CN110191127A - An immune prediction method for nonlinear dynamics P2P network worms - Google Patents

Publication number: CN110191127A
Application number: CN201910462524.5A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN110191127B (en)
Inventors: 刘小洋, 刘加苗, 唐婷, 何道兵
Current Assignee: Guangzhou Chengxiang Computer Co ltd
Original Assignee: Chongqing University of Technology

Abstract

The invention proposes an immune prediction method for nonlinear dynamics P2P network worms, comprising the following steps: S1, obtain the number of hosts in each state that the worm has produced in the network at the initial time, and the number of hosts in each state after time t; S2, calculate the rate of change of the hosts in each state from the acquired data; S3, using the calculated data, judge the worm immunity situation against a judgment threshold. The invention can make an immune prediction of the state of rampant worm propagation in a network, so that defense strategies can be made in time.

Description

An immune prediction method for nonlinear dynamics P2P network worms
Technical field
The present invention relates to the technical field of worm propagation, and in particular to an immune prediction method for nonlinear dynamics P2P network worms.
Background art
With the development of the Internet, resource sharing has become its cornerstone, and networks built on the basic C/S structure can no longer meet users' needs; peer-to-peer networks (peer-to-peer networking) emerged as a result. Peer-to-peer networks solve the central-server bottleneck well, but they also bring new problems. Because a P2P network has a peer structure, every host in it may act as a server. Computer viruses have always been a problem on the Internet, and worms are an extremely contagious kind of virus. A worm attack generally proceeds through information gathering, vulnerability probing, triggering the virus and executing its code. Building a P2P network requires every user to install the corresponding P2P client software, and the software within one P2P network must be identical for a host to join that network. If this P2P client software has a vulnerability and a malicious user (attacker) discovers it and writes a corresponding exploit program (a P2P worm), the entire peer-to-peer network is in a dangerous state, and the attack can paralyze the network in a short time. Another propagation strategy relies on social engineering: the worm's code is implanted in a normal file, and the worm is activated and begins to propagate once a certain condition is met. Compared with worm propagation on the Internet, propagation on a P2P network does greater harm.

P2P worm propagation does not need to proceed as other Internet worms do. An Internet worm first scans targets to determine whether a destination host IP exists, then probes for the vulnerability and, if the vulnerability is present, uses it to infect the host and begins the next round of propagation. P2P worms spread extremely fast: the users of a P2P network are hosts that really exist, so there is no need to test whether a destination IP exists. P2P worms have a high propagation success rate: every attack connects to a valid address, so the attack connection success rate is very high. On the Internet the proportion of valid addresses is much lower, because many of the targets do not exist or are powered off. P2P worm attacks are hard to detect. Internet worms usually have to perform a large amount of target probing and scanning, so an infected host can be identified by detecting its abnormal connection requests. A P2P worm does not need to scan for targets and does not trigger abnormal-connection detection, which makes its attacks hard to detect. In practice, analyzing only a host's connection requests makes it difficult, to some extent, to distinguish a worm's connection requests from the connection requests of normal file uploads and downloads.
The authors (attackers) of P2P worms have different goals, so different P2P worms have different effects after an attack. Some use worm propagation to build a botnet and carry out DDoS attacks with the bandwidth of the infected hosts. In addition, the current popularity of virtual currency has led many worms to carry "mining" programs that illegally use the computing resources of other people's computers. Other goals include stealing personal information, clickjacking and spam.
It follows that P2P network worms are highly harmful and destructive, and that protecting the hosts in a P2P network requires containing the propagation of P2P worms. A sound propagation model that describes the P2P worm propagation process is therefore necessary: it can expose the weak points of P2P worm propagation and predict possible threats, so that defense strategies can be made in time.
Summary of the invention
The present invention aims to solve at least the technical problems existing in the prior art, and in particular proposes an immune prediction method for nonlinear dynamics P2P network worms.
To achieve the above purpose, the present invention provides an immune prediction method for nonlinear dynamics P2P network worms, comprising the following steps:
S1, obtain the number of hosts in each state that the worm has produced in the network at the initial time, and the number of hosts in each state after time t; the host states include one or any combination of: online susceptible hosts, latent hosts, offline susceptible hosts, online infected hosts, offline infected hosts, online hosts with worm protection capability and offline hosts with worm protection capability;
S2, calculate the rate of change of the hosts in each state from the acquired data; the rates of change include one or any combination of: the rate of change of online susceptible hosts, of latent hosts, of offline susceptible hosts, of online infected hosts, of offline infected hosts, of online hosts with worm protection capability and of offline hosts with worm protection capability;
S3, using the calculated data, judge the worm immunity situation against a judgment threshold.
In a preferred embodiment of the present invention, the rate of change of online susceptible hosts is calculated as follows:
where:
$\alpha$ denotes the probability that a susceptible host downloads a file from an infected host;
$\mu_d$ denotes the probability that a susceptible host downloads a file;
$S_{on}(t)$ denotes the number of online susceptible hosts at time t;
$I_{on}(t)$ denotes the number of online infected hosts at time t;
$E(t)$ denotes the number of latent hosts at time t;
$\beta$ denotes the probability that an infected host downloads a file from a susceptible host;
$\varepsilon_{on}$ denotes the host online rate;
$S_{off}(t)$ denotes the number of offline susceptible hosts at time t;
$\varepsilon_{off}$ denotes the host offline rate;
$\mu_{rn}$ denotes the probability that, while online, an infected host recovers to a susceptible host;
$\mu_{smn}$ denotes the immunization rate of online susceptible hosts.
In a preferred embodiment of the present invention, the rate of change of latent hosts is calculated as follows:
where:
$\alpha$ denotes the probability that a susceptible host downloads a file from an infected host;
$\mu_d$ denotes the probability that a susceptible host downloads a file;
$S_{on}(t)$ denotes the number of online susceptible hosts at time t;
$I_{on}(t)$ denotes the number of online infected hosts at time t;
$E(t)$ denotes the number of latent hosts at time t;
$\beta$ denotes the probability that an infected host downloads a file from a susceptible host;
$\mu_{if}$ denotes the probability that the worm file is activated on an offline susceptible host;
$\mu_{in}$ denotes the probability that the worm file is activated on an online susceptible host.
In a preferred embodiment of the present invention, the rate of change of offline susceptible hosts is calculated as follows:
$\varepsilon_{off}$ denotes the host offline rate;
$S_{on}(t)$ denotes the number of online susceptible hosts at time t;
$\varepsilon_{on}$ denotes the host online rate;
$S_{off}(t)$ denotes the number of offline susceptible hosts at time t;
$\mu_{rf}$ denotes the probability that, while offline, an infected host recovers to a susceptible host;
$I_{off}(t)$ denotes the number of offline infected hosts at time t;
$\mu_{smf}$ denotes the immunization rate of offline susceptible hosts.
In a preferred embodiment of the present invention, the rate of change of online infected hosts is calculated as follows:
where:
$\mu_{in}$ denotes the probability that the worm file is activated on an online susceptible host;
$E(t)$ denotes the number of latent hosts at time t;
$\varepsilon_{on}$ denotes the host online rate;
$I_{off}(t)$ denotes the number of offline infected hosts at time t;
$\varepsilon_{off}$ denotes the host offline rate;
$I_{on}(t)$ denotes the number of online infected hosts at time t;
$\mu_{rn}$ denotes the probability that, while online, an infected host recovers to a susceptible host;
$\mu_{imn}$ denotes the probability that, while online, a susceptible host becomes an immune host.
In a preferred embodiment of the present invention, the rate of change of offline infected hosts is calculated as follows:
where:
$\mu_{if}$ denotes the probability that the worm file is activated on an offline susceptible host;
$E(t)$ denotes the number of latent hosts at time t;
$\varepsilon_{on}$ denotes the host online rate;
$I_{off}(t)$ denotes the number of offline infected hosts at time t;
$\varepsilon_{off}$ denotes the host offline rate;
$I_{on}(t)$ denotes the number of online infected hosts at time t;
$\mu_{rf}$ denotes the probability that, while offline, an infected host recovers to a susceptible host;
$\mu_{imf}$ denotes the probability that, while offline, a susceptible host becomes an immune host.
In a preferred embodiment of the present invention, the rate of change of online hosts with worm protection capability is calculated as follows:
where:
$\mu_{imn}$ denotes the probability that, while online, a susceptible host becomes an immune host;
$I_{on}(t)$ denotes the number of online infected hosts at time t;
$\mu_{smn}$ denotes the immunization rate of online susceptible hosts;
$S_{on}(t)$ denotes the number of online susceptible hosts at time t;
$\varepsilon_{on}$ denotes the host online rate;
$R_{off}(t)$ denotes the number of worm-immune hosts at time t;
$R_{on}(t)$ denotes the number of worm-immune hosts at time t.
In a preferred embodiment of the present invention, the rate of change of offline hosts with worm protection capability is calculated as follows:
$\mu_{imf}$ denotes the probability that, while offline, a susceptible host becomes an immune host;
$I_{off}(t)$ denotes the number of offline infected hosts at time t;
$\mu_{smf}$ denotes the immunization rate of offline susceptible hosts;
$S_{off}(t)$ denotes the number of offline susceptible hosts at time t;
$\varepsilon_{off}$ denotes the host offline rate;
$R_{on}(t)$ denotes the number of worm-immune hosts at time t;
$\varepsilon_{on}$ denotes the host online rate;
$R_{off}(t)$ denotes the number of worm-immune hosts at time t.
In a preferred embodiment of the present invention, the worm immunity situation is judged against the judgment threshold as follows:
Determine how the threshold compares with 1:
where:
$\mu_d$ denotes the probability that a susceptible host downloads a file;
$\alpha$ denotes the probability that a susceptible host downloads a file from an infected host;
$\beta$ denotes the probability that an infected host downloads a file from a susceptible host;
$\varepsilon_{on}$ denotes the host online rate;
$\mu_{if}$ denotes the host offline rate;
$\mu_{in}$ denotes the probability that the worm file is activated on an online susceptible host;
$\mu_{rf}$ denotes the probability that, while offline, an infected host recovers to a susceptible host;
$\mu_{rn}$ denotes the probability that, while online, an infected host recovers to a susceptible host;
$\varepsilon_{off}$ denotes the host offline rate;
If , then the worm will not spread unchecked on the network, and the worm is immunized;
Otherwise, the worm can spread unchecked on the network, and the worm is not immunized.
In a preferred embodiment of the present invention, the calculation of the rate of change of online susceptible hosts includes the following steps:
S101, at time t, when a susceptible host requests a file from other hosts in the P2P network in order to download it, the probability of choosing an infected host as the download source is , and the probability of downloading a file from an infected host is $\mu_d$, so the probability that a susceptible host comes to carry the worm file through a download is . In one unit of time the $S_{on}(t)$ online susceptible hosts perform $\mu_d S_{on}(t)$ downloads in total, so within one unit of time  susceptible hosts become latent hosts by downloading a file that carries the worm;
S102, when an infected host requests a file, the probability that any given host is selected as the uploading host is , and correspondingly the probability that a host is not selected is . At time t, the susceptible hosts, numbering $I_{on}(t)$, perform $\mu_d I_{on}(t)$ downloads in total; the probability that a host is not selected as the uploading host even once is therefore , and the probability that a host is selected is . The probability that a susceptible host comes to carry the virus itself by uploading a file to an infected host is therefore , which gives the number of hosts that come to carry the virus file and become latent hosts within one unit of time as ;
S103, some online susceptible hosts go offline and become offline susceptible hosts; the number converted to offline susceptible hosts is $\varepsilon_{off} S_{on}$;
S104, some offline hosts come online because they need to transfer files; the number that switch to online hosts is $\varepsilon_{on} S_{off}$;
S105, in addition, some online infected hosts have their virus removed and return to the online susceptible state; the number of hosts that recover is $\mu_{rn} I_{on}$.
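The seven rates of change in S2 and the spread-or-die-out judgment in S3 can be explored numerically; the following Python sketch is an added example, not code from the patent. Its linear flows follow the variable lists given for each rate of change, while the infection term $(\alpha+\beta)\mu_d S_{on} I_{on}/N$, the pairing of $\mu_{imn}$ and $\mu_{imf}$ with infected hosts, and every numeric value are assumptions, and the outcome is checked by integration rather than with the patent's threshold expression.

```python
# Added illustration, not code from the patent.
from dataclasses import dataclass

STATES = ("S_on", "S_off", "E", "I_on", "I_off", "R_on", "R_off")


@dataclass(frozen=True)
class Params:
    # Constructed sample values; they are not taken from the patent's Table 1.
    alpha: float = 0.5     # susceptible host downloads from an infected host
    beta: float = 0.1      # infected host downloads from a susceptible host
    mu_d: float = 0.5      # downloads per host per time unit
    mu_in: float = 0.2     # worm file activated while the host is online
    mu_if: float = 0.05    # worm file activated while the host is offline
    eps_on: float = 0.1    # host online rate
    eps_off: float = 0.1   # host offline rate
    mu_rn: float = 0.05    # online infected -> online susceptible
    mu_rf: float = 0.02    # offline infected -> offline susceptible
    mu_smn: float = 0.0    # immunization rate of online susceptible hosts
    mu_smf: float = 0.0    # immunization rate of offline susceptible hosts
    mu_imn: float = 0.0    # online infected -> immune (assumed pairing)
    mu_imf: float = 0.0    # offline infected -> immune (assumed pairing)


def rates(x, p):
    """Step S2: rate of change of every compartment at the current state."""
    n = sum(x.values())
    s_on, s_off, e = x["S_on"], x["S_off"], x["E"]
    i_on, i_off, r_on, r_off = x["I_on"], x["I_off"], x["R_on"], x["R_off"]
    # ASSUMPTION: mean-field mass-action form for hosts that pick up the worm
    # file through a download in either direction (steps S101 and S102).
    new_latent = (p.alpha + p.beta) * p.mu_d * s_on * i_on / n
    return {
        "S_on": (-new_latent - p.eps_off * s_on + p.eps_on * s_off
                 + p.mu_rn * i_on - p.mu_smn * s_on),
        "S_off": (p.eps_off * s_on - p.eps_on * s_off
                  + p.mu_rf * i_off - p.mu_smf * s_off),
        "E": new_latent - (p.mu_in + p.mu_if) * e,
        "I_on": (p.mu_in * e + p.eps_on * i_off - p.eps_off * i_on
                 - p.mu_rn * i_on - p.mu_imn * i_on),
        "I_off": (p.mu_if * e - p.eps_on * i_off + p.eps_off * i_on
                  - p.mu_rf * i_off - p.mu_imf * i_off),
        "R_on": (p.mu_imn * i_on + p.mu_smn * s_on
                 + p.eps_on * r_off - p.eps_off * r_on),
        "R_off": (p.mu_imf * i_off + p.mu_smf * s_off
                  + p.eps_off * r_on - p.eps_on * r_off),
    }


def simulate(p, x0, t_end=600.0, dt=0.1):
    """Forward-Euler integration; returns the list of visited states."""
    x = dict(x0)
    trajectory = [dict(x)]
    for _ in range(int(round(t_end / dt))):
        d = rates(x, p)
        x = {k: x[k] + dt * d[k] for k in STATES}
        trajectory.append(x)
    return trajectory


def infected(x):
    return x["I_on"] + x["I_off"]


def summarize(p, x0):
    """Peak and final infected counts plus the final total host count."""
    traj = simulate(p, x0)
    return {
        "peak": max(infected(x) for x in traj),
        "final": infected(traj[-1]),
        "total": sum(traj[-1].values()),
    }


# Step S1: constructed initial host counts (10,000 hosts, 10 infected online).
INITIAL = {"S_on": 6000.0, "S_off": 3990.0, "E": 0.0, "I_on": 10.0,
           "I_off": 0.0, "R_on": 0.0, "R_off": 0.0}
NO_IMMUNITY = Params()
WITH_IMMUNITY = Params(mu_smn=0.05, mu_smf=0.02, mu_imn=0.1, mu_imf=0.05)

if __name__ == "__main__":
    for name, p in (("no immunity", NO_IMMUNITY), ("immunity", WITH_IMMUNITY)):
        s = summarize(p, INITIAL)
        verdict = "worm persists" if s["final"] > 1 else "worm dies out"
        print(f"{name}: peak={s['peak']:.0f} final={s['final']:.2f} -> {verdict}")
```

The total host count stays constant throughout, which is assumption (1) of the model, so any drift in that total signals a flow that was entered on only one side.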
In conclusion by adopting the above-described technical solution, the present invention can spread unchecked propagation state progress to network worm Immune prediction, makes defence policies in time.
Additional aspect and advantage of the invention will be set forth in part in the description, and will partially become from the following description Obviously, or practice through the invention is recognized.
Detailed description of the invention
Above-mentioned and/or additional aspect of the invention and advantage will become from the description of the embodiment in conjunction with the following figures Obviously and it is readily appreciated that, in which:
Fig. 1 is P2P Worm Propagation Model warehouse schematic diagram of the present invention.
Fig. 2 is P2P helminth immunity model warehouse schematic diagram of the present invention.
Fig. 3 is each warehouse host number variation schematic diagram of Worm Propagation Model of the present invention.
Fig. 4 is influence schematic diagram of the downloading rate of the present invention to viral transmission.
Fig. 5 is influence schematic diagram of the Vulnerable hosts of the present invention as downloading end probability.
Fig. 6 is influence schematic diagram of the present invention infection host as downloading end.
Fig. 7 is the influence schematic diagram for the probability that worm of the present invention is activated online.
Fig. 8 is the influence schematic diagram of the online recovery rate of worm of the present invention.
Fig. 9 is influence schematic diagram of the online infection Initial master number of the invention to worm propagation.
Figure 10 is influence schematic diagram of the online rate of the present invention to online infection host.
Figure 11 is each warehouse quantity variation schematic diagram of immune model of the present invention.
Figure 12 is immunization rate μ of the present inventionsmnTo the influence schematic diagram of infection host.
Figure 13 is immunization rate μ of the present inventionimnInfluence schematic diagram to online Vulnerable hosts.
Figure 14 is immunization rate μ of the present inventionsmnSchematic diagram is influenced on latent host.
Specific embodiments
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
1. worm propagation modeling analysis
1.1 modeling parameters and hypothesis
According to the actual propagation condition of condition triggering type worm-type virus, in propagation model, the state of host can be divided into Three classes: easy infection host, has infected host at latent host, and realistic Host Status is in Vulnerable hosts and Online and offline two states have been divided again on infection Host Status.And in the state of latent host due to worm-type virus file It has existed and waits a certain condition triggering in host, the simplification of mathematical model is abstracted into order to facilitate practical problem, therefore latent The host of volt state does not divide presence and off-line state.In immune model, host increases immune state, equally examines Immune model is divided on line state under state and line by the problem of considering actual propagation.For further subsequent worm Viral transmission modeling analysis, then will use parameter when modeling and experimental paradigm use value is enumerated in table 1.
1 P2P worm propagation mathematical model parameter of table
Modeling is based on epidemiology and mean field theory, therefore the parameter representative in model built is average value.Verminosis The important propagation parameter μ of poisond, it is mainly used for file-sharing in P2P network, the host data interaction in P2P network is more frequent, compacted The influence of parasitosis poison is bigger.The modeling of P2P worm propagation is to be abstracted into mathematical model by the problem of physical presence, is ground for convenience Study carefully, done the following hypothesis:
(1) The total number of hosts in the P2P network (including both online and offline hosts) does not change.
(2) A host's state transition completes within one unit of time (Time Unit), and multiple state transitions can occur simultaneously within the same unit of time.
(3) The files considered in the model are executable files that can be run directly, including compressed executable files; they may also be media files (video, picture, audio files) into which an executable worm file has been bundled by some technical means.
(4) An online host is connected to the P2P network through P2P software. An offline host has logged out of the P2P software and left the P2P network, but its operating system is still running.
(5) A susceptible host that downloads files from an infected host in the P2P network risks infection. Likewise, when an infected host downloads files from a susceptible host and the P2P software has a vulnerability, malicious code is transferred through the data exchange between the two sides to the susceptible host acting as the download source.
1.2. Host state transition analysis
For condition-triggered P2P worm propagation, analyzing the characteristics of the worm virus readily yields the host state transition diagram (shown in Fig. 1), in which each state is drawn as a circle, the arrowed lines give the direction of state transitions, and the labels on the lines are the transition probabilities. This compartment diagram describes how a P2P worm virus propagates in a P2P network with no immune capability.
(1) Description of host states.
Online susceptible host (S_on): the host runs the P2P client software and has joined the P2P network. It uploads and downloads files and so is at risk of infection; such a host is in the online susceptible state.
Offline susceptible host (S_off): the host is not running the P2P client software and is not in the P2P network. It cannot exchange data with hosts in the P2P network; such a host is in the offline susceptible state.
Latent host (E): the host's P2P shared folder holds at least one file carrying the worm virus (the file has been downloaded to the host, but the worm's trigger condition has not yet been met); the host is in the latent period, with the worm file not yet activated.
Online infected host (I_on): the user is in the P2P network and, because some condition was met, has executed a file carrying the worm virus, so the host is an online infected host.
Offline infected host (I_off): the user has logged out of the P2P network, but the condition for executing the worm virus was likewise triggered, so the host is an offline infected host.
(2) Description of host state transitions.
S_on → E: this change has two causes. Either a susceptible host downloads a file from an infected host and so comes to hold a virus file, or an infected host downloads files from a susceptible host, which leaves that host carrying a virus file. The host then moves from the online susceptible state to the latent state. μ_s in Fig. 1 stands for the overall propagation influence factor; the specific propagation factors are described in the propagation mathematical model in 1.3.
A user who has finished a download or upload task exits the P2P network, i.e. the online susceptible state changes to the offline susceptible state. Likewise, a user who needs to transfer files logs in to the P2P software and enters the P2P network, and the offline susceptible state changes to the online susceptible state.
E → I_on: the host already carries a worm file, the virus is activated because some activation condition is met, and the host is in the P2P network at that moment; the host moves from the latent state to the online infected state.
E → I_off: the host already holds a virus-bearing file and some trigger requirement is met so that the virus is activated, but the host has logged out of the P2P network at that moment; the host moves from the latent state to the offline infected state.
I_on → S_on: on a host that has the worm virus, the infected file is removed and the virus is cleaned manually, which demands a relatively high level of network security knowledge from the user; the host is in the P2P network at that moment, and it moves from the online infected state to the online susceptible state.
When the P2P network user logs in to or out of the P2P network with the P2P software, the host correspondingly changes from offline infected to online infected, or from online infected to offline infected.
I_off → S_off: on a host that has not entered the P2P network, the virus is removed by deleting the virus-carrying file, by manually cleaning the virus, or by the user reinstalling the operating system, but no security protection is put in place; the host moves from the offline infected state to the offline susceptible state.
1.3. Propagation mathematical model
The worm propagation model is studied without considering host immunity. A host can be in the susceptible state S, the latent state E or the infected state I. A host is in exactly one of the three states, and the state transition process is S → E → I → S.
(1) Rate of change of online susceptible hosts
Because the worm is condition-triggered, the virus is activated when some condition is met and then infects the local P2P shared files (infected host). A susceptible host that uploads or downloads files may therefore end up holding a worm file locally; since only hosts in the P2P network can transfer files, an online susceptible host that downloads files may become a latent host carrying a virus file.
At time t, when a susceptible host requests a file from other hosts in the P2P network, the probability that an infected host is chosen as the file download source is , and the probability of downloading the file from the infected host is μ_d, so the probability that one susceptible host comes to carry a worm file through downloading is . In one unit of time the S_on(t) online susceptible hosts perform μ_d S_on(t) downloads in total, so within one unit of time susceptible hosts become latent hosts carrying a worm file through downloading.
When an infected host requests a file, the probability that any one host is selected as the host uploading the file is . Accordingly, the probability that a host is not selected is . At time t the I_on(t) infected hosts perform μ_d I_on(t) downloads in total. Clearly, the probability that a host is never once selected as the uploading host is , so the probability that a host is selected is . The probability that a susceptible host comes to carry the virus itself because it uploads a file to an infected host is therefore . Hence the number of hosts that come to carry a virus file and become latent hosts within one unit of time is .
Of course, in the P2P network some online susceptible hosts still become offline susceptible hosts by going offline; the number converted to offline susceptible hosts is ε_off S_on. Some offline hosts become online hosts because they need to transfer files; the number converted to online hosts is ε_on S_off. In addition, some online infected hosts have the virus removed and return to the online susceptible state; the number of hosts restored is μ_rn I_on.
Combining the factors above that affect the number of online susceptible hosts gives the rate of change of online susceptible hosts:
(2) Rate of change of latent hosts
The inflow to the latent compartment comes from online susceptible hosts whose downloads include virus files. Some latent hosts meet the virus's trigger condition, which activates the virus; the number converted to online infected hosts is μ_in E(t). Some hosts that are offline trigger the virus as well; the number becoming offline infected hosts is μ_if E(t). The rate of change of hosts in the latent period, which have downloaded a file containing the worm virus that is not yet activated, is:
(3) Rate of change of offline susceptible hosts
Because the virus on offline infected hosts is scanned for and removed, some hosts return to the offline susceptible state, their number being μ_rf I_off(t). The rate of change of offline susceptible hosts is:
(4) Rate of change of online infected hosts
From the compartment state transition diagram of Fig. 1, the rate of change of the number of online infected hosts per unit time is:
(5) Rate of change of offline infected hosts
From the compartment transition diagram, the rate of change of the number of offline infected hosts per unit time is:
The system of equations (1)~(5) is the mathematical model of condition-triggered worm propagation.
2. Worm immune model
2.1. P2P worm immune compartments
The most effective way to suppress worm propagation is to write a patch targeting the vulnerability the worm exploits and install it on the hosts in the P2P network, or to install on hosts antivirus software that can recognize the virus signature, identify files carrying the worm, and scan and clean infected hosts. In this case hosts in the P2P network have 7 states: online susceptible host, offline susceptible host, latent host, online infected host, offline infected host, online host with protective capability, and offline host with protective capability.
The immune model extends the propagation model with an online immune state R_on(t) and an offline immune state R_off(t). In a real P2P network, some users of hosts in the susceptible state have a relatively high security awareness and install in advance software that can remove the virus and detect files carrying the worm, so online susceptible hosts and offline susceptible hosts convert with probabilities μ_smn and μ_smf respectively. μ_imn and μ_imf denote the rates at which online and offline infected hosts convert to online immune hosts and offline immune hosts.
2.2. Establishing the immune mathematical model
From the analysis of the compartment diagram of the immune model in 2.1, the immune mathematical model is established as follows:
Rate of change of online susceptible hosts in the worm immune model:
Rate of change of hosts in the latent period in the worm immune model, i.e. hosts that have downloaded the worm but for which the trigger condition is not yet met:
Rate of change of offline susceptible hosts in the worm immune model:
Rate of change of online infected hosts in the worm immune model:
Rate of change of offline infected hosts in the worm immune model:
Rate of change of online hosts with worm protective capability in the worm immune model:
Rate of change of offline hosts with worm protective capability in the worm immune model:
The total number of hosts across the compartments in the worm immune propagation model is denoted M:
M = S_on(t) + S_off(t) + E(t) + I_on(t) + I_off(t) + R_on(t) + R_off(t) (13)
The immune mathematical model of the condition-triggered worm virus consists of equations (6)~(12); equation (13) states the assumption made in this study that the total number of hosts in the whole P2P network stays constant.
3. Worm-free equilibrium condition
The main purpose of establishing the mathematical model of worm propagation here is to predict the trend of worm propagation and then analyze the key factors affecting it, so that, in the period before a patch for the worm virus has been written or before the virus's signature has been added to the antivirus software's virus database, one can tell which specific factors determine the extent of worm propagation and what the condition is under which the worm will not run rampant. The following analysis is based on the main theory of epidemiology.
3.1. Epidemic theory
According to the literature, whether a virus becomes prevalent in a P2P network is determined by the virus's basic reproduction rate (regeneration number) R0. When R0 < 1, the virus soon dies out in the P2P network, and the network is then in a virus-free state. If R0 > 1, the virus gradually spreads in the P2P network until eventually all hosts in the network are infected. For the worm propagation process, a sufficient condition is sought for the P2P network to be in the worm-free equilibrium state: even if new infected hosts appear in the P2P network, as long as the network meets the worm-free equilibrium condition, the worm will not become prevalent or run rampant in the network again. The literature proposes a method for finding the basic reproduction rate (regeneration number): the transfer flows between host states are divided into two kinds, the inflow of newly infected individuals and all other flows, denoted f and v respectively. Differentiating each of the two vectors with respect to each state variable gives the matrices shown below:
f_i and v_i are the i-th components of f and v, where x_i is the i-th state variable with dx_i/dt = f_i(x) - v_i(x), and m is the number of infected state variables. The absolute value of the largest eigenvalue (the spectral radius) of the matrix FV^-1 is the regeneration number R0.
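The regeneration-number method just described, worked through as an added example (not code from the patent): it builds F and V for the infected variables E, I_on and I_off, computes R0 = ρ(FV^-1), and integrates the five-compartment propagation model to show the worm dying out for R0 < 1 and persisting for R0 > 1. The infection terms, the divisor N, the reuse of ε_on and ε_off for infected hosts, the roles given to α and β, and every numeric value are assumptions, because the patent's equations and Table 1 are not reproduced on this page.

```python
# Added illustration. Parameter names follow the page's symbols; the functional
# forms of the infection terms and all numeric values are ASSUMED.
BASE = dict(alpha=0.3, beta=0.2,         # assumed download / upload infection rates
            eps_on=0.3, eps_off=0.2,     # offline->online and online->offline rates
            mu_in=0.1, mu_if=0.05,       # latent -> online / offline infected
            mu_rn=0.1, mu_rf=0.1)        # recovery of online / offline infected

def inverse(m):
    """Gauss-Jordan inverse with partial pivoting for a small dense matrix."""
    n = len(m)
    a = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]

def spectral_radius(k, iters=200):
    """Power iteration; adequate for the non-negative matrix F V^-1 used here."""
    v, rho = [1.0] * len(k), 0.0
    for _ in range(iters):
        w = [sum(x * y for x, y in zip(row, v)) for row in k]
        rho = max(abs(x) for x in w)
        if rho == 0.0:
            return 0.0
        v = [x / rho for x in w]
    return rho

def r0(p):
    """R0 = rho(F V^-1) at the worm-free equilibrium, infected variables (E, I_on, I_off)."""
    s_on_frac = p["eps_on"] / (p["eps_on"] + p["eps_off"])   # S_on / N with no worm
    # New infections enter E only; binomial linearisation of the upload term gives
    # d(new latent)/d(I_on) = mu_d * (alpha + beta) * S_on / N.
    c = p["mu_d"] * (p["alpha"] + p["beta"]) * s_on_frac
    F = [[0.0, c, 0.0], [0.0, 0.0, 0.0], [0.0, 0.0, 0.0]]
    V = [[p["mu_in"] + p["mu_if"], 0.0, 0.0],
         [-p["mu_in"], p["mu_rn"] + p["eps_off"], -p["eps_on"]],
         [-p["mu_if"], -p["eps_off"], p["mu_rf"] + p["eps_on"]]]
    v_inv = inverse(V)
    K = [[sum(F[i][k] * v_inv[k][j] for k in range(3)) for j in range(3)]
         for i in range(3)]
    return spectral_radius(K)

def simulate(p, n=10000.0, i0=10.0, t_end=400.0, dt=0.1):
    """Forward-Euler integration of the assumed five-compartment model."""
    frac = p["eps_on"] / (p["eps_on"] + p["eps_off"])
    s_on, s_off = (n - i0) * frac, (n - i0) * (1.0 - frac)
    e, i_on, i_off = 0.0, i0, 0.0
    for _ in range(round(t_end / dt)):
        # Assumed infection inflow: downloads from infected hosts plus being
        # picked as upload source by one of the mu_d * I_on infected downloads.
        new_e = s_on * (p["mu_d"] * p["alpha"] * i_on / n
                        + p["beta"] * (1.0 - (1.0 - 1.0 / n) ** (p["mu_d"] * i_on)))
        d_s_on = -new_e - p["eps_off"] * s_on + p["eps_on"] * s_off + p["mu_rn"] * i_on
        d_s_off = p["eps_off"] * s_on - p["eps_on"] * s_off + p["mu_rf"] * i_off
        d_e = new_e - (p["mu_in"] + p["mu_if"]) * e
        d_i_on = p["mu_in"] * e - (p["mu_rn"] + p["eps_off"]) * i_on + p["eps_on"] * i_off
        d_i_off = p["mu_if"] * e - (p["mu_rf"] + p["eps_on"]) * i_off + p["eps_off"] * i_on
        s_on += dt * d_s_on
        s_off += dt * d_s_off
        e += dt * d_e
        i_on += dt * d_i_on
        i_off += dt * d_i_off
    return dict(S_on=s_on, S_off=s_off, E=e, I_on=i_on, I_off=i_off)

def infected(state):
    """Hosts holding the worm: latent plus online and offline infected."""
    return state["E"] + state["I_on"] + state["I_off"]

if __name__ == "__main__":
    for mu_d in (0.3, 2.0):                       # constructed download rates
        p = dict(BASE, mu_d=mu_d)
        print(f"mu_d={mu_d}: R0={r0(p):.3f}, infected at end={infected(simulate(p)):.1f}")
```

Because new infections enter only the latent compartment, FV^-1 has a single non-zero row, so R0 here is the download-driven infection rate multiplied by the expected time a newly latent host later spends online and infected.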
3.2. Condition under which the worm will not run rampant
Theorem: according to the proposed condition-triggered worm propagation model and the main theory of epidemiology, when the sufficient condition for worm propagation
holds, the worm will not run rampant in the P2P network.
The state variables of condition-triggered worm propagation fall into 3 classes, E(t), I_on(t) and I_off(t), i.e. the value of m in the previous subsection is 3; from equations (2), (4) and (5) of the propagation model we obtain:
When the P2P network is in the worm-free equilibrium state, the state of each compartment changes as follows:
and the numbers of hosts carrying virus files or infected are:
I_on(t) = I_off(t) = E(t) = 0 (17)
In the P2P worm propagation model, the total number of hosts across the compartments is constant.
N = S_on(t) + S_off(t) + E(t) + I_on(t) + I_off(t) (18)
From the two formulas above, the total number of hosts making up the P2P network in the worm-free equilibrium state is:
N = S_on(t) + S_off(t) (19)
Combining the formulas above gives the numbers of online susceptible hosts and offline susceptible hosts:
To simplify the subsequent calculation, the formula is simplified:
From
expanding with Newton's binomial theorem,
we therefore obtain
Differentiating with respect to I_on(t) gives the following result:
Differentiating the vectors f and v with respect to E(t), I_on(t) and I_off(t) gives:
When the worm is at the equilibrium state, substituting the parameters gives the following result:
From the matrix V obtained after differentiation, V^-1 is solved, with the following result:
R0 = ρ(FV^-1), where ρ(FV^-1) denotes the eigenvalue of largest absolute value of the matrix product FV^-1, which is R0.
According to the literature, the sufficient condition for the worm not to run rampant is:
4. Simulation analysis
4.1. Experimental verification of the sufficient condition for the worm not to run rampant
Figs. 3~10 below are used to verify whether the derived sufficient condition for the worm not to run rampant is correct. Fig. 1 shows how the host numbers of all compartments of the propagation model change; since R0 is greater than 1, the condition for the worm to run rampant is met. According to the trend in the figure, as online susceptible users download files, susceptible hosts are quickly converted into hosts carrying virus files. After the number of hosts carrying virus files peaks, hosts that meet the trigger condition become online or offline infected hosts; the worm virus then gradually spreads in the network and finally reaches the equilibrium state of worm propagation. Figs. 4~10 analyze how different factors change, over time, the number of virus-bearing hosts in the P2P network (online and offline infected hosts and latent hosts carrying virus files). Figs. 4, 5, 6 and 8 show how different influence factors change the hosts containing the worm virus in the network; it is easy to see that when R0 < 1 the hosts containing the virus gradually decrease until they finally disappear. When R0 is very close to 1, the number of worms in the network stays in balance. When R0 > 1, the worm begins to spread in the network. This shows that the condition derived here for the worm not to run rampant is correct.
Fig. 3 shows how the number of hosts in each state changes in the P2P network. Because online and offline susceptible hosts download or upload, they come to hold files containing the worm virus locally; under the right conditions the virus hidden in the file is triggered, and the number of infected hosts (I_off(t) and I_on(t) in the figure) begins to increase. Since the number of hosts in the P2P network is assumed to be fixed, as infected hosts increase the numbers of latent and susceptible hosts decrease; after a period of time the infected hosts reach an equilibrium state in the network. And since R0 > 1, the worm virus does not disappear from the network.
The download rate is an important factor in whether the worm virus can run rampant in the network. A worm usually disguises itself as a normal file or is bundled with one, and it propagates through file sharing; data interaction between hosts in a P2P network is mainly file upload and download. The more often hosts in the network download, the more likely they are to download a file carrying the virus. Fig. 4 shows the effect of different values of the download factor on the number of hosts holding virus files: with the other factors unchanged, a larger value indirectly increases the number of infected hosts, whereas when the value is below a certain level, i.e. R0 < 1, the worm does not run rampant in the network.
An online susceptible host downloads files from an online infected host or a latent host (whose P2P shared folder contains a virus file); if the downloaded files include a virus-bearing file, the downloading host converts to the latent state, and the worm, triggered under the appropriate condition, moves it to the infected state. Fig. 5 shows that, with the other P2P parameters unchanged, a larger value of the α parameter (range 0-1) leads to more infected hosts. It is likewise bounded by the condition for the worm to run rampant: when the value gives R0 < 1, the worm does not run rampant in the network.
Like the α factor, the β factor describes an online infected host, acting as the downloading end, downloading files from an online susceptible host. With the other influence parameters held unchanged under the same conditions, a larger β (range 0-1) increases the number of infected hosts in the network and meets the sufficient condition for the worm to run rampant.
Once the virus in a latent host meets some condition it is activated, and the host becomes an online infected host or an offline infected host (virus trigger conditions vary; the most typical is the user opening a virus-bearing file, which activates the virus, and the worm may be activated whether or not the host is logged in to the P2P network). The influence factor is μ_in; the larger its value, the more online infected hosts there are in the network.
The user of an infected host who has network security knowledge can remove the virus manually, or reinstall the operating system, so that the host returns from the infected state to the susceptible state. Fig. 8 shows the influence factor μ_rn, with which the online infected state returns to the online susceptible state. The larger μ_rn (range 0-1), the more hosts recover and the fewer infected hosts there are; when the value is small to a certain degree the worm's equilibrium condition is met, i.e. R0 < 1 and the worm does not run rampant in the network.
In the worm propagation model of the P2P network, the initial number of infected hosts does not affect the condition for the worm to run rampant. In the proven result, expression (14) contains no factor related to I, and Fig. 9 shows that the value of I only affects the speed at which the worm propagates in the network.
The online rate and offline rate indicate whether hosts are in the P2P network. Analysis of Fig. 1 shows that when online susceptible hosts increase, more hosts upload or download files in the network and are then infected after a latent period. Fig. 10 shows the effect of the online rate on online infected hosts: the larger the online rate, with the other factors unchanged, the more latent hosts there are, which indirectly increases the number of online infected hosts.
4.2. Influence of P2P parameters on worm propagation
Figs. 4~10 show that the download rate has the most evident effect on the number of online infected hosts, so its influence on the degree to which the worm runs rampant in the network (the ratio of the total number of infected hosts at equilibrium to the total number of hosts in the network) is the greatest. Next come the online and offline worm activation rates, then the recovery rate of infected hosts, and lastly, with the smallest influence, the online rate and offline rate of hosts. The reason is that the online rate or offline rate indicates whether a host enters the P2P network and mainly affects online infected hosts, so it has some influence on virus propagation in the network; in practice, however, the online rate and offline rate fluctuate very little during a worm outbreak, so their influence is smaller than that of the other factors. The number of initially infected hosts also has a small effect on the degree of virus spread: the expression for the worm equilibrium condition does not contain this factor, but it affects the speed of worm propagation. When R0 > 1, if the network has relatively many infected hosts, the equilibrium state is reached in a very short time; conversely, if there are few initially infected hosts, it takes a much longer time to reach the equilibrium state.
Table 2. R0 values for the experiments of Figs. 3~8
Table 2 and Figs. 3~10 show that propagation has one more important parameter, R0, which does more than indicate whether the worm runs rampant in the network. When R0 > 1, a larger value means the worm propagates faster in the network, and a smaller value means it propagates more slowly. When R0 < 1, i.e. the worm does not run rampant, a larger R0 means the worm takes longer to disappear from the network, and a smaller R0 means it disappears sooner.
4.3. Worm propagation control
Worm virus propagation is influenced by the download rate, download infection rate, upload infection rate, recovery rate (online and offline), virus trigger rate (online and offline), offline rate and online rate. Of these, the download rate, recovery rate, virus trigger rate, online rate and offline rate are five parameters that users can control, so when no patch for the vulnerability has been released yet, or antivirus software has not extracted the virus signature in time, effective control of these five parameters can slow the virus's propagation in the network. They are analyzed one by one below.
The recovery rate can significantly reduce the worm's ability to propagate in the network. In practice there are two ways to raise the recovery rate: when a host has caught the worm virus, the user either reinstalls the operating system or removes the worm manually. Both are of low feasibility: reinstalling the operating system may lose some files and leave the host unable to work normally, while manual removal is more demanding and requires the user to have antivirus knowledge, which is hard for anyone but a professional.
The download rate is the most critical factor affecting worm propagation, since most data interaction in a P2P network is file downloading. For a condition-triggered worm, greatly reducing the file download rate in the network effectively reduces the number of latent hosts and so effectively contains the worm's propagation. P2P network topologies fall into three types: fully distributed unstructured P2P networks, centralized structured P2P networks, and hybrid topologies. Gnutella, for example, is a fully distributed unstructured P2P network and is very open; to lower its download rate one can only warn users through network announcements that a worm is present in the network, which has little effect, because during the outbreak stage many users do not know the worm exists at all. Even users who know that the network contains a worm and consciously download less may not stop the virus from spreading. eDonkey has a different topology from Gnutella: it has central nodes that index resources, so controlling the resource list address to stop users querying resources reduces the file download rate. Hybrid topology networks can likewise limit file downloads by restricting access to the resource list.
Many conditions may trigger the virus, but the most common is that a virus-bearing file has been downloaded locally and opening it triggers the worm. During a worm outbreak, downloaded files are best not opened directly but first tested in a dedicated sandbox environment before use. A worm's trigger condition is not always as simple as opening a file, however; the worm may trigger when it detects that the host is unattended, in order to stay concealed. Controlling the trigger condition therefore controls worm propagation only partially.
The online rate and offline rate can be controlled, but the effect is only partial: a host must be online to download files, so controlling the host's online rate can promptly keep the host from entering the P2P network to download and upload files, but at the cost of losing file sharing.
The analysis above shows that worm propagation is fast and has a short cycle; the best time to control it is the initial stage of the outbreak, when there are few infected hosts and prevention and control are still timely. But a condition-triggered worm is comparatively covert and not easily detected: it is activated only when its condition is met, and users become alert only once the worm has begun to spread and run rampant in the network, by which time the measures above have limited effect.
4.4. Worm immune model simulation
Simulating the established mathematical immune model of the worm virus under realistic conditions gives Fig. 11, which shows how the numbers of hosts in the different states change in a P2P network with immune capability; after a period of time the hosts in the network are finally immune to the worm. Figs. 12~14 show the effect of a single influence factor on infected hosts; the factors μ_smn and μ_imn in two of the figures clearly affect the number of infected hosts and are the key factors for host immunity in the immune model. Fig. 14 shows the effect of μ_smn on the number of latent hosts carrying the file: a host can become latent only through an online susceptible host downloading or uploading a file, and μ_smn can only change the number of online susceptible hosts, thereby indirectly changing the number of latent hosts.
Fig. 11 shows how the number of hosts in each state changes in a P2P network with an immune mechanism. After a host catches the worm, antivirus software can recognize the virus's signature and promptly remove the files carrying the worm and the worm itself. The changes in the figure show online susceptible hosts and offline susceptible hosts decreasing; infected hosts whose users have stronger security awareness install antivirus software with a signature database and move directly from the infected state to the immune state. From the graph, few hosts have antivirus software installed in advance, so few hosts are immune at the start. As files are shared and data is exchanged in the P2P network, the number of latent hosts reaches its peak; then, as the virus's conditions trigger, hosts begin to turn into infected hosts, which in turn reach their peak. The virus's spread draws attention, a patch is produced for it and its signature is added to the virus database for antivirus software to identify and remove; as the infected hosts fade away the number of immune hosts rises, and finally all hosts in the network are immune to the worm.
Immunization rate μsmnIt is to be converted to immune Host Status online after online Vulnerable hosts have immunocompetence.Pass through figure 12 it can be seen that immunization rate μsmnValue (0-1 range) is bigger, has infected the quantity of host peak value online with regard to smaller, simultaneously because Online Vulnerable hosts and offline easy infection host are mutually converted, and the quantity of offline host peak value is caused also to be followed by reduction.Exempting from In epidemic disease model, as the immunocompetence of host increases, finally infects host and disappear in a network.
μimnIt is the immunization rate for the state for having infected Host Status online to online immune host.And immunization rate size is Directly online infection host peak value is impacted, immunization rate μimnIt is worth bigger (value is in 0-1 range), then corresponding online Having infected host number peak value will be smaller.
Immunization rate μsmnIt is the indirect influence on latent host.The conversion of latent Host Status is by under online Vulnerable hosts It carries caused by containing virulent file, and immunization rate μsmnOnline Vulnerable hosts are directly affected, when online Vulnerable hosts quantity It reduces, other P2P parameter constants, hiding host at this time also can be with reduction.As can be seen from Figure 14 as immunization rate μsmnIt is worth (value 0-1 Range) it is bigger when, the quantity of latence host is reduced.
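The dependence of the peaks on μsmn described above can be reproduced numerically. The following Python simulation is an added example, not code from the patent: its linear flows follow the symbol lists of claims 2 to 8, while the two infection terms (modelled on steps S101 and S102), the online-host count `n_on`, and every parameter value and initial host count are assumptions, because the formulas themselves are not reproduced on this page.

```python
# Added illustration (not from the patent): seven-state P2P worm model.
# Linear flows follow the symbol lists of claims 2-8. The two infection
# terms, n_on and every numeric value below are ASSUMED for the example.
PARAMS = dict(alpha=0.5, beta=0.3, mu_d=0.8, eps_on=0.2, eps_off=0.1,
              mu_in=0.3, mu_if=0.1, mu_rn=0.05, mu_rf=0.05,
              mu_smn=0.05, mu_smf=0.02, mu_imn=0.1, mu_imf=0.05)
Y0 = [600.0, 0.0, 390.0, 10.0, 0.0, 0.0, 0.0]  # constructed: S_on,E,S_off,I_on,I_off,R_on,R_off

def derivs(y, p):
    """Rates of change of the seven host states."""
    s_on, e, s_off, i_on, i_off, r_on, r_off = y
    n_on = max(s_on + e + i_on + r_on, 1.0)  # assumed pool of reachable peers
    # Assumed forms: download from an infected peer (cf. S101) and
    # serving an upload to an infected peer (cf. S102).
    by_download = p["alpha"] * p["mu_d"] * s_on * i_on / n_on
    by_upload = p["beta"] * s_on * (1 - (1 - 1 / n_on) ** (p["mu_d"] * i_on))
    new_e = by_download + by_upload
    return [
        -new_e - (p["eps_off"] + p["mu_smn"]) * s_on
        + p["eps_on"] * s_off + p["mu_rn"] * i_on,
        new_e - (p["mu_in"] + p["mu_if"]) * e,
        p["eps_off"] * s_on + p["mu_rf"] * i_off
        - (p["eps_on"] + p["mu_smf"]) * s_off,
        p["mu_in"] * e + p["eps_on"] * i_off
        - (p["eps_off"] + p["mu_rn"] + p["mu_imn"]) * i_on,
        p["mu_if"] * e + p["eps_off"] * i_on
        - (p["eps_on"] + p["mu_rf"] + p["mu_imf"]) * i_off,
        p["mu_smn"] * s_on + p["mu_imn"] * i_on
        + p["eps_on"] * r_off - p["eps_off"] * r_on,
        p["mu_smf"] * s_off + p["mu_imf"] * i_off
        + p["eps_off"] * r_on - p["eps_on"] * r_off,
    ]

def simulate(p, y0=Y0, t_end=200.0, dt=0.05):
    """Classical RK4; returns (final state, peak I_on, peak E)."""
    y, peak_i, peak_e = list(y0), y0[3], y0[1]
    for _ in range(int(t_end / dt)):
        k1 = derivs(y, p)
        k2 = derivs([a + dt / 2 * k for a, k in zip(y, k1)], p)
        k3 = derivs([a + dt / 2 * k for a, k in zip(y, k2)], p)
        k4 = derivs([a + dt * k for a, k in zip(y, k3)], p)
        y = [a + dt / 6 * (b + 2 * c + 2 * d + f)
             for a, b, c, d, f in zip(y, k1, k2, k3, k4)]
        peak_i, peak_e = max(peak_i, y[3]), max(peak_e, y[1])
    return y, peak_i, peak_e

def sweep(rates=(0.0, 0.1, 0.3, 0.6)):
    """(mu_smn, peak I_on, peak E) for each immunization rate."""
    return [(r,) + simulate(dict(PARAMS, mu_smn=r))[1:] for r in rates]

if __name__ == "__main__":
    for rate, peak_i, peak_e in sweep():
        print(f"mu_smn={rate:.1f} peak I_on={peak_i:6.1f} peak E={peak_e:6.1f}")
```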
Although embodiments of the present invention have been shown and described, those skilled in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principle and purpose of the present invention; the scope of the invention is defined by the claims and their equivalents.

Claims (10)

1. A nonlinear dynamics P2P network worm immune prediction method, characterized by comprising the following steps:
S1: obtain the number of hosts in each state that the worm has produced in the network at the initial time, and the number of hosts in each state after time t; wherein the hosts in different states comprise one or any combination of online susceptible hosts, latent hosts, offline susceptible hosts, online infected hosts, offline infected hosts, online hosts with worm protection capability, and offline hosts with worm protection capability;
S2: calculate the rate of change of the hosts in each state from the obtained data; wherein the rates of change of the hosts in different states comprise one or any combination of the rate of change of online susceptible hosts, the rate of change of latent hosts, the rate of change of offline susceptible hosts, the rate of change of online infected hosts, the rate of change of offline infected hosts, the rate of change of online hosts with worm protection capability, and the rate of change of offline hosts with worm protection capability;
S3: from the calculated data, judge the worm immunity situation by means of a data judgment threshold.
2. The nonlinear dynamics P2P network worm immune prediction method according to claim 1, characterized in that the rate of change of online susceptible hosts is calculated as follows:
Wherein:
α denotes the probability that a susceptible host downloads a file from an infected host;
μd denotes the probability that a susceptible host downloads a file;
Son(t) denotes the number of online susceptible hosts at time t;
Ion(t) denotes the number of online infected hosts at time t;
E(t) denotes the number of latent hosts at time t;
β denotes the probability that an infected host downloads a file from a susceptible host;
εon denotes the host online rate;
Soff(t) denotes the number of offline susceptible hosts at time t;
εoff denotes the host offline rate;
μrn denotes, in the online case, the probability that an infected host recovers to a susceptible host;
μsmn denotes the immunization rate of online susceptible hosts.
3. The nonlinear dynamics P2P network worm immune prediction method according to claim 1, characterized in that the rate of change of latent hosts is calculated as follows:
Wherein:
α denotes the probability that a susceptible host downloads a file from an infected host;
μd denotes the probability that a susceptible host downloads a file;
Son(t) denotes the number of online susceptible hosts at time t;
Ion(t) denotes the number of online infected hosts at time t;
E(t) denotes the number of latent hosts at time t;
β denotes the probability that an infected host downloads a file from a susceptible host;
μif denotes the probability that the worm virus file is activated on an offline susceptible host;
μin denotes the probability that the worm virus file is activated on an online susceptible host.
4. The nonlinear dynamics P2P network worm immune prediction method according to claim 1, characterized in that the rate of change of offline susceptible hosts is calculated as follows:
εoff denotes the host offline rate;
Son(t) denotes the number of online susceptible hosts at time t;
εon denotes the host online rate;
Soff(t) denotes the number of offline susceptible hosts at time t;
μrf denotes, in the offline case, the probability that an infected host recovers to a susceptible host;
Ioff(t) denotes the number of offline infected hosts at time t;
μsmf denotes the immunization rate of offline susceptible hosts.
5. The nonlinear dynamics P2P network worm immune prediction method according to claim 1, characterized in that the rate of change of online infected hosts is calculated as follows:
Wherein:
μin denotes the probability that the worm virus file is activated on an online susceptible host;
E(t) denotes the number of latent hosts at time t;
εon denotes the host online rate;
Ioff(t) denotes the number of offline infected hosts at time t;
εoff denotes the host offline rate;
Ion(t) denotes the number of online infected hosts at time t;
μrn denotes, in the online case, the probability that an infected host recovers to a susceptible host;
μimn denotes, in the online case, the probability that a susceptible host becomes an immune host.
6. The nonlinear dynamics P2P network worm immune prediction method according to claim 1, characterized in that the rate of change of offline infected hosts is calculated as follows:
Wherein:
μif denotes the probability that the worm virus file is activated on an offline susceptible host;
E(t) denotes the number of latent hosts at time t;
εon denotes the host online rate;
Ioff(t) denotes the number of offline infected hosts at time t;
εoff denotes the host offline rate;
Ion(t) denotes the number of online infected hosts at time t;
μrf denotes, in the offline case, the probability that an infected host recovers to a susceptible host;
μimf denotes, in the offline case, the probability that a susceptible host becomes an immune host.
7. The nonlinear dynamics P2P network worm immune prediction method according to claim 1, characterized in that the rate of change of online hosts with worm protection capability is calculated as follows:
Wherein:
μimn denotes, in the online case, the probability that a susceptible host becomes an immune host;
Ion(t) denotes the number of online infected hosts at time t;
μsmn denotes the immunization rate of online susceptible hosts;
Son(t) denotes the number of online susceptible hosts at time t;
εon denotes the host online rate;
Roff(t) denotes the number of worm-immune hosts at time t;
Ron(t) denotes the number of worm-immune hosts at time t.
8. The nonlinear dynamics P2P network worm immune prediction method according to claim 1, characterized in that the rate of change of offline hosts with worm protection capability is calculated as follows:
μimf denotes, in the offline case, the probability that a susceptible host becomes an immune host;
Ioff(t) denotes the number of offline infected hosts at time t;
μsmf denotes the immunization rate of offline susceptible hosts;
Soff(t) denotes the number of offline susceptible hosts at time t;
εoff denotes the host offline rate;
Ron(t) denotes the number of worm-immune hosts at time t;
εon denotes the host online rate;
Roff(t) denotes the number of worm-immune hosts at time t.
9. The nonlinear dynamics P2P network worm immune prediction method according to claim 1, characterized in that, in step S3, the method of judging the worm immunity situation by means of the data judgment threshold is as follows:
Judge the size relation between and 1:
Wherein:
μd denotes the probability that a susceptible host downloads a file;
α denotes the probability that a susceptible host downloads a file from an infected host;
β denotes the probability that an infected host downloads a file from a susceptible host;
εon denotes the host online rate;
μif denotes the host offline rate;
μin denotes the probability that the worm virus file is activated on an online susceptible host;
μrf denotes, in the offline case, the probability that an infected host recovers to a susceptible host;
μrn denotes, in the online case, the probability that an infected host recovers to a susceptible host;
εoff denotes the host offline rate;
If , then the worm will not spread unchecked on the network, and the worm is immunized against;
Otherwise, the worm can spread unchecked on the network, and the worm is not immunized against.
10. The nonlinear dynamics P2P network worm immune prediction method according to claim 2, characterized in that the calculation of the rate of change of online susceptible hosts comprises the following steps:
S101: at time t, when a susceptible host requests a file download from the other hosts of the P2P network, the probability that an infected host is chosen as the file download source is , and the probability of downloading a file from the infected host is μd; therefore the probability that a susceptible host comes to carry the worm virus file through downloading is . In one unit of time, the Son(t) online susceptible hosts perform μdSon(t) downloads in total, so within one unit of time a total of susceptible hosts become latent hosts carrying the worm virus file through downloading;
S102: when an infected host requests a file, the probability that any one host is selected as the uploading host is ; accordingly, the probability that the host is not selected is . At time t, the Ion(t) hosts perform μdIon(t) download tasks in total; so the probability that a host is not selected as the uploading host even once is , and the probability that a host is selected is then . The probability that a susceptible host comes to carry the virus itself because it uploads a file to an infected host is therefore , which gives the number of hosts that become latent hosts carrying the virus file within one unit of time as ;
S103: some online susceptible hosts also go offline and become offline susceptible hosts; the number converted to offline susceptible hosts is εoffSon;
S104: some offline hosts become online hosts because of the demand for file transfer; the number that switch to online hosts is εonSoff;
S105: in addition, some online infected hosts return to the online susceptible state because the virus on them has been removed; the number of hosts restored is μrnIon.
CN201910462524.5A 2019-05-30 2019-05-30 Nonlinear dynamics P2P network worm immune prediction method Active CN110191127B (en)

Publications (2)

Publication Number Publication Date
CN110191127A true CN110191127A (en) 2019-08-30
CN110191127B CN110191127B (en) 2020-06-02

Also Published As

Publication number Publication date
CN110191127B (en) 2020-06-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220727

Address after: 510000 room 2216-2218, No. 48, Kexue Avenue, Huangpu District, Guangzhou, Guangdong Province (office only)

Patentee after: Guangzhou Chengxiang Computer Co.,Ltd.

Address before: No.69 Hongguang Avenue, Banan District, Chongqing

Patentee before: Chongqing University of Technology