaluation parameters like packet delivery ratio, control overhead and total overhead. In our simulation environment, 50 mobile nodes are placed in a terrain size of 1000X1000. Each source transmits packets of size 512 bytes each at various time intervals. The refresh interval time is set as20 seconds while the channel capacity is 2 Mbps.A.Performance MetricsThe performance analysis of multicast ad-hoc on demand distance vector protocol was carried out with the help of the following evaluation parameters.Packet Delivery Ratio:Packet delivery ratio may be defined as the ratio of the total number of data packets received to the total number of the data packets sent towards the multicast group in a multicast session.Control Overhead:Control overhead may be defined as the ratio of the sum of control data bytes needed by the source to explore the optimal route between the source and the receiver group to the total number of application data bytes transmitted.Total Overhead:Total overhead may be defined as the ratio of total number of packets comprising of both the control packets and data packets required for establishing a multicast session to the number of data packets sent towards the group.B.Simulation ParametersThe following table 1 illustrates the parameters for simulation study.Table 1 Simulation ParametersC.Performance Evaluation of Secured PacketDestination Algorithm for Selfish NodesPacket Delivery Ratio:In ideal conditions, the maximum packet delivery ratio of MAODV protocol is 97%. The performance of the protocol crumbles based on the number of selfish nodes present in the multicast scenario and reaches a minimum of 58%. The Fig. 4 shows the performance analysis of Secured Destination Packet Algorithm based on Packet Delivery RatioFigure 4: Performance Analysis of Secured Destination Packet Algorithm based on Packet Delivery Ratio.But When Secure Destination Packet Algorithm is deployed, the packet delivery ratio increases to an extent of 21%.Control OverheadThe presence of the selfish node behavior increases the control overhead in the MAODV protocol, whichreduces the effective group communication. Hence the control overhead has to be reduced for ideal performance of the protocol. The Fig. 5 shows the Performance Analysis of Secured Destination Packet Algorithm based on Control Overhead.Figure 5: Performance Analysis of Secured Destination Packet Algorithm based on Control Overhead.Control overhead considerably increases in the presence of the selfish node attack to an extent of 27% but when mitigation algorithm is deployed it shows a decrease of 25%.Total OverheadThe presence of the selfish node increases the total overhead in the MAODV protocol, thus by affecting the effective group communication. Hence the total overhead has a greater impact on the performance of the protocol. The Fig. 6 shows the performance Analysis of Secured Destination Packet Algorithm based on Total Overhead.Figure 6: Performance Analysis of Secured Destination Packet Algorithm based on Total Overhead.The total overhead considerably increases in the presence of the Selfish node attack to an extent of 32% but when mitigation algorithm is deployed it shows a decrease of 30%. D.Performance Evaluation of Secured Zone LeaderElection Algorithm.Packet Delivery RatioIn ideal conditions, the maximum packet delivery ratio of MAODV protocol is 97%. The performance of the protocol crumbles based on the number of selfish nodes present in the multicast scenario and reaches a minimum of 57%. The Fig. 7 shows the Performance Analysis of Secured Zone Leader Election Algorithm based on Packet Delivery Ratio.Figure 7: Performance Analysis of Secured Zone LeaderElection Algorithm based on Packet Delivery Ratio.But When Secure Zone leader election Algorithm is deployed, the packet delivery ratio increases to an extent of 33%.Control OverheadThe presence of the shared root node attack increases the control overhead in the MAODV protocol, which reduces the effective group communication. Hence the control overhead plays a vital impact on the performance of the protocol. The Fig. 8 shows the Performance Analysis of Secured Zone Leader Election Algorithm based on Control Overhead.Figure 8: Performance Analysis of Secured Zone Leader Election Algorithm based on Control Overhead.The control overhead considerably increases in the presence of the selfish node attack to an extent of 27% but when mitigation algorithm is deployed it shows a decrease of 25%.Total OverheadThe presence of the selfish node attack increases the total overhead in the MAODV protocol, which reduces the effective group communication. Hence the total overhead has a greater impact on the performance of the protocol. The Fig. 9 shows the Performance Analysis of Secured Zone Leader Election Algorithm based on Total Overhead.Figure 9: Performance Analysis of Secured Zone Leader Election Algorithm based on Total Overhead.The total overhead considerably increases in the presence of the Selfish node attack to an extent of 32% but when mitigation algorithm is deployed it shows a decrease of 30%.E.Performance Evaluation of Sequence Numberbased Detection Algorithm for Control PacketAttack.Packet Delivery RatioIn ideal conditions, the maximum packet delivery ratio of MAODV protocol is 97%. The Fig. 10 shows the performance Analysis of Control Packet Attack Detection Algorithm using Sequence Number based on Packet Delivery Ratio.Figure 10: Performance Analysis of Control Packet Attack Detection Algorithm using Sequence Number based on PacketDelivery Ratio.The performance of the protocol crumbles based on the number of selfish nodes present in the multicast scenario and reaches a minimum of 57%. But when is sequence number based detection algorithm was deployed, the packet delivery ratio increases to an extent of 21%.Control OverheadThe presence of the control packet attack increases the control overhead in the MAODV protocol, which reduces the effective group communication. Hence the control overhead plays a vital impact on the performance of the protocol. The Fig. 11 shows the performance analysis of Control Packet Attack Detection Algorithm using sequence number based on Control Overhead.Figure 11: Performance Analysis of Control Packet AttackDetection Algorithm using Sequence Number based onControl Overhead.The control overhead considerably increases in the presence of the control packet attack to an extent of 29% but when mitigation algorithm is deployed it shows a decrease of 26%.Total OverheadThe presence of the control packet attack increases the total overhead in the MAODV protocol, which reduces the effective group communication. Hence the total overhead has a greater impact on the performance of the protocol. The Fig. 12 shows the Performance Analysis of Control Packet Attack Detection Algorithm using Sequence Number based on Total Overhead.Figure 12: Performance Analysis of Control Packet Attack Detection Algorithm using Sequence Number based on TotalOverhead.The total overhead considerably increases in the presence of the control packet attack to an extent of 30% but when mitigation algorithm is deployed it showsa decrease of 27%.VII.C ONCLUSION AND F UTUR E E NHANC EMENTSThis paper provides an elaborate description about the existing reactive and tree based multicast protocol MAODV and how the security can be provided for the same by detecting and mitigating the attacks like shared root node attack, selfish node attack and control packet attack. The Performance of the algorithm has been analyzed by varying the number of mobile nodes with respect to the metrics like packet delivery ratio, Control overhead and total overhead.This work can be further proceeded to establish multiple level security, so as to propose security as oneof the QOS in group communication. New Security metrics can be framed and the above proposed algorithms can be analyzed with those metrics.R EFERENCES[1] E.M.Royer and C.E.Perkins. Multicast Operation ofthe Ad hoc On-Demand Distance Vector RoutingProtocol. Proceedings of ACM MOBICOM 2002,pp.207-218, Aug 2002.[2] Seungjoon Lee and Chongkwon Kim. NeighborSupporting Ad Hoc Multicast Routing Protocol. InProceedings of ACM the First ACM InternationalSymposium on Mobile Ad Hoc Networking andComputing, pages 37–44, August 2000.[3] M.Phani, Vijaya Krishna, Dr M.P.Sebastain.HMAODV: History aware on Multicast Ad HocOn Demand Distance Vector Routing. IEEE 2006. [4] S.Buchegger and J-Y L.Boudec. Nodes bearingGrudges: Towards routing security, Fairness, andRobustness in Mobile Ad-Hoc Networks preseentedat tenth Eurominicro workshop on Partallel.Distributed and Networkbased Processing , CanaryIslands, spain, 2002.[5] L.Buttyan and J-P, Hubaux, StimulatingCooperation in Self –organizing Mobile Ad hocNetworks, Mobile Computing and Networking. Pp255-265, 2003.[6] S.Marti, T.J Giuli, i, and M.Baker. Mitigatingrouting misbehavior in mobile ad hoc networks.Mobile Computing and Networking, pp 255-2656,2000.[7] P.Michiardi and R.Molva, CORE: A collaborativereputation mechanism to enforce node cooperationmobile ad hoc networks. presented atCommunication and Multimedia security, Protoroz,Solvenia, 2002.[8] S.Buchegger and J-Y L.Boudec. PerformanceAnalysis of the CONFIDANT protocol: Cooperation of Nodes – Fairness in Distributed Ad-hoc Networks. Presented at tenth Eurominicroworkshop on Partallel, Distributed and Networkbased Processing , Canary Islands, spain, 2002.[9] F.Kargl A.Klenk , S.Schlott and M.Weber.Advanced Detection of selfish or Malicious Nodesin Ad hoc Networks. Presented at 1st EuropeanWorkshop on Security in Ad-Hoc and SensorNetwork. Heidelberg Germany,2004.[10] Md. Amir Khusru Akhtar & G. Sahoo.Mathematical Model for the Detection of SelfishNodes in MANETs. International Journal ofComputer Science and Informatics (IJCSI) ISSN(PRINT): 2231 –5292, Volume-1, Issue-3.[11] A.H Azni, Rabiah Ahmad,Zul Azri Muhamad Noh,Abd Samad Hasan Basari, Burairah Hussin.Correlated Node Behavior Model based on SemiMarkov Process for MANETS. IJCSI InternationalJournal of Computer Science Issues, Vol. 9, Issue 1,No 1, January 2012.[12] C.A.V.Campos and L.F.M.de Moraes. AMorkovian Model Representation of IndividualMobility Scenarios in Ad Hoc Networks and ItsEvaluation. EURASIP Journal on WirelessCommunicationsand Networking.,Pp231 –5292,Volume-1, Issue-3.[13] Ching-Chuan Chiang, Mario Gerla, and LixiaZhang. Forwarding Group Multicast Protocol(FGMP) for Multihop, Mobile Wireless Networks.Cluster Computing, Springer Special Issue onMobile Computing, 1(2):187–196, 1998.[14] Subir Kumar Das, B.S. Manoj, and C. Siva RamMurthy. Dynamic Core-Based Multicast RoutingProtocol for Ad Hoc Wireless Networks. InProceedings of the Third A CM InternationalSymposium on Mobile Ad Hoc Networking andComputing, pages 24–35, June 2002.[15]H. Yang, H. Y. Luo, F. Ye, S. W. Lu, and L. Zhang,Security in mobile ad hoc networks: Challenges andsolutions. IEEE W ireless Communications, vol. 11,pp. 38-47, 2004.[16] S. Roy, V.G. Addada, S. Setia and S.Jajodia,Securing MAODV: Attacks and countermeasures,in Proceedings of. SECON’05, IEEE,2005.[17] Demir, C and Comaniciu C. An Auction basedAODV Protocol for Mobile Ad Hoc Networks withSelfish Node. Communications ICC'07. IEEEInternational Conference in June 2007.[18] Chi-Yuan Chang, Yun-Sheng Yen. Chang-WeiHsiesh Han-Chieh Chao An Efficient RendezvousPoint Recovery Mechanism in MulticastingNetwork. International Conference on Communications and Mobile Computing, 2007. [19] Ashish D. Patel, Jatin D. Parmar and Bhavin I.Shah. MANET Routing Protocols and WormholeAttack against AODV. IJCSNS InternationalJournal of Computer Science and Network Security,Vol.10 No.4, pp. 12-18, April 2010.[20] Bing Wu, Jianmin Chen, Jie Wu, Mihaela Cardei.A Survey on Attacks and Counter measures inMobile Ad Hoc Networks. W IRELESS/MOBILE。
计算机病毒网络传播模型分析
计算机病毒网络传播模型分析计算机这一科技产品目前在我们的生活中无处不在,在人们的生产生活中,计算机为我们带来了许多的便利,提升了人们生产生活水平,也使得科技改变生活这件事情被演绎的越来越精彩.随着计算机的广泛应用,对于计算机应用中存在的问题我们也应进行更为深刻的分析,提出有效的措施,降低这种问题出现的概率,提升计算机应用的可靠性.在计算机的广泛应用过程中,出现了计算机网络中毒这一现象,这种现象的存在,对于计算机的使用者而言,轻则引起无法使用计算机,重则会导致重要信息丢失,带来经济方面的损失。
计算机网络中毒问题成为了制约计算机网络信息技术的重要因素,因此,对于计算机网络病毒的危害研究,目前已经得到人们的广泛重视,人们已经不断的对计算机网络病毒的传播和建立模型研究,通过建立科学有效的模型对计算机网络病毒的传播和进行研究,从中找出控制这些计算机网络病毒传播和的措施,从而提升计算机系统抵御网络病毒侵害,为广大网民营造一个安全高效的计算机网络环境。
ﻭﻭ一、计算机病毒的特征ﻭﻭ(一)非授权性ﻭﻭ正常的计算机程序,除去系统关键程序,其他部分都是由用户进行主动的调用,然后在计算机上提供软硬件的支持,直到用户完成操作,所以这些正常的程序是与用户的主观意愿相符合的,是可见并透明的,而对于计算机病毒而言,病毒首先是一种隐蔽性的程序,用户在使用计算机时,对其是不知情的,当用户使用那些被感染的正常程序时,这些病毒就得到了计算机的优先控制权,病毒进行的有关操作普通用户也是无法知晓的,更不可能预料其执行的结果。
ﻭﻭ(二)破坏性计算机病毒作为一种影响用户使用计算机的程序,其破坏性是不言而喻的。
这种病毒不仅会对正常程序进行感染,而且在严重的情况下,还会破坏计算机的硬件,这是一种恶性的破坏软件。
在计算机病毒作用的过程中,首先是攻击计算机的整个系统,最先被破坏的就是计算机系统。
计算机系统一旦被破坏,用户的其他操作都是无法实现的。
ﻭ二、计算机病毒网络传播模型稳定性ﻭﻭﻭ计算机病毒网络的传播模型多种多样,笔者结合自身工作经历,只对计算机病毒的网络传播模型-——SIR模型进行介绍,并对其稳定性进行研究。
无线传感器网络中恶意程序的传播模型
l 概 述
无线 传 感 器 网络 ( rls S no ew r, S 是 由传 Wi es esrN t ok W N) e
本文提 出了一种基于 IE 0 .5 E E 821. 4标准的无线传感器
(. olg f h s sS i c n fr t nE gn eig He eNo a Unvri , hj zun 50 6Chn ; 1C l e P y i ce e dI omai n ier , bi r l iesy S iah a g 0 1 , ia e o c n a n o n m t i 0
W S I s f u d t a e p o a a i n o l wa e i h S c n be r sr i e y i c e s n e r c v r a e a d d c e sn h n e t n r t . N. ti o n h tt r p g t fma h o r n t e W N a e ta n d b n r a i g t e o e y r t n e r a i g t e i f c i a e h o
M a wa ePr p g to o e ie e sS n o t r l r o a a i n M d l n W r l s e s rNe wo k i
F S u i, ANG a g g a g , A i n f n U h a W Ch n - u n M J a -e g
S m u a i n r s lss o t a e m o e o k el i lto e u t h w h t h d l t w r sw l
恶意移动代码分析与研究共43页
Slapper,
2002年9月14日
Slammer,
2003年1月25日
Dvldr32,
2003年3月7日
MSBlaster,
2003年8月12日
Nachi,
2003年8月18日
2004年蠕虫
MyDoom.C Witty Worm Sasser Worm Santy Worm
2004年2月9日 2004年3月20日 2004年4月30日 2004年12月21日
WH
SY
SH
0
NJ
20
CD GZ
防范主体
– 网络运营商、服务提供商、用户; – 系统厂商、防毒产品厂商; – 科研技术人员、政府主管部门;
蠕虫的历史回顾
Xerox PRAC,
1980年
Morris Worm,
1988年11月2日
WANK Worm,
1989年10月16日
ADM Worm,
1998年5月
Millennium,
Regular viruses Macro viruses
风险越来越大…
攻击目标和 破坏程度
Rapidly Escalating Threat to Businesses
全球基础设施
区域性网络
多个网络
单个网络 单台计算机
周
一种P2P网络恶意代码4状态被动传播模型
( I o e eo o u e , nig Unv ri f o t n lc mmu i t n ,N yo ss dTe o l C n t P a e n ai s a j g 2 0 0 , hn ; c o n 2 S aeK y L b r tr f n o mai e u i si t o o t r , hn s a e f c n e ,B in 0 1 0 C ia . tt e a o ao yo fr t n S c r yI t u e f f I o t n t S wae C ieeAc d myo i c s e i 1 0 9 , hn ; S e jg
3 Ja g u Hih Te h oo yRe e rh Ke a o ao yf rW ieesS n o t r s . in s g c n lg s ac y L b rt r o rls e s rNewo k ,Na j g2 0 0 ni 1 0 3,Chn ) n ia
摘
要: 对等 网络的 恶意代码 传播 和破 坏 问题 日益 严重 。 区分 了对等 网络 中恶意 代码 的主 动传 播 和被 动传
播 2种 情况 , 对对 等 网络 中被动 传播 的 恶意代码提 出 了一种 4状 态被动传 播模 型 4 P 。该模 型根 据对 等 针 SP 点 受恶意代 码的 影响状 态, 对等 点分 为 易感染对等 点 、 将 已暴 露对 等 点 、 已感 染对 等 点和 已免疫 对 等 点 4种 类 型 , 给 出了以微分 方程表 示 的处 于各种状 态的 对等 点数 量 随 时间 迁移 变化 的规 律公 式 。特 别 针 对模 型 并 中的感 染与免 疫参数 以及 已感 染对等 点与 已暴露对 等 点数量 初 始值 的 不 同情 况进行 了仿 真 实验 , 观 地 掌 直 握 对等 网络 恶意代码 的基本被 动 传播规 律 , 出对 抗 P P网络 恶 意代码 的合理 策略 。 得 2
基于点对群网络反馈机制的恶意代码传播模型
基于点对群网络反馈机制的恶意代码传播模型
李晨曦;任建国
【期刊名称】《计算机工程》
【年(卷),期】2023(49)1
【摘要】在点对群信息共享网络中,群体成员之间交流频繁并且同一群体内的成员可以同时从信息源接收到相同信息,依据点对群网络的这2个特点,考虑从恶意代码感染中恢复后的节点作用,在点对群网络中建立一种具有动态反馈防治信息功能的易感-感染-反馈-免疫(SIFR)模型。
在经典易感-感染-免疫(SIR)传播模型的基础上引入反馈节点,通过动态共享防治信息遏制恶意代码在点对群网络中的传播。
根据计算得到SIFR模型的平衡点和传播阈值,构建相应的Lyapunov函数,证明了平衡点的局部和全局稳定性。
数值模拟实验结果显示:当反馈率取0.000 1时,SIFR模型相较于经典SIR模型在传播阈值小于1的情况下,感染节点在峰值处的数量降低了36.16%,能更早更快地趋近于0;当传播阈值大于1时,同一时间的感染节点数量有所减少,趋于稳定的感染节点数量降低了80%。
上述实验结果表明SIFR模型应用在点对群网络中能够更好地遏制恶意代码的传播,且反馈率越高,遏制效果越好。
【总页数】10页(P163-172)
【作者】李晨曦;任建国
【作者单位】江苏师范大学计算机科学与技术学院
【正文语种】中文
【中图分类】TP393
【相关文献】
1.一种P2P网络恶意代码4状态被动传播模型
2.无标度网络中基于反馈机制的病毒传播模型
3.对等网络主动型恶意代码与免疫疫苗的对抗传播模型
4.P2P网络中基于特征行为检测的恶意代码传播模型
因版权原因,仅展示原文概要,查看原文内容请购买。
探究复杂邮件网络和恶意代码传播模型
探究复杂邮件网络和恶意代码传播模型1引言网络拓扑结构经过以下三个发展阶段:1959年Erdo和Renyi提出一种随机网络模型(ER)模型来描述网络,在接下来的数十年里这种模型一直被研究和引用;从上世纪末开始,由于互联网的发展,科学家们发现大量的真实网络并不是随机网络,而是具有与随机网络不同的统计特征的网络,这样的一些网络被科学家们叫做复杂网络。
关于复杂网络,1999年Barabai和Albert在Science上发表文章指出,许多实际的复杂网络的连接度分布具有幂律形式,由于幂律分布没有明显的特征长度,该类网络又被称为无标度(Scale-Free,简称为SF)网络。
后来的研究表明并非万维网独有,无标度网络无处不在。
包括:生命科学领域的各种网络、社会网络(流行性疾病的传播网络、科学家合作网络、人类性关系网络)、语言学网络,等等。
当然电子邮件网络也不例外,它是符合幂律分布规律的网络之一,因而也具有无标度的特性。
Newman等人分析了电子邮件网络的实际拓扑结构,统计了和调查了一个实际的电子网络,通过电子邮件簿来构建该网络的模型。
在这个模型中,节点代表实际的计算机用户,如果B 的电子邮件地址出现在A的电子邮件地址簿中,则认为从A到B有一条连接。
该网络共有16881个节点,这些节点间共有4581个地址簿。
可以看出,该邮件网络的入度及出度均服从明显的指数型分布,但入度服从纯指数分布,而出度服从幂为1/2的拉伸的指数分布。
Ebel等人建立了另外一种电子邮件拓扑结构网络模型。
该模型基于美国Keil大学的一组电子邮件网络服务器。
该网络共有59812个节点。
与Newman的调查方式不同,他通过这个实际网络的电子邮件帐户来构建该模型。
可以看出,该邮件网络是一个明显的有向无标度网络,其入度服从指数为1.49±0.18的幂律分布,出度服从指数为2.03±0.12的的幂律分布。
2.本文的目的与贡献综合以上对于实际邮件网络的调查结果可知,现实中的电子邮件网络应该是一个符合幂律分布的有向SF网络。
基于N-gram特征的网络恶意代码分析方法
基于N-gram特征的网络恶意代码分析方法网络恶意代码是指通过网络传播的恶意软件,如病毒、蠕虫、木马等。
为了对网络恶意代码进行分析和检测,可以使用N-gram特征进行特征提取和预测。
N-gram是一种将文本划分为连续的N个字母或词语的方法,常用于文本分析、自然语言处理和机器学习等领域。
基于N-gram特征的网络恶意代码分析方法将网络恶意代码看作一段文本,利用N-gram特征提取方法将其表示成一个向量。
具体步骤如下:1. 数据收集:收集网络恶意代码样本,并进行分类和标注,例如恶意软件家族、类型等。
2. 特征提取:将网络恶意代码样本转化成可用的特征向量。
首先将代码样本进行预处理,如去除空格、注释、调整代码格式等。
然后利用N-gram方法将代码划分成连续的N 个字符或词语,并统计每个N-gram出现的频次,构建特征向量。
3. 特征选择:由于N-gram特征向量维度较大,可能存在冗余或无用的特征,因此需要进行特征选择。
常用的方法有信息增益、卡方检验、互信息等。
4. 分类模型训练:利用已标注的网络恶意代码样本和选取的特征,使用机器学习算法(如支持向量机、决策树、朴素贝叶斯等)进行模型训练。
5. 恶意代码检测:将网络恶意代码样本输入已训练好的分类模型,进行恶意代码检测和分类。
对于新的网络恶意代码,可以提取其N-gram特征,并利用已训练好的模型进行预测。
基于N-gram特征的网络恶意代码分析方法的优点是可以对代码样本进行全面的特征提取,并能够捕捉到代码的结构和语义信息。
N-gram方法无需依赖特定的语法或语义规则,具有较强的普适性和灵活性。
N-gram特征提取会导致特征向量维度较高,可能出现维度灾难和计算复杂度较大的问题。
在实际应用中需要进行特征选择和优化,以提高模型的效果和性能。
基于N-gram特征的网络恶意代码分析方法可以有效地对网络恶意代码进行特征提取和分类,对于网络安全和恶意软件防御具有重要意义。
未来可以结合其他特征提取方法和深度学习等技术,进一步提高网络恶意代码分析的准确率和效果。
基于恶意代码传播日志的网络安全态势分析
Cyber Security Posture Analysis based on Spread Logs of Malware
WANG Qinqin1’2,ZHOU Hao3,YAN Hanbing1’3,MEI Rui1’2,HAN Zhihui3
1The 2nd Laboratory, Institute of Information Engineering, Chinese Academy o f Sciences, Beijing 100093, China 2School of Cyber Security, University o f Chinese Academy o f Sciences, Beijing 100049, China
3 国 家 计 算 机 网 络 应 急 技 术 处 理 协 调 中 心 北 京 中 国 100029
摘 要 网络安全态势一直是网络安全从业人员的关注点。本 文 基 于 2 0 1 8 年 1 0 月 至 2 0 1 9 年 3 月的我国恶意代码的传播日志,利 用恶意代码的静态特征、动态特征及其传播特征对网络态势进行分析。然后基于社区发现算法,对 其 中 传 播 最 广 泛 的M irai家 族程序构成的网络进行团伙发现,结果表明,社区发现算法能够将M irai网络识别为多个社区,社区间的域名资源具有明显的差 异性,社区内域名资源具有相似性。
3National Computer Network Emergency Response Technical Team/Coordination Center o f China (CNCERT/CC), Beijing 100029, China
网络恶意移动代码扩散模型综述
网络恶意移动代码扩散模型综述
陆丽华;罗鹏飞;李星;孙爱民
【期刊名称】《计算机应用》
【年(卷),期】2003(023)006
【摘要】对因特网中恶意移动代码进行数学建模是研究恶意移动代码的主要手段之一,也是保障网络安全的重要组成部分,目前已有的几种数学模型并不能很好地描述新一代复合型智能化的主动攻击型恶意移动代码传播特性,对这几种模型进行了描述和分析,并对未来可能出现的恶意移动代码的特性与数学模型的内容进行了预测.
【总页数】4页(P17-19,22)
【作者】陆丽华;罗鹏飞;李星;孙爱民
【作者单位】国防科技大学,电子科学与工程学院,湖南,长沙,410073;清华大学,信息网络工程研究中心,北京,100084;国防科技大学,电子科学与工程学院,湖南,长
沙,410073;清华大学,信息网络工程研究中心,北京,100084;新疆昌吉州信息网络管理中心,新疆,昌吉,831100
【正文语种】中文
【中图分类】TP393.08
【相关文献】
1.基于蜜罐技术的恶意移动代码扫描监测模型研究 [J], 王乐乐;邢颖
2.基于蜜罐技术的恶意移动代码扫描监测模型研究 [J], 王乐乐;邢颖
3.基于Bass模型的品牌扩散模型研究综述 [J], 丁士海;韩之俊
4.基于生成对抗网络的恶意软件对抗样本生成综述 [J], 王树伟; 周刚; 巨星海; 陈靖元
5.基于网络流量和恶意行为关联的僵尸网络检测模型 [J], 田腾浩
因版权原因,仅展示原文概要,查看原文内容请购买。
基于网络的恶意代码检测技术
基于网络的恶意代码检测技术
吴冰;云晓春;高琪
【期刊名称】《通信学报》
【年(卷),期】2007(28)11
【摘要】通过对传统分布式IDS的分析,指出基于详细协议分析的多引擎小规则集的系统结构用于网络级恶意代码检测的缺陷,设计了单引擎大特征集的网络级恶意代码检测模型及恶意代码特征描述语言;分析了网络数据流的特征,通过对特征串进行优化的方法,避免特征串后缀与数据流的频繁碰撞及链表分支不平衡的问题,大幅度提高了WM算法检测网络恶意代码的效率.
【总页数】5页(P87-91)
【作者】吴冰;云晓春;高琪
【作者单位】哈尔滨工业大学,计算机网络与信息安全技术研究中心,黑龙江,哈尔滨,150001;中国科学院,计算技术研究所,北京,100080;哈尔滨工业大学,计算机网络与信息安全技术研究中心,黑龙江,哈尔滨,150001
【正文语种】中文
【中图分类】TN393.08
【相关文献】
1.基于P2P的网络恶意代码检测技术研究 [J], 辛毅;方滨兴;云晓春;胡振宇
2.基于网络的恶意代码检测技术探析 [J], 张显明
3.动静结合的网络恶意代码检测技术研究 [J], 邓兆琨;陆余良;黄钊
4.基于改进卷积神经网络的恶意代码检测技术 [J], 唐永旺; 王刚; 魏晗
5.基于One-Hot的CNN恶意代码检测技术 [J], 傅依娴; 芦天亮; 马泽良
因版权原因,仅展示原文概要,查看原文内容请购买。
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
I. J. Computer Network and Information Security, 2013, 10, 17-23Published Online August 2013 in MECS (/)DOI: 10.5815/ijcnis.2013.10.03Dynamic Model on the Transmission of Malicious Codes in NetworkBimal Kumar Mishra, Apeksha PrajapatiDepartment of Applied Mathematics, Birla Institute of Technology, Mesra, Ranchi-835215, Indiadrbimalmishra@, prajapatiapeksha@Abstract — This paper introduces differential susceptible e-epidemic model SS ii II II (susceptible class-1 for virus (S1) - susceptible class-2 for worms (S2) -susceptible class-3 for Trojan horse (S3) – infectious (I) – recovered (R)) for the transmission of malicious codes in a computer network. We derive the formula for reproduction number (R0) to study the spread of malicious codes in computer network. We show that the Infectious free equilibrium is globally asymptotically stable and endemic equilibrium is locally asymptotically sable when reproduction number is less than one. Also an analysis has been made on the effect of antivirus software in the infectious nodes. Numerical methods are employed to solve and simulate the system of equations developed.Index Terms — Computer network; Worms; Virus; Trojan horse; Epidemic Model; Reproduction number; Global stabilityI. INTRODUCTIONThis is the world of internet services and internet users are increasing exponentially. Computer systems now contain millions of records relating to commerce, healthcare, banking, defense and personal information. All this information is at risk of either being misused for fraudulent purposes or modified for malicious reasons. Malicious software, or malware, on the Internet can cause serious problems, not only for services like email and the web, but for electricity, transport and healthcare services due to their increasing Internet dependence. One of the serious threats to the Internet and Computer network is malware attack.Malicious code is any code added, changed, or removed from a software system in order to intentionally harm the system. Though the problem of malicious code has a long history, a number of recent, widely publicized attacks and certain economic trends suggest that malicious code is rapidly becoming a critical problem for industry, government, and individuals. Traditional examples of malicious code include viruses, worms and Trojan Horses. In these days networking is widespread, malicious code mostly use the sneaker net to spread over the network.One of the various ways in which computer systems canbe compromised is by deploying computer virus/worms.There have been instances in the past where virus/worms have virtually brought the Internet to a grinding. Currently, e-mail is one of the main sources for transmission of virus, worms and Trojans.A computer virus attaches itself to a program or file enabling it to spread from one computer to another, leaving infections as it travels. A computer virus can damage hardware, software or files of the systems. Computer viruses have been around from the days of DOS and even earlier, but after the 1990s, they became a potent threat due to the popularity of the internet and removable media. Some reported Viruses are I Love You, Logic Bomb and Melissa.I Love You(2000) - "I Love You" virus is a computer virus that successfully attacked tens of millions of computers in 2000 when it was sent as an attachment to a user with the text "ILOVEYOU" in the subject line.A computer worm is a code that infects computer system and is able to spread functional copies of it without depending on other codes. Worms spread from computer to computer, but unlike a virus, it has the capability to transmit without any human intervention. Due to the copying nature of a worm and its capability to travel across network the end result in most cases is that the worm consumes too much system memory, causing web servers, network servers and individual computers to stop responding. Some reported worms are Code Red, Slammer.Code Red (2001) - Code Red was a computer worm observed on the Internet on July 13, 2001. It attacked computers running Microsoft's IIS web server. Although the worm had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.Slammer(2003)- Slammer worm caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. This fast-moving worm managed to temporarily bring much of the Internet to its knees in January 2003.It spread rapidly, infecting mostof its 75,000 victims within ten minutes.A Trojan horse is a program that secretly performs its operation under the guise of a legitimate program. The Trojan horse at first glance will appear to be useful18Dynamic Model on the Transmission of Malicious Codes in Networksoftware but will actually damage once installed or run on the computer. When a Trojan is activated on the computer the results can vary. Some Trojans are designed to be be more annoying than virus and worms as they can cause serious damage by deleting files and destroying information on system. Trojans are also known to create a backdoor on computer that gives malicious users access to system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Some reported Trojan horses are remote access Trojans (RATs), backdoor Trojans (backdoors) Distributed Denial of Service Attack Trojan horseDistributed Denial of Service Attack Trojan horse- A lot of computers can be tricked into installing the Distributed Denial of Service Trojan so that the hacker can gain control over one, several or all computers through a client that is connected with a master server. Using the primary computer within one huge zombie network of machines, hackers are able to sent attacks at particular targets, including companies and websites. They simply flood the target server with traffic, thus making it impossible for simple users to access certain websites or systems. Often these attacks are used to stop the activity of famous brands that could handle different financial demands.The distribution of Malware attack is depicted in Fig.1 [1].Figure 1: The distribution of malicious attack in March 2011 Transmissions of virus, worms and Trojans in computer network are similar to biological infectious diseases and are epidemic in nature. One of the most basic procedures in the modeling of diseases is to use a compartmental model, in which the population is divided into different groups. The dynamics of the model are governed by the system of differential equations. The similarity between the spread of a biological virus and computer virus propagation encourages researchers to apply an epidemic model to the network environment.Today, people rely on computers to create, store and manage critical information. Information transmitted over networks has a higher degree of security risk. Thus, it is crucial to protect the computers and data from loss,damage and misuse. Antivirus programs are an effectiveway to protect a computer against virus, worms and Trojans. An antivirus program protects a computeragainst malicious codes (virus, worms and Trojans) byidentifying and removing them when found in memory, storage media or in any incoming files. One techniquethat antivirus programs use to identify a virus is to lookfor virus signatures or virus definitions, which are known specific patterns of virus codes. Most commercial anti-virus products make use of a black listing strategy. Theyrely on databases of virus signatures that are consulted when a new program arrives. Anti-virus tools scan disksand sometimes e-mail looking for known viruses.Updating the antivirus program’s signature files regularly is important as it will download any new virus definitionsthat have been added since the last update. In this paperwe have critically analyzed the effect of antivirus in our model that is; an analysis has been made to study thedynamic behavior of the system with and withoutantivirus installed in the nodes.The subsequent content of this paper is organized asfollows: Section 2 describes related works. Section 3introduces S i IR model,its variable and parameters. Section 4 describes equilibrium points, basicreproduction number and global stability of theinfectious-free equilibrium point. Section 5, finally summarizes the work with simulated results.II. RELA TED WORKSThe strong desire to understand the spread mechanism of malicious codes has motivated the proposal of a variety of epidemic models that are based on fully connected networks, that is, networks where each computer is equally likely to be accessed by any other computer. Transmissions of virus, worms and Trojans in computer network are similar to biological infectious diseases and are epidemic in nature. The similarity between the spread of a biological virus and computer virus propagation encourages researchers to apply an epidemic model to the network environment. One of the most basic procedures in the modeling of diseases is to use a compartmental model, in which the population is divided into different groups. The dynamics of the model are governed by the system of differential equations. Previous work in this direction was focused mainly on the theoretical study of complex dynamical properties of the models, such as the global stability of equilibriums, the emergence of periodic solutions, and the occurrence of chaotic phenomena.Mathematical epidemiology seems to have grown exponentially starting in the middle of the 20th century (the first edition in 1957 of Bailey’s book [2] is an important landmark). Kermack and McKendrick developed the classical epidemic models and obtained the epidemic threshold to show that the density of susceptible class must exceed a critical value in order to take place an epidemic outbreak [3], [4], [5]. As the attack of maliciouscodes in computer network is epidemic in nature, researchers used the classical epidemic model of Kermack and McKendrick to develop e-epidemic models on the transmission of malicious objects in computer network and their immune system [6], [7], [8], [9]. In recent years, more attention has been paid on the research of virus and worm propagation model and antivirus countermeasures to study the dominance of virus and worms, depending on the network parameters [10], [11], [12]. McCluskey studied on the SIR model with delay and proved the global asymptotically stability of the SIR model [13]. Mishra-et-al performed an analysis on SEIRS (Susceptible-Exposed-Infected-Recovered) and SEIQRS (Susceptible-Exposed-Infected-Quarantine-Recovered-Susceptible) dynamical system by considering variable parameters, fuzzy epidemics, differential epidemics and analyzed the stability of the disease free equilibrium points to have a better understanding to avoid infections in a computer network [14], [15], [16], [17]. Piqueira-et-al used the epidemiological models to describe the analogy between disease propagation and virus propagation [18], [19].III. MODEL FORMULATIONAccording to the modeling methodology, an important part of the model formulation process is to clearly identify the assumptions made in the model while abstracting from the real world situation to the mathematical model.The basic assumptions of our model are as follows: •The entire population can be divided into five states namely susceptible class-1, susceptible class-2,susceptible class-3, Infectious class and Recoveredclass based on their epidemiological status.•Every new node added to the network is initially susceptible and few of them are infected.•The active population includes all the nodes.•The rate at which new nodes are added to the network and the existing ones which die due to non-infection reason are assumed to be constants.•All the model parameters are positive constants. •The per capita contact rate is independent of the total population size.•All interactions are homogeneously occurring.Another important demand of the modeling methodology is to identify and describe the different variables and parameters used in the model formulation process.The model starts with some basic notation:•S1(t) represents the number of susceptible nodes due to virus at time t.•S2(t) represents the number of susceptible nodes due to worms at time t.•S3(t) represents the number of susceptible nodes due to Trojans at time t. •I(t) represents the number of infectious nodes at time t.•R(t) represents the number of recovered nodes at time t.•N(t) represents the total number of nodes at time t. The parameters used in the model are as follows:• b is the constant rate at which new nodes are added to the network.• d denotes the death rate of nodes due to natural or non- infectious reason.•β denotes the infectivity contact rate .•µ is the recovery rate.•δ is the death rate due to attack of mal icious codes ( virus, worms and Trojans ).•θ is the rate of vertical transmission.•p i is the probability of recruiting nodes from b number of nodes for i th susceptible class and ∑p i=1i=3i=1 so that the input flow into i th susceptible class is bp i ( i = 1, 2, 3).An e-epidemic S i IR (susceptible class-1, susceptible class-2, susceptible class-3, infectious class and recovered class) model illustrates the dynamics of direct transmission of virus, worms and Trojans in the computer network. The newborn susceptible can be distributed into three susceptible groups namely, SS1,SS2 and SS3 based on their inherent susceptibility. We assume that, there is a vital dynamics and the population has homogeneous spatial distribution and the mixing of nodes follow the law of mass action. The local density of the total population is assumed to be constant throughout the total population. The total population size is N, that is,NN= SS ii +II+II (ii=1,2,3 ) may vary with time.The flow of virus, worms and Trojans in computer network is depicted in Fig 2.Figure 2: The flow of virus, worms and Trojans in computernetworkOur main interest is to investigate transmission dynamics of virus, worms and Trojan horse. Based on our assumptions in the computer network, the transmission dynamics consists of the following system of ordinary differential equations:ddSS ii dddd=θθpp ii−βS i I−dS iddII dddd=βII�SS ii ii=3ii=1−(d+µ+δ−θb )IddII dddd= µI−dd R ⎭⎪⎪⎬⎪⎪⎫ (1)Thus,ddNN dddd= b−dN−(δ−θb )IIn the absence of the attack of virus, worms and Trojan the population size of the node N approaches to b/d. The differential equation for N implies that the solution of (1) starting in the II+5 either approaches, enters or remains in the subsetG = {(S1,S2,S3,I,R)/ S1≥ 0, S2≥0, S3≥ 0,I ≥ 0, R ≥0, S1 +S2 +S3 +I+R≤θθ/dd}.This implies that the solution in the region G and the equations defined by (1) exists and are unique on maximal interval. Since the solution remains bounded in the positive invariant region G, the maximal interval is[0,∞). Thus initial value problem is well posed both mathematically and epidemiologically.IV. EQUILIBRIUM POINTS A ND BASICREPRODUCTION NUMBEREquilibrium points are the points where the variables do not change with time. In order to know about the evolution of infected nodes, that is, the number of infected nodes increases indefinitely or not, we study the stability of equilibrium points.A. Equilibrium pointsFor equilibrium points we have,ddSS ii dddd=0 (i = 1, 2, 3); ddII dddd=0;ddII dddd=0We get,Infectious free equilibrium EE0=�θθpp1dd,θθpp2dd,θθpp3dd,0� and Endemic equilibriumEE∗=�(dd+μμ+δδ−θθθθ)pp1ββ,(dd+μμ+δδ−θθθθ)pp2ββ,(dd+μμ+δδ−θθθθ)pp3ββ,ββθθ−(dd+μμ+δδ−θθθθ)ddββ(dd+μμ+δδ−θθθθ)� .B. Basic Reproduction number and global stabilityAn important part of modeling trans mission of virus, worms and Trojans is the Basic Reproduction number, denoted by R0. The Basic Reproduction number also helps us predict who will not become infected at all. System (1) has an infectious-free equilibrium in which the component of infective is zero and other susceptible components are positive. This denotes infectious-free equilibrium by EE0 = (S1, S2, S3, I = 0). Analyzing the local stability of EE0 gives the epidemic threshold conditions under which the number of infected individuals will either increase or decrease to zero when a small number of infectious nodes are introduced into a fully susceptible population. These threshold conditions are characterized by the reproduction number, denoted by R0.Eliminating R, system (1) reduces toddSS ii=θθpp ii−βS i I−dS iddII dddd=βII�SS ii ii=3ii=1−(d+µ+δ−θb )I⎭⎪⎬⎪⎫ (2)We derive a formula for the reproduction number R0 by investigating the local stability of EE0.The Jacobian of (2) at EE0 has the formJ = �−dd 00 −dd0 00 00 00 0−dd 00−(dd+μμ+δδ−θθθθ)+ββθθ/dd�All the Eigen values of J have negative real part if and only if −(dd+μμ+δδ−θθθθ)+ββθθdd< 0So we assume, II0=ββθθdd(dd+μμ+δδ−θθθθ)Theorem 1: The attack-free equilibrium is globally asymptotically stable if R0 < 1.Proof. From first equation of (2), we haveddSS ii dddd≤θθpp ii−ddSS iiddSS ii dddd≤dd�θθpp ii dd−SS ii�Or, SS ii(dd)≤θθpp ii dd−(θθpp ii dd−SS ii(0))ee−dddd∀dd≥0 in the set G.Now from second equation of (2) we have,ddII(dd)dddd=ββII�SS ii ii=3ii=1−(dd+δδ+μμ−θθθθ)IIII(dd)=II(0)EEddpp{ββ�SS ii ii=3ii=1−(dd+δδ+μμ−θθθθ)}Or, II(dd)=II(0)EEddpp(II0−1)EEddpp(dd+δδ+μμ−θθθθ) Hence, II(dd)→0 as dd→∞ for II0<1 in the set GG. To prove the global asymptotic stability of EE0 in G we only need to show that (pp1θθdd,pp2θθdd,pp3θθdd,0) is globally asymptotically stable in ΩΩ={SS ii≥0,II=0,ii=1,2,3}. The first equation of (2) in ΩΩ reduces toddSS ii dddd≤θθpp ii−ddSS ii ; ii=1,2,3.Or, θθpp ii ii−ddddOr, SS ii (dd )=θθpp ii dd−{θθpp ii dd−SS ii (0)}ee −ddddSS ii (dd )→θθpp ii ddaaaa dd →∞ , ∀ ii =1,2,3.Theorem 2: The system (2) has a unique endemic equilibrium, if and only if, II 0>1 and the endemic equilibrium is locally asymptotically stable. Proof. From the first equation of (2).θθpp ii − βS i I −dS i =0(3)βII �SS ii ii =3ii =1−(d +µ+δ−θb )I =0I = 0 or ∑pp ii βI+d ii =3ii =1−(d+µ+δ−θb )βb=0 (4)Hence there exists an endemic equilibrium, if and only if, there exists a positive solution I to (4)Let, FF (II )=∑pp iiβI+d ii =3ii =1−(d+µ+δ−θb )βbFF ′(II )=−�ββpp ii()2ii =3ii =1<0Hence FF (II ) is decreasing functionlim II→∞FF (II )=−dd +μμ+δδ−θθθθβb<0When, dd +μμ+δδ>θθθθThen there exists a unique positive solution ofFF (II ) = 0 ; ii ii ii FF (0) > 0FF (0)=�pp ii dd ii =3ii =1−dd +μμ+δδ−θθθθOr, FF (0)=1ddII 0(II 0−1)There exists a unique endemic equilibrium points if and only if II 0>1.The Jacobian of (2) at EE ∗ has the formJ= �−dd 00−dd0 −ββθθpp 1/dd 0 −ββθθpp 2/dd 0 00 0 −dd−ββθθpp 3/dd0 −(dd +μμ+δδ−θθθθ)+ββθθ/dd�All the Eigen values of J have negative real part. Hence, EE ∗ is locally asymptotically stable.V. CONCLUSIONInspired by the biological compartmental models, an e- S i IR ( i=1, 2, 3) e-epidemic model for the transmission and control of virus, worms and Trojans in computer network is developed. The initial parameter values (Table1) were chosen to suit a real malware attack scenario. Runge-Kutta Fehlberg method of order 4 and 5 were employed to solve and simulate the system of equations (1).The behavior of the system with and without the run of antivirus software can be observed from Fig. 3 and Fig. 4 respectively. Comparisons can lead to a better understanding, so from Fig. 5 we observe the behavior of the infectious class of the system with and without antivirus software. In the system without anti-virus the number of infected nodes are high and the infection persist for a long period but the system having updated anti-virus software recovers faster and has less number of infected nodes. Fig. 6 shows that the recovery of the system is very high when we use anti-virus software. From Fig. 7 we observe the behavior of the Infectious class versus Recovered class in the system with anti-virus software. The crashing of nodes due to the attack are very less and the recovery of the nodes are high in the system (approx 88%) having antivirus software which can be clearly observed from Fig. 7.This shows the strength of our model. The simulation results, supported by the theoretical approach showed that all malicious codes were able to pervade if the reproduction number is less than one.Figure 3: Dynamical behavior of the system with anti-virussoftware (μμ=0.15)Figure 4: Dynamical behavior of the system without anti-virussoftware (μ=0)TIME IN MINUTESP O P U L A T I O N C L A S S S 1,S 2,S 3,I A N D RTIME IN MINUTESP O P U L A T I O N C L A S S S 1,S 2,S 3 A N D IFigure 5: Behavior of the infectious class versus time with andwithout antivirus software (μ=0.15,μ=0 )Figure 6: Behavior of the recovered class versus time with and without antivirus software (μ=0.15,μ=0)Figure 7: Recovered class versus Infectious class with anti-virus software TABLE I. P ARAMETRIC VALUES USED TO SIMULATE THESYSTEMREFERENCES[1] /wiki/File:Malware_statics_2011-03-16-en.svg#file . [2] N. T. J. Bailey, “The Mathematical Theory ofInfectious Diseases”, second ed., Hafner, New York, 1975. [3] W. O. Kermack, A. G. Mckendrick, “A contribution to the mathematical theory of epidemics”, Proc. Roy. Soc. Lond. Series- A, vol. 11, pp. 700– 721, 1927. [4] W. O. Kermack, A.G. McKendrick, “Contributions of mathematical theory to epidemics”, Proc. R. Soc. Lon. Series- A, vol. 138, pp. 55– 83, 1932. [5] W.O. Kermack, A.G. McKendrick, “Contributions of mathematical theory to epidemics”, Proc. R. Soc.Lon. Series-A, vol. 141, pp. 94– 122, 1933.[6] J.O. Kephart, S.R.White, D.M. Chess, “Comput. andEpidemio” IEEE Spectrum, pp. 20 – 26, 1933.[7] J.O. Kephart, “A biologically inspired immunesystem for computers”, Proceedings of InternationalJoint Conference on Artificial Intelligence, 1995.[8] N. Madar, T. Kalisky, R. Cohen, D. Ben Avraham, S.Havlin, “Immunization and epidemic dynamics in complex networks”, Eur. Phys. J. B, vol. 38, pp. 269– 276, 2004.[9] R. Pastor-Satorras, A. Vespignani, “Epidemics and immunization in scale-free networks”, Handbook of Graphs and network, From the Genome to the Internet, Willey-VCH, Berlin, 2002. [10] M.E.J. Newman, S. Forrest, J. Balthrop, “Email networks and the spread of computer virus”, Phys. Rev. E, vol. 66, pp. 035101-1-035101-4, 2002.[11] C.C. Zou and W. Gong, D. Towsley, “Wormpropagation modeling and analysis under dynamic quarantine defense”, Proceeding of the ACM CCS Workshop on Rapid Malcode, ACM, pp. 51 – 60,2003.[12] M.J. Keeling and K.T.D. Eames, “Network and epidemic models”, J. Roy. Soc. Interf., vol. 2, no. 4, pp. 295 – 307, 2005. [13] C.C McCluskey “Global stability for an epidemic model with delay and nonlinear incidence”, Nolinear Analysis, Real World Application., vol. 11, pp. 3106– 3109, 2010.TIME IN MINUTES I N F E C T I O U S C L A S STIME IN MINUTES R E C O V E R E D C L A S S050100150200250Infected nodes R e c o v e r e d n o d e s[14]Bimal Kumar Mishra and Gholam Mursalin Ansari,“Differential epidemic model of virus and worms incomputer network”, Int .J. of Net. Sec., vol. 14, no. 3,pp. 149-155, 2012.[15]Bimal Kumar Mishra and Dinesh Saini,“Mathematical models on computer viruse s”,Appl.Math. and Comput., vol. 187, no. 2, pp. 929– 936,2007.[16]Bimal Kumar Mishra and Navnit Jha, “SEIQRSmodel for the transmission of malicious objects incomputer network”, App. Math. Modelling, Vol. 34,no. 3, pp. 710– 715, 2010.[17]Bimal Kumar Mishra and Samir Kumar Pandey,“Fuzzy epidemic model for the transmission of worms in Computer network”, Nonlinear Analysis,Real World Application, vol. 11, pp. 4335– 4341,2010.[18]J. R. C Piqueira and V. O. Araujo, “A modifiedepidemiological model for computer viruses”, Appl.Math and Comput., vol. 213, no. 2, pp. 355– 360,2009.[19]J.R.C Piqueira, B.F. Navarro, L.H.A., “Monteiro,Epidemiological models applied to virus in computernetwork”,put. Sci., vol. 1, no. 1, pp. 31–34,2005.Bimal Kumar Mishra, born in 1969. Professor and Ph.D. supervisor in BIT Mesra, Ranchi. His main research interests include: Mathematical models on Cyber attack, defense and crime; Infectious disease; Nonlinear dynamics.Apeksha Prajapati, born in 1985. Ph. D. candidate in BIT Mesra,Ranchi. Her main research interests include Mathematical model on Cyber War, Cyber attack and its defense mechanism.。