Journal of Computer Applications (official website) ›› 2022, Vol. 42 ›› Issue (7): 2125-2131. DOI: 10.11772/j.issn.1001-9081.2021040625

• Cyberspace Security •

Malware propagation model based on characteristic behavior detection in P2P networks (translated from the Chinese)

LI Hanlun, REN Jianguo

  1. School of Wisdom Education, Jiangsu Normal University, Xuzhou, Jiangsu 221116, China
  • Received: 2021-04-20 Revised: 2021-07-11 Accepted: 2021-07-14 Online: 2022-07-15 Published: 2022-07-10
  • Corresponding author: REN Jianguo
  • About the author: LI Hanlun, born in 1993 in Xuzhou, Jiangsu, male, M.S. candidate. His research interests include propagation models and complex networks.
  • Supported by:
    Natural Science Foundation of Jiangsu Province (BK20201462)

Malware propagation model based on characteristic behavior detection in P2P networks

Hanlun LI, Jianguo REN

  1. School of Wisdom Education, Jiangsu Normal University, Xuzhou, Jiangsu 221116, China
  • Received:2021-04-20 Revised:2021-07-11 Accepted:2021-07-14 Online:2022-07-15 Published:2022-07-10
  • Contact: Jianguo REN
  • About author: LI Hanlun, born in 1993, M. S. candidate. His research interests include propagation models and complex networks.
  • Supported by:
    Natural Science Foundation of Jiangsu Province(BK20201462)

Abstract (translated from the Chinese):

To address the problem that existing malware propagation models in peer-to-peer (P2P) networks lack real-time detection of new malware and a mechanism for dynamically sharing prevention and control information between nodes, a class of detection-propagation models was established based on malware characteristic behavior detection technology. First, broadcast nodes were introduced on the basis of the classic Susceptible-Infected-Recovered (SIR) propagation model (a broadcast node is a special node that generates prevention and control information after successfully detecting a file containing malware and keeps sending this message to its neighbor nodes). With broadcast nodes, the model not only effectively reduces the risk of a node itself being infected through detection, but also blocks the propagation of malware in the network by dynamically sharing malware information between nodes. Then, the equilibrium points were calculated and the propagation threshold of the model was obtained by next-generation matrix theory. Finally, the local and global stability of the model's equilibrium point were proved by the Hurwitz criterion and by constructing a Lyapunov function. Experimental results show that when the propagation threshold is less than 1, compared with the degraded SIR model, the proposed detection-propagation model reduces the total number of infected nodes at the peak by 41.37%, 48.23% and 48.64% when the detection rate is 0.5, 0.7 and 0.9 respectively. Thus the detection-propagation model based on characteristic behavior detection can curb the rapid early-stage propagation of malware in the network, and the higher the detection rate, the better the containment effect.

Key words: malware, peer-to-peer network, real-time detection, characteristic behavior, local stability, global stability

Abstract:

Concerning the problem that existing malware propagation models in Peer-to-Peer (P2P) networks lack a mechanism for real-time detection of new malware and for dynamic sharing of prevention and control information between nodes, a detection-propagation model was established based on malware characteristic behavior detection technology. Firstly, based on the classic Susceptible-Infected-Recovered (SIR) propagation model, broadcast nodes were introduced (a broadcast node is a special node that generates prevention and control information after successfully detecting a file containing malware and continuously sends this message to its neighbor nodes). With broadcast nodes, the model can effectively reduce the risk of nodes themselves being infected through detection technology, and can restrain the spread of malware by dynamically sharing malware information between nodes in the network. Then, the equilibrium point was calculated and the propagation threshold of the model was obtained by next-generation matrix theory. Finally, the local stability and global stability of the equilibrium point of the model were proved by the Hurwitz criterion and by constructing a Lyapunov function. Experimental results show that when the propagation threshold is less than 1, compared with the degraded SIR model, the proposed detection-propagation model decreases the total number of infected nodes at the peak point by 41.37%, 48.23% and 48.64% under detection rates of 0.5, 0.7 and 0.9 respectively. Therefore, the detection-propagation model based on characteristic behavior detection technology can restrain the rapid propagation of malware in the network in the early stage, and the higher the detection rate, the better the containment effect.

Key words: malware, Peer-to-Peer (P2P) network, real-time detection, characteristic behavior, local stability, global stability

CLC number: