CN110191126B - Nonlinear dynamics P2P network worm propagation prediction method - Google Patents


Info

Publication number
CN110191126B
Authority
CN
China
Prior art keywords
host
hosts
susceptible
infected
online
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910462514.1A
Other languages
Chinese (zh)
Other versions
CN110191126A (en)
Inventor
刘小洋
刘加苗
唐婷
何道兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing Beite Computer System Engineering Co ltd
Original Assignee
Chongqing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University of Technology
Priority to CN201910462514.1A
Publication of CN110191126A
Application granted
Publication of CN110191126B
Active legal status (current)
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/145: Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a nonlinear dynamics P2P network worm propagation prediction method, which comprises the following steps: S1, acquiring the number of hosts in each state produced by the worm on the network at the initial moment and the number of hosts in each state after time t; S2, calculating the change rate of the hosts in each state from the acquired data; and S3, judging the worm propagation condition by comparing the calculated data against a judgment threshold. The invention can predict whether a network worm will flood the network, so that a defense strategy can be made in time.

Description

Nonlinear dynamics P2P network worm propagation prediction method
Technical Field
The invention relates to the technical field of worm propagation, in particular to a nonlinear dynamics P2P network worm propagation prediction method.
Background
With the development of the internet, resource sharing has become one of its cornerstones, and networks built on the basic client/server (C/S) structure can no longer meet users' requirements, which led to the appearance of peer-to-peer (P2P) networks. Peer-to-peer networks solve the central-server bottleneck well, but they bring new problems. Because a P2P network is a peer-to-peer architecture, each host in it may act as a server. Computer viruses have long been a problem on the internet, and a worm is a virus that is extremely contagious. A worm attack generally proceeds through information collection, vulnerability detection, triggering of the virus, and execution of the virus's code. A P2P network is built by requiring each user to install the corresponding P2P user software, and the software within one P2P network must be the same for hosts to access the network. If the P2P user software has a vulnerability, and a malicious user (attacker) finds it and writes a corresponding exploit (a P2P worm virus), the whole peer-to-peer network is in a very dangerous situation and can be attacked and paralyzed in a short time. Another propagation strategy is based on social engineering: the code of a worm virus is embedded in a normal file, and the worm is activated and starts to propagate when a certain condition is met. The spread of worm viruses over the internet can be more harmful than the spread over the P2P network. When a P2P worm spreads, it does not need to do what other worm viruses on the Internet do: first scan targets to judge whether the target host's IP exists, then probe for the vulnerability, and, if the vulnerability exists, use it to infect the host and prepare the next round of spreading.
A P2P worm virus spreads very fast: the users of a P2P network are all real hosts, so the worm does not need to judge whether the target host's IP exists. A P2P worm virus has a high propagation success rate: each attack connects to an effective address, so the attack connection success rate is high. On the Internet the proportion of effective addresses is much lower, because many attack targets do not exist or are powered off. Attacks by a P2P worm virus are difficult to detect. A worm on the Internet generally has to carry out a large amount of target detection scanning, so its presence on a host can be detected from the host's abnormal connection requests. A P2P worm virus does not need target detection scanning and does not trigger abnormal-connection detection, so its attacks are difficult to detect. In practice, by analyzing only the connection requests of a host, it is to some extent difficult to distinguish the connection requests of a worm attack from those of normal file downloads and uploads.
The authors (attackers) of P2P worm viruses have different purposes, so different P2P worm viruses have different effects after an attack. A propagating worm virus can build a botnet that uses the hosts' bandwidth to carry out DDoS attacks. Secondly, because of the current prevalence of virtual currency, many worm viruses carry a "mining" program that illegally uses the resources of other people's computers for computation. There are other purposes as well, such as stealing personal information, click hijacking, and spam.
The harmfulness and destructiveness of P2P network worms are therefore great, and in order to protect the security of host users in a P2P network, the spread of P2P worm viruses must be restrained. A correct and reasonable propagation model is thus necessary to describe the propagation process of a P2P worm, so that the weaknesses of P2P worm propagation can be exposed, the possible threat can be predicted, and a defense strategy can be made in time.
Disclosure of Invention
The invention aims to at least solve the technical problems in the prior art, and particularly provides a nonlinear dynamics P2P network worm propagation prediction method.
In order to achieve the above object, the present invention provides a method for predicting worm propagation in a nonlinear dynamics P2P network, comprising the following steps:
S1, acquiring the number of hosts in each state produced by the worm on the network at the initial moment and the number of hosts in each state after time t;
S2, calculating the change rate of the hosts in each state from the acquired data;
and S3, judging the worm propagation condition by comparing the calculated data against a judgment threshold.
In a preferred embodiment of the present invention, the different state hosts include one or any combination of an offline infection-prone host, an online infection-prone host, a latent host, an online infected host, and an offline infected host.
In a preferred embodiment of the present invention, the change rate of the host in different states includes one or any combination of a change rate of an online susceptible host, a change rate of a latent host, a change rate of an offline susceptible host, a change rate of an online infected host, and a change rate of an offline infected host.
In a preferred embodiment of the present invention, the method for calculating the change rate of the online susceptible host comprises:
Figure BDA0002078476050000021
wherein:
α denotes the probability of an infected host downloading a file from the infected host;
μ_d represents the probability of the susceptible host downloading the file;
S_on(t) represents the number of online susceptible hosts at time t;
I_on(t) represents the number of online infected hosts at time t;
E(t) represents the number of latent hosts at time t;
β denotes the probability of an infected host downloading a file from a susceptible host;
ε_on indicates the host online rate;
S_off(t) represents the number of offline susceptible hosts at time t;
ε_off indicates the host offline rate;
μ_rn indicates the probability of an infected host reverting to a susceptible host in the online case.
In a preferred embodiment of the present invention, the method for calculating the rate of change of the latent host comprises:
Figure BDA0002078476050000022
wherein:
α denotes the probability of an infected host downloading a file from the infected host;
μ_d represents the probability of the susceptible host downloading the file;
S_on(t) represents the number of online susceptible hosts at time t;
I_on(t) represents the number of online infected hosts at time t;
E(t) represents the number of latent hosts at time t;
β denotes the probability of an infected host downloading a file from a susceptible host;
μ_if represents the probability that the worm virus file is activated to an offline susceptible host;
μ_in represents the probability that the worm virus file is activated to an online susceptible host.
In a preferred embodiment of the present invention, the method for calculating the change rate of the offline susceptible host comprises:
Figure BDA0002078476050000031
ε_off indicates the host offline rate;
S_on(t) represents the number of online susceptible hosts at time t;
ε_on indicates the host online rate;
S_off(t) represents the number of offline susceptible hosts at time t;
μ_rf indicates the probability that an infected host recovers to a susceptible host in the offline case;
I_off(t) represents the number of offline infected hosts at time t.
In a preferred embodiment of the present invention, the calculation method of the change rate of the online infected host is as follows:
Figure BDA0002078476050000032
wherein:
μ_in represents the probability that the worm virus file is activated to an online susceptible host;
E(t) represents the number of latent hosts at time t;
ε_on indicates the host online rate;
I_off(t) represents the number of offline infected hosts at time t;
ε_off indicates the host offline rate;
I_on(t) represents the number of online infected hosts at time t;
μ_rn indicates the probability of an infected host reverting to a susceptible host in the online case.
In a preferred embodiment of the present invention, the calculation method of the rate of change of the host infected offline is as follows:
Figure BDA0002078476050000033
wherein:
μ_if represents the probability that the worm virus file is activated to an offline susceptible host;
E(t) represents the number of latent hosts at time t;
ε_off indicates the host offline rate;
I_on(t) represents the number of online infected hosts at time t;
ε_on indicates the host online rate;
I_off(t) represents the number of offline infected hosts at time t;
μ_rf indicates the probability of an infected host recovering to a susceptible host in the offline case.
In a preferred embodiment of the present invention, the method for judging the worm propagation condition by the judgment threshold comprises:
determining the magnitude of
Figure BDA0002078476050000041
relative to 1:
wherein:
μ_d represents the probability of the susceptible host downloading the file;
α denotes the probability of an infected host downloading a file from the infected host;
β denotes the probability of an infected host downloading a file from a susceptible host;
ε_on indicates the host online rate;
μ_if indicates a host offline rate;
μ_in represents the probability that the worm virus file is activated to an online susceptible host;
μ_rf indicates the probability that an infected host recovers to a susceptible host in the offline case;
μ_rn represents the probability of an infected host recovering to a susceptible host in the online case;
ε_off indicates the host offline rate;
if
Figure BDA0002078476050000042
the worm will not flood the network;
otherwise, the worm may flood the network.
In a preferred embodiment of the present invention, the change rate of the online susceptible host is calculated through the following steps:
S101, at time t, when a susceptible host requests a file download from other hosts of the P2P network, the probability of selecting an infected host as the file download source is
Figure BDA0002078476050000043
and the probability of downloading a file from an infected host is μ_d; therefore, the probability that a susceptible host comes to carry worm virus files through downloading is
Figure BDA0002078476050000044
In one unit time, the S_on(t) online susceptible hosts perform μ_d S_on(t) downloads, so in one unit time a total of
Figure BDA0002078476050000045
susceptible hosts become latent hosts because they downloaded files carrying the worm virus;
S102, when an infected host requests a file, the probability that any given host is selected as the host uploading the file is
Figure BDA0002078476050000046
and, correspondingly, the probability that the host is not selected is
Figure BDA0002078476050000047
At time t, the number of susceptible hosts I_on(t) together execute the download task μ_d I_on(t) times; then the probability that one host is not selected as the uploading host at a time is
Figure BDA0002078476050000048
Thus the probability that one host is selected is
Figure BDA0002078476050000049
Therefore, the probability that one susceptible host carries the virus because an infected host uploads files is
Figure BDA00020784760500000410
and the number of hosts that become latent, carrying virus files, in one unit time is
Figure BDA00020784760500000411
S103, some online susceptible hosts become offline susceptible hosts by going offline; their number is ε_off S_on;
S104, some offline hosts become online hosts because they need to transfer files; their number is ε_on S_off;
S105, in addition, online infected hosts whose virus is removed return to the online susceptible state; the number of recovered hosts is μ_rn I_on.
In conclusion, by adopting the technical scheme, the invention can predict the network worm flooding propagation condition and timely make a defense strategy.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a schematic compartment diagram of the P2P worm propagation model of the present invention.
FIG. 2 is a schematic compartment diagram of the P2P worm immunization model of the present invention.
FIG. 3 is a diagram illustrating the variation of the number of hosts in each compartment of the worm propagation model of the present invention.
FIG. 4 is a graph illustrating the effect of download rate on virus propagation according to the present invention.
FIG. 5 is a diagram illustrating the influence of the probability of the susceptible host being the downloading end according to the present invention.
FIG. 6 is a diagram illustrating the effect of the infected host being the downloading end according to the present invention.
FIG. 7 is a graph illustrating the impact of the probability of the worm being activated online according to the present invention.
FIG. 8 is a graph showing the effect of the online recovery rate of worms according to the present invention.
FIG. 9 is a schematic diagram illustrating the effect of the initial number of online infected hosts on worm propagation according to the present invention.
FIG. 10 is a graph illustrating the effect of the host online rate on online infected hosts according to the present invention.
FIG. 11 is a graph showing the number of hosts in each compartment of the immune model of the present invention.
FIG. 12 is a schematic diagram of the effect of the immune rate μ_smn of the present invention on infected hosts.
FIG. 13 is a schematic diagram of the effect of the immune rate μ_imn of the present invention on online susceptible hosts.
FIG. 14 is a schematic diagram of the effect of the immune rate μ_smn of the present invention on latent hosts.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention.
The invention provides a nonlinear dynamics P2P network worm propagation prediction method, which comprises the following steps:
S1, acquiring the number of hosts in each state produced by the worm on the network at the initial moment and the number of hosts in each state after time t;
S2, calculating the change rate of the hosts in each state from the acquired data;
and S3, judging the worm propagation condition by comparing the calculated data against a judgment threshold.
In a preferred embodiment of the present invention, the different state hosts include one or any combination of an offline infection-prone host, an online infection-prone host, a latent host, an online infected host, and an offline infected host.
In a preferred embodiment of the present invention, the change rate of the host in different states includes one or any combination of a change rate of an online susceptible host, a change rate of a latent host, a change rate of an offline susceptible host, a change rate of an online infected host, and a change rate of an offline infected host.
In a preferred embodiment of the present invention, the method for calculating the change rate of the online susceptible host comprises:
Figure BDA0002078476050000061
wherein:
α denotes the probability of an infected host downloading a file from the infected host;
μ_d represents the probability of the susceptible host downloading the file;
S_on(t) represents the number of online susceptible hosts at time t;
I_on(t) represents the number of online infected hosts at time t;
E(t) represents the number of latent hosts at time t;
β denotes the probability of an infected host downloading a file from a susceptible host;
ε_on indicates the host online rate;
S_off(t) represents the number of offline susceptible hosts at time t;
ε_off indicates the host offline rate;
μ_rn indicates the probability of an infected host reverting to a susceptible host in the online case.
In a preferred embodiment of the present invention, the method for calculating the rate of change of the latent host comprises:
Figure BDA0002078476050000062
wherein:
α denotes the probability of an infected host downloading a file from the infected host;
μ_d represents the probability of the susceptible host downloading the file;
S_on(t) represents the number of online susceptible hosts at time t;
I_on(t) represents the number of online infected hosts at time t;
E(t) represents the number of latent hosts at time t;
β denotes the probability of an infected host downloading a file from a susceptible host;
μ_if represents the probability that the worm virus file is activated to an offline susceptible host;
μ_in represents the probability that the worm virus file is activated to an online susceptible host.
In a preferred embodiment of the present invention, the method for calculating the change rate of the offline susceptible host comprises:
Figure BDA0002078476050000063
ε_off indicates the host offline rate;
S_on(t) represents the number of online susceptible hosts at time t;
ε_on indicates the host online rate;
S_off(t) represents the number of offline susceptible hosts at time t;
μ_rf indicates the probability that an infected host recovers to a susceptible host in the offline case;
I_off(t) represents the number of offline infected hosts at time t.
In a preferred embodiment of the present invention, the calculation method of the change rate of the online infected host is as follows:
Figure BDA0002078476050000071
wherein:
μ_in represents the probability that the worm virus file is activated to an online susceptible host;
E(t) represents the number of latent hosts at time t;
ε_on indicates the host online rate;
I_off(t) represents the number of offline infected hosts at time t;
ε_off indicates the host offline rate;
I_on(t) represents the number of online infected hosts at time t;
μ_rn indicates the probability of an infected host reverting to a susceptible host in the online case.
In a preferred embodiment of the present invention, the calculation method of the rate of change of the host infected offline is as follows:
Figure BDA0002078476050000072
wherein:
μ_if represents the probability that the worm virus file is activated to an offline susceptible host;
E(t) represents the number of latent hosts at time t;
ε_off indicates the host offline rate;
I_on(t) represents the number of online infected hosts at time t;
ε_on indicates the host online rate;
I_off(t) represents the number of offline infected hosts at time t;
μ_rf indicates the probability of an infected host recovering to a susceptible host in the offline case.
In a preferred embodiment of the present invention, the method for judging the worm propagation condition by the judgment threshold comprises: determining the magnitude of
Figure BDA0002078476050000073
relative to 1:
wherein:
μ_d represents the probability of the susceptible host downloading the file;
α denotes the probability of an infected host downloading a file from the infected host;
β denotes the probability of an infected host downloading a file from a susceptible host;
ε_on indicates the host online rate;
μ_if indicates a host offline rate;
μ_in represents the probability that the worm virus file is activated to an online susceptible host;
μ_rf indicates the probability that an infected host recovers to a susceptible host in the offline case;
μ_rn represents the probability of an infected host recovering to a susceptible host in the online case;
ε_off indicates the host offline rate;
if
Figure BDA0002078476050000081
the worm will not flood the network;
otherwise, the worm may flood the network.
In a preferred embodiment of the present invention, the change rate of the online susceptible host is calculated through the following steps:
S101, at time t, when a susceptible host requests a file download from other hosts of the P2P network, the probability of selecting an infected host as the file download source is
Figure BDA0002078476050000082
and the probability of downloading a file from an infected host is μ_d; therefore, the probability that a susceptible host comes to carry worm virus files through downloading is
Figure BDA0002078476050000083
In one unit time, the S_on(t) online susceptible hosts perform μ_d S_on(t) downloads, so in one unit time a total of
Figure BDA0002078476050000084
susceptible hosts become latent hosts because they downloaded files carrying the worm virus;
S102, when an infected host requests a file, the probability that any given host is selected as the host uploading the file is
Figure BDA0002078476050000085
and, correspondingly, the probability that the host is not selected is
Figure BDA0002078476050000086
At time t, the number of susceptible hosts I_on(t) together execute the download task μ_d I_on(t) times; then the probability that one host is not selected as the uploading host at a time is
Figure BDA0002078476050000087
Thus the probability that one host is selected is
Figure BDA0002078476050000088
Therefore, the probability that one susceptible host carries the virus because an infected host uploads files is
Figure BDA0002078476050000089
and the number of hosts that become latent, carrying virus files, in one unit time is
Figure BDA00020784760500000810
S103, some online susceptible hosts become offline susceptible hosts by going offline; their number is ε_off S_on;
S104, some offline hosts become online hosts because they need to transfer files; their number is ε_on S_off;
S105, in addition, online infected hosts whose virus is removed return to the online susceptible state; the number of recovered hosts is μ_rn I_on.
The concrete implementation is as follows:
1. Worm propagation modeling analysis
1.1 Modeling parameters and assumptions
According to how condition-triggered worm viruses actually propagate, the propagation model divides the state of a host into three types: susceptible, latent, and infected. To match reality, the susceptible and infected states are each further divided into an online state and an offline state. In the latent state, a worm virus file already exists on the host and is waiting for a certain condition to trigger it; because the mathematical model abstracts and simplifies the practical problem, the latent host is not divided into online and offline states. In the immune model, an immune state is added for the host and, again considering actual propagation, it is divided into an online state and an offline state. For the subsequent analysis of worm virus propagation modeling, the parameters used in the modeling and the values used in the experimental examples are listed in Table 1.
TABLE 1 Mathematical model parameters for P2P worm propagation

| Symbol | Meaning | Initial value |
|---|---|---|
| M | Total number of hosts in the network | 10000 |
| S_off(t) | Number of offline susceptible hosts at time t | 900 |
| S_on(t) | Number of online susceptible hosts at time t | 9000 |
| E(t) | Number of latent hosts at time t (hosts in the latent period, whose worm virus file has not been activated) | 0 |
| I_on(t) | Number of online infected hosts at time t | 100 |
| I_off(t) | Number of offline infected hosts at time t | 0 |
| R_off(t) | Number of worm-immune hosts at time t (offline hosts that already have protection) | 0 |
| R_on(t) | Number of worm-immune hosts at time t (online hosts that already have protection) | 0 |
| μ_d | Probability of susceptible host downloading file | 0.08 |
| α | Probability of infected host downloading file from infected host | 0.04 |
| β | Probability of infected host downloading file from susceptible host | 0.04 |
| μ_if | Probability of worm virus file activating to offline susceptible host | 0.00015 |
| μ_in | Probability of worm virus file activating to online susceptible host | 0.0001 |
| μ_rf | Probability of infected host recovering to susceptible host in the offline case | 0.000001 |
| μ_rn | Probability of infected host recovering to susceptible host in the online case | 0.000005 |
| μ_imf | Probability of infected host becoming an immune host in the offline case | 0.0001 |
| μ_imn | Probability of infected host becoming an immune host in the online case | 0.0001 |
| ε_off | Host offline rate | 0.00003 |
| ε_on | Host online rate | 0.0003 |
| μ_smf | Immune rate of offline susceptible host | 0.000005 |
| μ_smn | Immune rate of online susceptible host | 0.000005 |

The modeling is based on epidemiology and mean-field theory, so the parameters in the model represent mean values. An important propagation parameter of the worm virus is μ_d: in a P2P network, which is mainly used for file sharing, the more frequent the data interaction between hosts, the greater the effect of the worm virus. P2P worm propagation modeling abstracts the actual problem into a mathematical model, and for convenience of study the following assumptions are made:
(1) The total number of hosts in the P2P network does not change (counting both online and offline hosts).
(2) A state transition of a host is completed within one unit time (Time Unit), and transitions between several states can occur simultaneously in the same unit time.
(3) The files considered in the modeling are executable files that can be run directly, including compressed executable files; a media file (video, picture, or sound file) may also have an executable worm virus file bound into it by some technical method.
(4) Online hosts access the P2P network through the P2P software. An offline host has logged out of the P2P software and left the P2P network, but its operating system is still running.
(5) In the P2P network, a susceptible host that downloads files from an infected host is at risk of infection. In addition, when the P2P software has a vulnerability, malicious code can be transmitted, through the data interaction between the two parties, to a susceptible host that is serving as a download source.
1.2. Host state transition analysis
In the case of P2P condition-triggered worm propagation, it is not difficult to analyze the characteristics of a worm virus to obtain a transition diagram of the state of a host (as shown in fig. 1), where the entities of each state are represented by circles, and the line with an arrow is the direction of the state transition and the line is labeled as the probability of the transition. The bin diagram graphically depicts the spread of the P2P worm virus in an immunocompromised P2P network.
(1) Host states:
Online susceptible host ($S_{on}$): the host runs P2P user software and has joined the P2P network. The host exchanges data by uploading and downloading files and is in the online susceptible state.
Offline susceptible host ($S_{off}$): the host is not running P2P user software and is not in the P2P network. A host that cannot exchange data with other hosts in the P2P network is in the offline susceptible state.
Latent host ($E$): the host's P2P shared folder contains at least one file carrying the worm (the file has been downloaded to the host locally, but the worm's trigger condition has not been reached); the host is in the latent state, in which the worm file has not been activated.
Online infected host ($I_{on}$): the user is in the P2P network and the file carrying the worm has been executed because a certain condition was met; the host is in the online infected state.
Offline infected host ($I_{off}$): the user has logged out of the P2P network, but the condition for executing the worm has nevertheless been triggered; the host is in the offline infected state.
(2) Host state transitions:
$S_{on} \to E$: there are two causes of this transition. One is that a susceptible host downloads files from an infected host and so comes to hold virus files; the other is that an infected host downloads files from a susceptible host, which leaves the susceptible host carrying virus files. The host then changes from the online susceptible state to the latent state. $\mu_s$ in FIG. 1 is the model's representation of the overall propagation influence factor; the specific propagation factors are given in Section 1.3.
Figure BDA0002078476050000101
When the user finishes a download or upload task and exits the P2P network, the host switches from the online susceptible state to the offline susceptible state. Likewise, when the user needs to transfer files and logs in to the P2P software to enter the P2P network, the host switches from the offline susceptible state to the online susceptible state.
$E \to I_{on}$: the host carries a worm file, the virus is triggered because an activation condition is met, and the host is in the P2P network at that moment; the host changes from the latent state to the online infected state.
$E \to I_{off}$: the host already stores files carrying the virus and a trigger condition is met so that the virus is activated, but the host has logged out of the P2P network at that moment; the host changes from the latent state to the offline infected state.
$I_{on} \to S_{on}$: the host already holds the worm, and the user removes the infected files and manually cleans the virus, which requires a higher level of network security knowledge from the user; the host is in the P2P network, so it changes from the online infected state to the online susceptible state.
Figure BDA0002078476050000102
When a P2P network user logs in to or out of the P2P network with the P2P software, the host changes from offline infected to online infected, or from online infected to offline infected, respectively.
$I_{off} \to S_{off}$: on a host that is not in the P2P network, the user of an infected host deletes the files carrying the virus or manually finds and removes the virus, or reinstalls the operating system to eliminate the virus, but without gaining protection against it; the host changes from the offline infected state to the offline susceptible state.
1.3. Propagation mathematical model
In the worm propagation model that does not consider host immunity, a host can be in the susceptible state S, the latent state E, or the infected state I. A host is in one of these 3 states, and the state transition process is S → E → I → S.
(1) Rate of change of online susceptible hosts
Because the worm is condition-triggered, the virus is triggered only when a certain condition is met, and it then infects the local P2P shared files (the host is now infected). Files that a susceptible host uploads or downloads can therefore leave worm-carrying files on the host locally. Hosts in the P2P network can only transfer files, so an online susceptible host can only become a latent host carrying virus files by downloading files.
At time t, when a susceptible host requests a file download from other hosts in the P2P network, the probability that it selects an infected host as the download source is
Figure BDA0002078476050000111
The probability of downloading a file from an infected host is $\mu_d$; therefore, the probability that a susceptible host comes to carry worm files through downloading is
Figure BDA0002078476050000112
In one unit of time, the $S_{on}(t)$ online susceptible hosts perform $\mu_d S_{on}(t)$ downloads, and thus in one unit of time a total of
Figure BDA0002078476050000113
susceptible hosts become latent hosts because they downloaded files carrying the worm.
When an infected host requests a file, the probability that any given host is selected as the host that uploads the file is
Figure BDA0002078476050000114
Then correspondingly, the probability that the host is not selected is
Figure BDA0002078476050000115
At time t, the $I_{on}(t)$ online infected hosts perform $\mu_d I_{on}(t)$ download tasks in total. The probability that a given host is not selected as the uploading host even once is therefore
Figure BDA0002078476050000116
Thus, the probability that a host is selected is
Figure BDA0002078476050000117
Therefore, the probability that a susceptible host comes to carry the virus through uploading files to an infected host is
Figure BDA0002078476050000118
This gives the number of hosts that become latent hosts carrying a virus file in one unit of time:
Figure BDA0002078476050000119
In addition, some online susceptible hosts in the P2P network go offline and become offline susceptible hosts; their number is offSon. The number of offline hosts that come online because they need to transfer files is onSoff. Furthermore, when the virus on an online infected host is removed, the host returns to the online susceptible state; the number of hosts recovered this way is $\mu_{rn} I_{on}$.
Combining the factors that affect the number of online susceptible hosts gives the rate of change of online susceptible hosts:
Figure BDA00020784760500001110
(2) Rate of change of latent hosts
Hosts enter the latent compartment when online susceptible hosts download files containing the virus. Some latent hosts satisfy the virus trigger condition while online, so the virus is activated and they become online infected hosts; their number is $\mu_{in} E(t)$. Meanwhile, on some hosts the virus is triggered while offline, and the number of hosts that become offline infected is $\mu_{if} E(t)$. The rate of change of latent hosts, which have downloaded files containing the worm but on which the worm has not been activated, is:
Figure BDA0002078476050000121
(3) Rate of change of offline susceptible hosts
Because the virus on some offline infected hosts is found and removed, those hosts return to the offline susceptible state; their number is $\mu_{rf} I_{off}(t)$. The rate of change of offline susceptible hosts is:
Figure BDA0002078476050000122
(4) Rate of change of online infected hosts
From the compartment state transition diagram of FIG. 1, the rate of change of the number of online infected hosts per unit time is:
Figure BDA0002078476050000123
(5) Rate of change of offline infected hosts
The rate of change of the number of offline infected hosts per unit time is obtained from the compartment transition diagram:
Figure BDA0002078476050000124
The system of equations (1) through (5) is the mathematical model for the propagation of the condition-triggered worm.
2. Worm immune model
2.1. P2P worm immune compartments
The most effective way to inhibit worm transmission is to write a patch targeting the vulnerability that the worm exploits and install it on the hosts in the P2P network, or to install antivirus software that can recognize the virus signature on the hosts, so that files carrying the worm can be identified and the virus can be detected and removed from infected hosts. In this case, hosts in the P2P network have 7 states: online susceptible host, offline susceptible host, latent host, online infected host, offline infected host, online host with protection capability, and offline host with protection capability.
The immune model builds on the propagation model and adds the online immune state $R_{on}(t)$ and the offline immune state $R_{off}(t)$. In an actual P2P network, some users have higher security awareness and install, in advance, software that can detect and remove the virus and worm-carrying files while the host is still susceptible, so online and offline susceptible hosts make this transition with probabilities $\mu_{smn}$ and $\mu_{smf}$ respectively. $\mu_{imn}$ and $\mu_{imf}$ denote the rates at which online and offline infected hosts convert to online and offline immune hosts.
2.2. Establishing mathematical immune model
The mathematical immune model is established from the compartment diagram analysis of the immune model in Section 2.1, as follows:
Rate of change of online susceptible hosts in the worm immune model:
Figure BDA0002078476050000125
Rate of change of latent hosts in the worm immune model, which have downloaded the worm but whose trigger condition has not been met:
Figure BDA0002078476050000131
Rate of change of offline susceptible hosts in the worm immune model:
Figure BDA0002078476050000132
Rate of change of online infected hosts in the worm immune model:
Figure BDA0002078476050000133
Rate of change of offline infected hosts in the worm immune model:
Figure BDA0002078476050000134
Rate of change of online hosts with worm protection capability in the worm immune model:
Figure BDA0002078476050000135
Rate of change of offline hosts with worm protection capability in the worm immune model:
Figure BDA0002078476050000136
The total number of hosts across all compartments in the worm immune model is denoted by M:
$$M = S_{on}(t) + S_{off}(t) + E(t) + I_{on}(t) + I_{off}(t) + R_{on}(t) + R_{off}(t) \tag{13}$$
The mathematical immune model of the condition-triggered worm consists of equations (6) to (12); equation (13) expresses the assumption that the total number of hosts in the P2P network remains unchanged.
3. Conditions for the worm-free equilibrium
The main purpose of establishing the mathematical model of worm propagation here is to predict the trend of worm propagation and then analyze the key factors influencing it, in order to determine, for the period when no patch for the worm has been written and the virus signature has not been added to the signature database of antivirus software, which factors matter most for the extent of propagation and under what condition the worm will not flood. The key epidemiological theory used for this analysis is presented below.
3.1. Epidemic theory
According to the literature, whether a virus becomes prevalent in the P2P network is determined by its basic reproduction rate (regeneration number) $R_0$. When $R_0 < 1$, the virus disappears from the P2P network soon after it starts to propagate, and the network is in a virus-free state. If $R_0 > 1$, the spread of the virus in the P2P network gradually expands, and finally all hosts in the whole P2P network are infected. Solving for the sufficient condition under which the P2P network is in the worm-free equilibrium state means that, even if a newly infected host appears in the P2P network, the worm is guaranteed not to become prevalent or flood the network as long as that condition is met. The literature proposes a method for finding the basic reproduction rate (regeneration number) in which the host state transition flows are divided into two parts, the flow of newly infected individuals and the other flows, denoted f and v respectively. The two vectors are differentiated with respect to each state variable, giving the following matrices:
Figure BDA0002078476050000137
$f_i$ and $v_i$ are the $i$-th components of $f$ and $v$, $x_i$ is the $i$-th state variable with $\dot{x}_i = f_i(x) - v_i(x)$, and $m$ is the number of infected state variables. The absolute value of the largest eigenvalue (the spectral radius) of the matrix $FV^{-1}$ is the regeneration number $R_0$.
3.2. Condition of worm not flooding
Theorem: based on the proposed condition-triggered worm propagation model and the epidemiological theory above, when the sufficient condition
Figure BDA0002078476050000141
holds, the worm does not flood the P2P network.
The condition-triggered worm has 3 infected state variables, $E(t)$, $I_{on}(t)$ and $I_{off}(t)$, so the value of $m$ above is 3. From the propagation model equations (2), (4) and (5):
Figure BDA0002078476050000142
Figure BDA0002078476050000143
In the worm-free equilibrium state of the P2P network, the compartment states change as follows:
Figure BDA0002078476050000144
and the number of hosts carrying the virus file or already infected is:
$$I_{on}(t) = I_{off}(t) = E(t) = 0 \tag{17}$$
In the P2P worm propagation model, the total number of hosts across all compartments is always constant:
$$N = S_{on}(t) + S_{off}(t) + E(t) + I_{on}(t) + I_{off}(t) \tag{18}$$
From the previous two formulas, the total number of hosts in the P2P network at the worm-free equilibrium is:
$$N = S_{on}(t) + S_{off}(t) \tag{19}$$
From these formulas, the numbers of online susceptible hosts and offline susceptible hosts are obtained as follows:
Figure BDA0002078476050000145
To simplify the subsequent calculation, the following formula is simplified.
From
Figure BDA0002078476050000146
expanding with Newton's binomial theorem gives
Figure BDA0002078476050000147
Thus obtaining
Figure BDA0002078476050000148
Differentiating with respect to $I_{on}(t)$ gives:
Figure BDA0002078476050000151
Differentiating the vectors $f$ and $v$ with respect to $E(t)$, $I_{on}(t)$ and $I_{off}(t)$ respectively gives:
Figure BDA0002078476050000152
Figure BDA0002078476050000153
At the equilibrium state, where
Figure BDA0002078476050000154
substituting the parameters gives the following results:
Figure BDA0002078476050000155
Solving for $V^{-1}$ from the differentiated matrix $V$ gives:
Figure BDA0002078476050000156
$R_0 = \rho(FV^{-1})$, where $\rho(FV^{-1})$ denotes the eigenvalue of largest absolute value of the matrix product $FV^{-1}$; this value is $R_0$:
Figure BDA0002078476050000157
From the literature, the sufficient condition for the worm not to spread widely is:
Figure BDA0002078476050000158
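The method of Section 3.1 applied to the three infected compartments of Section 3.2, as an added Python example that is not code from the patent. The matrix V follows the state transitions described in Section 1.2; the names `lam_on`/`lam_off`, the assumption that infected hosts log in and out at those same rates, and the linearised infection coefficients `infect_from_e` and `infect_from_ion` are assumptions, because the patent's infection term is not reproduced on this page.

```python
# Added example: R0 = rho(F V^-1) for the infected compartments E, I_on, I_off.
# Assumptions (not from the page): parameter names lam_on/lam_off, infected hosts
# going on/offline at those same rates, and the linearised infection coefficients
# infect_from_e / infect_from_ion, which stand in for the page's infection term.

def invert(m):
    """Gauss-Jordan inverse with partial pivoting."""
    n = len(m)
    a = [[float(x) for x in row] + [float(i == j) for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-15:
            raise ValueError("V is singular: an infected state has no outflow")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col:
                factor = a[r][col]
                a[r] = [x - factor * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def spectral_radius(k, iterations=200):
    """Largest |eigenvalue| by power iteration (K = F V^-1 is non-negative)."""
    x = [1.0] * len(k)
    estimate = 0.0
    for _ in range(iterations):
        y = [sum(kij * xj for kij, xj in zip(row, x)) for row in k]
        estimate = max(abs(v) for v in y)
        if estimate == 0.0:          # no new infections at all
            return 0.0
        x = [v / estimate for v in y]
    return estimate


def transition_matrix(mu_in, mu_if, mu_rn, mu_rf, lam_on, lam_off):
    """V: outflow minus non-infection inflow, rows/cols ordered E, I_on, I_off."""
    return [
        [mu_in + mu_if, 0.0, 0.0],              # E activates online or offline
        [-mu_in, mu_rn + lam_off, -lam_on],     # I_on recovers or logs out
        [-mu_if, -lam_off, mu_rf + lam_on],     # I_off recovers or logs in
    ]


def basic_reproduction_number(infect_from_e, infect_from_ion, rates):
    """New infections only enter E, so F has a single non-zero row."""
    f = [[infect_from_e, infect_from_ion, 0.0], [0.0] * 3, [0.0] * 3]
    return spectral_radius(matmul(f, invert(transition_matrix(**rates))))


def critical_recovery_rate(infect_from_e, infect_from_ion, rates,
                           lo=1e-6, hi=10.0):
    """Smallest online recovery rate mu_rn giving R0 <= 1, or None if even
    mu_rn = hi leaves R0 > 1 (latent hosts alone sustain the spread)."""
    def r0(mu_rn):
        return basic_reproduction_number(
            infect_from_e, infect_from_ion, dict(rates, mu_rn=mu_rn))
    if r0(lo) <= 1.0:
        return lo
    if r0(hi) > 1.0:
        return None
    for _ in range(60):                          # R0 decreases as mu_rn grows
        mid = (lo + hi) / 2.0
        lo, hi = (mid, hi) if r0(mid) > 1.0 else (lo, mid)
    return hi


# Constructed sample rates (per unit time); not values from the page.
SAMPLE_RATES = dict(mu_in=0.3, mu_if=0.1, mu_rn=0.1, mu_rf=0.1,
                    lam_on=0.2, lam_off=0.2)

if __name__ == "__main__":
    for b in (0.1, 0.4):
        r0 = basic_reproduction_number(0.0, b, SAMPLE_RATES)
        print(f"infect_from_ion={b}: R0={r0:.2f} ->",
              "dies out" if r0 < 1 else "spreads")
    print("mu_rn needed for R0<=1:",
          critical_recovery_rate(0.0, 0.4, SAMPLE_RATES))
```

Because new infections enter only the latent compartment, $R_0$ here reduces to the infection coefficient multiplied by the expected time a newly latent host spends in the corresponding infected state, which is why raising the recovery rate lowers it.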
4. Simulation analysis
4.1. Experimental verification of the sufficient condition that the worm will not flood
The correctness of the derived condition that the worm will not flood is verified using FIGS. 3-10 below. FIG. 1 shows how the number of hosts in every compartment of the propagation model changes. Because $R_0$ is greater than 1, the condition for worm flooding is satisfied. According to the trend in the graph, when online susceptible users download files, susceptible hosts quickly become hosts carrying virus files. When the number of hosts carrying virus files reaches a peak, hosts that meet the trigger condition become online or offline infected hosts, so the worm gradually spreads in the network and the worm propagation equilibrium is finally reached. FIGS. 4-10 analyze how different factors change, over time, the number of virus-containing hosts in the P2P network (online and offline infected hosts, and latent hosts carrying virus files). As FIGS. 4, 5, 6 and 8 show for different influencing factors, when $R_0 < 1$ the number of virus-containing hosts in the network gradually decreases until they disappear. When $R_0$ is close to 1, the number of worms in the network remains roughly balanced. When $R_0 > 1$, the worm starts to spread in the network. This shows that the derived condition for the worm not to flood is correct.
FIG. 3 shows how the number of hosts in each state changes in a P2P network. Online and offline susceptible hosts come to hold files containing the worm locally through downloads or uploads, and the virus in those files is triggered under suitable conditions, so the number of infected hosts ($I_{off}(t)$ and $I_{on}(t)$ in the figure) begins to increase. Since the number of hosts in the P2P network is assumed constant, the numbers of latent and susceptible hosts decrease as the number of infected hosts increases, and after a period of time the infected hosts reach an equilibrium in the network. Because $R_0 > 1$, the worm does not disappear from the network.
Download rate is an important factor in whether a worm can flood the network. Worms often masquerade as or bind to normal files; they propagate in P2P networks through file sharing, and data exchange between hosts consists mainly of file uploads and downloads. The more frequently hosts in the network download, the more likely they are to download files carrying the virus. FIG. 4 shows the influence of different values of the download factor on the number of hosts containing virus files: with other influencing factors unchanged, the larger its value, the larger the number of infected hosts, and when its value is below a certain threshold, that is $R_0 < 1$, the worm will not flood the network.
An online susceptible host downloads files from an online infected host or a latent host (whose P2P shared folder already contains virus files). If the downloaded files contain virus files, the host enters the latent state, and the worm is triggered under suitable conditions so that the host becomes infected. FIG. 5 shows that, with the other P2P parameters unchanged, the larger the value of the α parameter (range 0-1), the more infected hosts there are; this is likewise constrained by the worm flooding condition, and when $R_0 < 1$ the worm will not flood the network.
Similar to the α factor, the β factor represents an online infected host acting as the downloader and downloading files from an online susceptible host. With the values of the other influencing factors unchanged, the larger the β value (range 0-1), the larger the number of infected hosts in the network, and the sufficient condition on worm flooding likewise applies.
The virus on a latent host is activated when certain conditions are met, and the host then becomes an online infected host or an offline infected host. (Viruses are triggered in various ways; most typically, the virus is activated when a user opens a file containing it, and the worm may be activated whether or not the user is logged in to the P2P network.) The influencing factor is $\mu_{in}$: the greater its value, the greater the number of online infected hosts in the network.
A user of an infected host who has network security knowledge can manually find and remove the virus or reinstall the operating system, so that the host recovers from the infected state to the susceptible state. FIG. 8 shows the influence factor $\mu_{rn}$, which governs the recovery of online infected hosts to the online susceptible state. The larger the value of $\mu_{rn}$ (range 0-1), the more hosts recover and the fewer hosts are infected; once the number is small enough to meet the worm equilibrium condition, that is $R_0 < 1$, the worm will not flood the network.
In the worm propagation model of the P2P network, the initial number of infected hosts does not affect the condition for worm flooding. Consistent with the result proved above, expression (14) contains no factor related to I, and FIG. 9 shows that the value of I only affects the speed of worm propagation in the network.
The online rate and the offline rate indicate whether a host is in the P2P network. As shown in FIG. 1, when the number of online susceptible hosts increases, more hosts upload or download files in the network and then become infected after a latent period. The influence of the online rate on online infected hosts is shown in FIG. 10: when the online rate is larger and the other influencing factors are unchanged, the number of latent hosts increases, which indirectly increases the number of online infected hosts.
4.2. Effect of P2P parameters on worm propagation
FIGS. 4-10 show that the download rate has a significant effect on the number of online infected hosts and therefore has the greatest impact on the degree of worm flooding (the ratio of the total number of infected hosts at equilibrium to the total number of hosts in the network). Next come the online and offline worm activation rates, then the recovery rate of infected hosts, and the least influential are the host online rate and offline rate. The reason is that the online rate and offline rate indicate whether a host enters the P2P network and mainly affect online infected hosts, so they have some influence on virus propagation in the network; but in practice the online and offline rates fluctuate very little during a worm outbreak, so their influence is slightly smaller than that of the other factors. The number of initially infected hosts also has little impact on the degree of virus flooding: it does not appear in the worm equilibrium condition, but it can affect the speed of worm propagation. When $R_0 > 1$, if the number of infected hosts in the network is large, the equilibrium state is reached in a short time; if it is small, the equilibrium state is reached only after a long time.
Table 2. Values of $R_0$ in the experiments of FIGS. 3 to 8

| $\mu_d$ | $R_0$ | $\alpha$ | $R_0$ | $\beta$ | $R_0$ | $\mu_{rn}$ | $R_0$ |
|---|---|---|---|---|---|---|---|
| 0.1 | 7.6 | 0.001 | 2.28 | 0.001 | 2.47 | 0.00009 | 2.82 |
| 0.05 | 1.52 | 0.0006 | 1.52 | 0.0005 | 1.52 | 0.00006 | 1.42 |
| 0.01 | 0.76 | 0.0002 | 0.76 | 0.0001 | 0.76 | 0.00003 | 0.95 |

Table 2 and FIGS. 3-10 show that another important parameter in propagation is $R_0$. Besides indicating whether the worm floods the network, $R_0$ also indicates speed: when $R_0 > 1$, the larger its value, the faster the worm propagates in the network, and vice versa; when $R_0 < 1$, that is, when the worm does not flood, the larger the value of $R_0$, the longer the worm takes to disappear from the network, and vice versa.
4.3. Worm propagation control
Worm propagation is influenced by the download rate, download infection rate, upload infection rate, recovery rate (online and offline), virus trigger rate (online and offline), offline rate and online rate, of which five parameters are controllable by users. When a vulnerability patch has not been published, or antivirus software has not yet extracted the virus signature, effective control of these five parameters can slow the spread of the virus in the network. They are analyzed one by one below.
The recovery rate can significantly reduce the ability of the worm to propagate in the network. In practice there are two ways to increase the recovery rate: when a host has the worm, the user either reinstalls the operating system or removes the worm manually. The feasibility of both is very low. If the user reinstalls the operating system, some files may be lost and the user may be unable to work normally. Manual detection and removal is more demanding still: the user needs to master antivirus knowledge, which is difficult for non-professionals.
Download rate is the most critical factor affecting the spread of the worm, and data exchange in a P2P network consists mainly of file downloads. For a condition-triggered worm, if the file download rate in the network can be greatly reduced, the number of latent hosts is effectively reduced and the spread of the worm is effectively inhibited. P2P network topologies fall into three types: fully distributed unstructured topology, centralized topology, and hybrid topology. A P2P network such as Gnutella has a fully distributed unstructured topology and is very open; the only way to reduce the download rate is to post network bulletins warning users that the worm is present, and the effect is very small because many users are simply unaware of the worm during the outbreak stage. Even if users know that a worm is present in the network and deliberately reduce their download rate, this may not prevent the spread of the virus. eDonkey has a different topology from Gnutella: a central node indexes the resources, so controlling the resource list address and not allowing users to query resources reduces the file download rate. A hybrid topology network can likewise restrict access to the resource list to limit file downloads.
The conditions that trigger a virus vary, but most often a file containing the virus is downloaded locally and the worm is triggered when the file is opened. During a worm outbreak, downloaded files should not be opened directly and should first be tested in a dedicated sandbox environment before use. However, the trigger condition is not always as simple as opening the file; the worm may, for example, trigger only when it detects that the host is not in use, in order to stay concealed. Controlling trigger conditions therefore achieves only partial control over the spread of the worm.
The online rate and offline rate can be controlled, but the effect is only partial. Because a host must be online to download files, controlling the online rate can promptly keep hosts from entering the P2P network to download and upload files, but the purpose of sharing files is then lost.
The analysis shows that worm propagation is fast and has a short cycle. The best time to control it is the initial stage of the outbreak, when the number of infected hosts is small and the spread can be stopped in time. However, a condition-triggered worm is relatively concealed and hard to detect; it is activated only once its condition is met, and users are alerted only when the worm has started to spread and flood the network, at which point these measures are no longer effective enough.
4.4. Worm immune model simulation
According to the established mathematical immune model of the worm, a simulation combined with realistic conditions produces FIG. 11, which shows the number of hosts in different states in a P2P network; in a network with immune capability, after a period of time the hosts eventually become immune to the worm. FIGS. 12-14 show the effect of a single influencing factor on infected hosts; in two of these figures, the influencing factors $\mu_{smn}$ and $\mu_{imn}$ have an obvious effect on the number of infected hosts and are the key factors for host immunization in the immune model. FIG. 14 shows the influence of $\mu_{smn}$ on the number of latent hosts carrying virus files. A host can become a latent host only by downloading or uploading files as an online susceptible host, and $\mu_{smn}$ can only change the number of online susceptible hosts, thereby indirectly changing the number of latent hosts.
FIG. 11 shows the number of hosts in different states in a P2P network with an immunization mechanism. Once the worm is on a host, antivirus software can identify the virus signature, so files carrying the worm and the worm itself can be removed in time. The graph shows that the numbers of online and offline susceptible hosts decrease; some infected hosts, whose users have stronger security awareness, have antivirus software with a signature library installed and switch directly from the infected state to the immune state. The graph also shows that few hosts have antivirus software installed in advance, so the number of immune hosts is small at the beginning. With file sharing and data exchange in the P2P network, the number of latent hosts reaches a peak; the virus condition is then triggered, hosts begin to enter the infected state, and the number of infected hosts reaches its peak. The spread of the virus then draws attention: corresponding patches are produced, and the virus signature is added to the signature database so that antivirus software can identify and remove it. The number of immune hosts increases as the infected hosts gradually disappear, and finally every host in the network is immune to the worm.
The immunity rate $\mu_{smn}$ is the rate at which online susceptible hosts acquire immunity and become online immune hosts. FIG. 12 shows that the larger the value of $\mu_{smn}$ (range 0-1), the lower the peak number of online infected hosts; the peak number of offline infected hosts also falls because online and offline susceptible hosts convert into each other. In the immune model, as the immune capability of the hosts increases, the infected hosts eventually disappear from the network.
$\mu_{imn}$ is the immunity rate from the online infected state to the online immune state. It directly affects the peak number of online infected hosts: the larger the value of $\mu_{imn}$ (range 0-1), the lower the peak number of online infected hosts.
The immunity rate $\mu_{smn}$ affects latent hosts indirectly. A host enters the latent state when an online susceptible host downloads a file containing the virus, and $\mu_{smn}$ directly affects the online susceptible hosts: when the number of online susceptible hosts decreases and the other P2P parameters are unchanged, the number of latent hosts decreases. FIG. 14 shows that the larger the value of $\mu_{smn}$ (range 0-1), the smaller the number of latent hosts.
While embodiments of the invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.

Claims (8)

1. A worm propagation prediction method for a nonlinear dynamics P2P network is characterized by comprising the following steps:
S1, acquiring the number of hosts in each state produced by the worm on the network at the initial time and the number of hosts in each state after time t;
S2, calculating the change rates of the hosts in the different states from the acquired data; the hosts in different states comprise online susceptible hosts, and the change rate of the online susceptible hosts is calculated as:
Figure FDA0002513954180000011
wherein:
α denotes the probability of an infected host downloading a file from the infected host;
μ_d represents the probability of the susceptible host downloading the file;
S_on(t) represents the number of online susceptible hosts at time t;
I_on(t) represents the number of online infected hosts at time t;
E(t) represents the number of latent hosts at time t;
β denotes the probability of an infected host downloading a file from a susceptible host;
on indicates the host online rate;
S_off(t) represents the number of offline susceptible hosts at time t;
off indicates the host offline rate;
μ_rn represents the probability of the infected host recovering to the susceptible host under the online condition;
S3, judging the worm propagation condition by comparing the calculated data against a threshold value;
the method for judging the worm propagation condition through the data judgment threshold value comprises the following steps:
judging the magnitude of
Figure FDA0002513954180000012
relative to 1,
wherein:
μ_d represents the probability of the susceptible host downloading the file;
α denotes the probability of an infected host downloading a file from the infected host;
β denotes the probability of an infected host downloading a file from a susceptible host;
on indicates the host online rate;
μ_if indicates a host offline rate;
μ_in represents the probability of worm virus files being activated to an online susceptible host;
μ_rf represents the probability that the infected host recovers to the susceptible host under the offline condition;
μ_rn represents the probability of the infected host recovering to the susceptible host under the online condition;
off indicates a host offline rate;
if
Figure FDA0002513954180000021
the worm will not flood the network;
otherwise, the worm may flood the network.
2. The nonlinear dynamics P2P network worm propagation prediction method of claim 1, wherein the different state hosts further include one or any combination of off-line infection-prone hosts, latent hosts, on-line infection-prone hosts, off-line infection-prone hosts.
3. The nonlinear dynamics P2P network worm propagation prediction method of claim 1, wherein the host's change rate in different states further includes one or any combination of the change rate of a latent host, the change rate of an off-line susceptible host, the change rate of an on-line infected host, and the change rate of an off-line infected host.
4. The method for predicting worm propagation in a nonlinear dynamical P2P network according to claim 3, wherein the rate of change of the latent host is calculated by:
Figure FDA0002513954180000022
wherein:
α denotes the probability of an infected host downloading a file from the infected host;
μ_d represents the probability of the susceptible host downloading the file;
S_on(t) represents the number of online susceptible hosts at time t;
I_on(t) represents the number of online infected hosts at time t;
E(t) represents the number of latent hosts at time t;
β denotes the probability of an infected host downloading a file from a susceptible host;
μ_if represents the probability that the worm virus file is activated to an offline susceptible host;
μ_in represents the probability of worm virus files activating to an online susceptible host.
5. The method for predicting worm propagation in a nonlinear dynamics P2P network according to claim 3, wherein the method for calculating the rate of change of the off-line susceptible host comprises:
Figure FDA0002513954180000031
off indicates the host offline rate;
S_on(t) represents the number of online susceptible hosts at time t;
on indicates the host online rate;
S_off(t) represents the number of offline susceptible hosts at time t;
μ_rf represents the probability that the infected host recovers to the susceptible host under the offline condition;
I_off(t) represents the number of offline infected hosts at time t.
6. The method for predicting worm propagation in a nonlinear dynamics P2P network according to claim 3, wherein the calculation method of the change rate of the online infected host is:
Figure FDA0002513954180000032
wherein:
μ_in represents the probability of worm virus files being activated to an online susceptible host;
E(t) represents the number of latent hosts at time t;
on indicates the host online rate;
I_off(t) represents the number of offline infected hosts at time t;
off indicates the host offline rate;
I_on(t) represents the number of online infected hosts at time t;
μ_rn represents the probability of an infected host reverting to a susceptible host in an online situation.
7. The method for predicting worm propagation in a nonlinear dynamics P2P network according to claim 3, wherein the calculation method of the offline infected host change rate is:
Figure FDA0002513954180000041
wherein:
μ_if represents the rate of activation of worm virus files to offline susceptible hosts;
E(t) represents the number of latent hosts at time t;
off indicates the host offline rate;
I_on(t) represents the number of online infected hosts at time t;
on indicates the host online rate;
I_off(t) represents the number of offline infected hosts at time t;
μ_rf indicates the probability of an infected host recovering to a susceptible host in an offline situation.
8. The method for predicting worm propagation in a nonlinear dynamics P2P network according to claim 1, wherein the calculation process of the change rate of the online susceptible host includes the following steps:
S101, at time t, when a susceptible host requests a file download from other hosts of the P2P network, the probability of selecting an infected host as the file download source is
Figure FDA0002513954180000042
and the probability of downloading a file from an infected host is μ_d; therefore, the probability that a susceptible host carries a worm virus file because of downloading is
Figure FDA0002513954180000043
In a unit time, the number of online susceptible hosts is S_on(t) and the number of downloads by these hosts is μ_d S_on(t), so that in one unit time a total of
Figure FDA0002513954180000044
susceptible hosts become latent hosts because they downloaded files carrying the worm virus;
S102, when an infected host requests a file, the probability that any given host is selected as the host uploading the file is
Figure FDA0002513954180000045
and correspondingly the probability that the host is not selected is
Figure FDA0002513954180000046
At time t, the I_on(t) hosts execute the download task μ_d I_on(t) times in total; the probability that one host is not selected as the uploading host at a time is then
Figure FDA0002513954180000047
which gives the probability that one host is selected:
Figure FDA0002513954180000048
Therefore, the probability that one susceptible host carries the virus because the infected host uploads files is
Figure FDA0002513954180000051
which gives the number of hosts that become latent and carry the virus files in a unit time as
Figure FDA0002513954180000052
S103, some of the online susceptible hosts go offline and become offline susceptible hosts, and their number is off S_on;
S104, some of the offline hosts become online hosts because of the need for file transmission, and their number is on S_off;
S105, in addition, the virus in online infected hosts is removed, restoring them to the online susceptible state, and the number of restored hosts is μ_rn I_on.
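The flows listed in claims 1-8, extended with the two immunization rates discussed for Figs. 12-14, can be integrated numerically to see how the peaks respond to μ_smn; the sketch below is an added example, not code from the patent. The source-selection probabilities I_on/N and 1/N, the single immune pool and every parameter value are assumptions, because the claim formulas survive on this page only as figure references.

```python
# Added illustration, not the patent's code. Linear flows follow claim steps
# S103-S105 and the symbol lists of claims 4-7; ASSUMED parts are marked.
N = 10_000.0  # total hosts (constructed value)
# Constructed rates, keyed by the page's symbol names ("on"/"off" = host
# online/offline rates, whose symbol is not legible on the page).
P = dict(alpha=0.6, beta=0.4, mu_d=0.5, on=0.3, off=0.2, mu_in=0.3,
         mu_if=0.1, mu_rn=0.05, mu_rf=0.02, mu_imn=0.05)

def rates(y, mu_smn, p=P):
    """Time derivatives of [S_on, S_off, E, I_on, I_off, immune]."""
    s_on, s_off, e, i_on, i_off, _ = y
    # S101: a susceptible host downloads from an infected source.
    # ASSUMPTION: sources are picked uniformly, P(infected source) = I_on/N.
    pull = p["alpha"] * p["mu_d"] * s_on * i_on / N
    # S102: infected hosts issue mu_d*I_on requests and a susceptible host is
    # picked as uploader at least once. ASSUMPTION: chance 1/N per request.
    push = p["beta"] * s_on * (1 - (1 - 1 / N) ** (p["mu_d"] * i_on))
    new_e = pull + push
    return [
        -new_e - p["off"] * s_on + p["on"] * s_off + p["mu_rn"] * i_on
        - mu_smn * s_on,                                         # S_on
        p["off"] * s_on - p["on"] * s_off + p["mu_rf"] * i_off,  # S_off
        new_e - (p["mu_in"] + p["mu_if"]) * e,                   # E
        p["mu_in"] * e + p["on"] * i_off
        - (p["off"] + p["mu_rn"] + p["mu_imn"]) * i_on,          # I_on
        p["mu_if"] * e + p["off"] * i_on
        - (p["on"] + p["mu_rf"]) * i_off,                        # I_off
        mu_smn * s_on + p["mu_imn"] * i_on,  # immune (one pool, ASSUMED)
    ]

def simulate(mu_smn, t_end=400.0, dt=0.05):
    """Classical RK4 run; returns (peak E, peak I_on, final state)."""
    y = [0.7 * N - 10, 0.3 * N, 0.0, 10.0, 0.0, 0.0]  # constructed start
    peak_e = peak_i = 0.0
    for _ in range(int(t_end / dt)):
        k1 = rates(y, mu_smn)
        k2 = rates([a + dt / 2 * k for a, k in zip(y, k1)], mu_smn)
        k3 = rates([a + dt / 2 * k for a, k in zip(y, k2)], mu_smn)
        k4 = rates([a + dt * k for a, k in zip(y, k3)], mu_smn)
        y = [a + dt / 6 * (b + 2 * c + 2 * d + f)
             for a, b, c, d, f in zip(y, k1, k2, k3, k4)]
        peak_e, peak_i = max(peak_e, y[2]), max(peak_i, y[3])
    return peak_e, peak_i, y

if __name__ == "__main__":
    for m in (0.0, 0.01, 0.02, 0.05):
        pe, pi, y = simulate(m)
        print(f"mu_smn={m:<5} peak E={pe:7.1f} peak I_on={pi:7.1f} "
              f"immune={y[5]:7.1f}")
```

With these constructed values the peaks of E and I_on fall as mu_smn rises, which is the trend the description reports for Figs. 12 and 14.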

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910462514.1A CN110191126B (en) 2019-05-30 2019-05-30 Nonlinear dynamics P2P network worm propagation prediction method

Publications (2)

Publication Number Publication Date
CN110191126A CN110191126A (en) 2019-08-30
CN110191126B true CN110191126B (en) 2020-07-17

Family

ID=67718861

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220609

Address after: 400000 B2, floor 12, Ping Street, unit B, gangtian building, Zhonger Road, Yuzhong District, Chongqing

Patentee after: Chongqing Beite computer system engineering Co.,Ltd.

Address before: No.69 Hongguang Avenue, Banan District, Chongqing

Patentee before: Chongqing University of Technology