Nowadays, P2P network traffic accounts for 60% of Internet bandwidth, and the hidden security issues arising from it are steadily increasing. A proactive P2P worm can propagate through a P2P network via all kinds of security holes; it attacks some or all of the neighbors of an infected node directly, using the neighbor information that node already holds. Compared with a random-scanning worm, it need not find targets by probing randomly generated IP addresses, and it does not generate many connection failures. Thus it achieves faster and more concealed propagation, and it is more difficult to detect and defend against. The proactive P2P worm has become one of the most serious security threats restricting the development of P2P network applications.

A discrete recursive propagation model of the proactive P2P worm (P2P Worm Discrete Recursive Model, PWDRM) is constructed. Since the propagation of a proactive P2P worm is a dynamic process, the model analyzes the state and behavior of each node at every discrete moment, derives the relation between the numbers of infected nodes at neighboring moments, and thereby builds a recursive mathematical model. The model introduces P2P network parameters such as network size, node online probability, node vulnerable probability, and node topological degree, as well as worm parameters such as attack rate and hit-list size. It especially considers other factors that may affect the propagation of a proactive P2P worm, such as topology type, average topological degree of nodes, the power-law exponent of an unstructured P2P network, infection tactics, the topological degree of hit-list nodes, and the neighbor node selection strategy. Simulations indicate that the model describes the propagation of a proactive P2P worm effectively in both unstructured and structured P2P networks, and that it reflects real propagation more closely than the existing topological epidemic differential model.

Network-based detection methods against the proactive P2P worm that leverage application-level knowledge are proposed. 1) Connection Change-point based Detection (CCD) method. It uses a random sequence to denote the total number of connections with distinct source-destination pairs, and applies sequential change detection theory to perform statistical detection on the data stream. 2) Abnormal Multicast based Detection (AMD) method. It constructs the multicast tree of the proactive P2P worm, treats the propagation as a Poisson process, and detects the abnormal multicast phenomenon that may appear in order to find the worm. Moreover, it can also defend against the proactive P2P worm by blocking the worm multicast behavior of infected nodes. Simulations indicate that the above methods can find a proactive P2P worm in a short time and contain its propagation.

Defense strategies, defense methods, and a defense system framework are proposed. 1) Selective Static Immunization (SSI) method. It slows down or contains the propagation of a proactive P2P worm by statically immunizing part of the nodes. 2) Key Node based Local Containment (KNLC) method. It uses a multilevel k-way partitioning algorithm to divide the P2P network into a number of areas of nearly equal size, and immunizes the key nodes (nodes that worm propagation between different areas has to go through). Worm propagation is then contained within these areas, and the other areas are isolated from it. Moreover, the key node selection algorithm can be used to choose the nodes that should be statically immunized. 3) Connected Dominating Set based Dynamic Immunization (CDSDI) method. It constructs a connected dominating set of the P2P network and pushes the vaccine to some nodes in that set for rapid dissemination through the P2P network. Simulations indicate that SSI is quite effective for unstructured P2P networks when an appropriate node selection strategy is adopted, and that KNLC and CDSDI outperform the baseline method and are tolerant to topology changes of the P2P network. 4) A defense system framework against the proactive P2P worm is designed. The system is composed of security servers, volunteer key nodes, and volunteer nodes of the connected dominating set. The worm detection component is deployed on the statically immunized volunteer key nodes; the security server generates a vaccine according to the detection report and pushes it to the volunteer nodes of the connected dominating set. The vaccine is then disseminated to normal nodes by those volunteer nodes, and the framework defends against the proactive P2P worm systematically.
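As an added illustration of the CCD idea (example code written for this page, not the dissertation's own implementation, whose exact statistic the abstract does not give), the following Python counts distinct source-destination pairs per interval over constructed flow records and applies a one-sided CUSUM, one standard sequential change detection test, to flag the interval where the count jumps. The one-second bucketing, the training window, and the thresholds `k` and `h` are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (second, src, dst), not real traffic.
# Seconds 0-5: two ordinary peer connections. From second 6 an infected node
# (10.0.0.9) opens connections to a growing set of overlay neighbours, the
# pattern a proactive P2P worm produces when it works through its neighbour list.
NORMAL_FLOWS = [(t, "10.0.0.1", "10.0.0.2") for t in range(6)] + \
               [(t, "10.0.0.3", "10.0.0.4") for t in range(6)]
WORM_FLOWS = [(t, "10.0.0.9", f"10.0.1.{i}") for t in range(6, 10) for i in range(3 * t)]


def distinct_pairs_per_interval(flows, interval=1):
    """Count distinct (src, dst) pairs in each fixed-length time interval."""
    buckets = defaultdict(set)
    for t, src, dst in flows:
        buckets[t // interval].add((src, dst))
    if not buckets:
        return []
    return [len(buckets[i]) for i in range(max(buckets) + 1)]


def cusum_alarm(counts, train=4, k=1.0, h=4.0):
    """One-sided CUSUM over per-interval counts.

    Baseline mean/std come from the first `train` intervals (assumed clean).
    The running sum adds each later count's standardized excess minus slack k,
    clipped at zero; an alarm fires when it exceeds h. Returns the index of
    the alarming interval, or None.
    """
    if len(counts) <= train:
        return None
    base = counts[:train]
    mu = sum(base) / train
    sigma = (sum((x - mu) ** 2 for x in base) / train) ** 0.5
    sigma = max(sigma, 1.0)  # floor so a constant baseline cannot divide by zero
    s = 0.0
    for i in range(train, len(counts)):
        s = max(0.0, s + (counts[i] - mu) / sigma - k)
        if s > h:
            return i
    return None


if __name__ == "__main__":
    counts = distinct_pairs_per_interval(NORMAL_FLOWS + WORM_FLOWS)
    print("distinct pairs per second:", counts)
    print("CUSUM alarm at second:", cusum_alarm(counts))  # prints 6
```

On real traffic the baseline would be re-estimated over a much longer clean window, and the slack and threshold tuned against the false-alarm rate the operator can tolerate.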