Today, diverse propagation paths and complicated application environments provide favorable conditions for worms. The time from the discovery of a bug to the outbreak of a worm is becoming shorter, while the time from the outbreak of a worm to its containment is becoming longer, and almost every worm outbreak has caused huge economic losses. Because it relies on manually extracted signatures, traditional anti-virus technology based on signature matching cannot meet the needs of today's network security. It is therefore significant and urgent to research technology for automatically detecting unknown worms.

As a theoretical basis, this dissertation analyzes the existing theoretical knowledge related to worm detection. It analyzes intrusion detection technology, puts forward definitions of a worm and a worm signature, and analyzes worm characteristics, the functional structure of worms, worm attacks, worm scan strategies and the worm propagation model.

This dissertation establishes bases for worm detection after analyzing the characteristics of worm traffic, the characteristics of normal network application traffic that is similar to worm traffic, and the differences between the two kinds of traffic. To improve detection efficiency and accuracy, the network traffic is classified and abstracted, and a worm propagation topography is constructed for the traffic analysis. According to these bases and the worm propagation topography, this dissertation puts forward a multidimensional worm anomaly detection algorithm for detecting unknown worms early.

This dissertation puts forward a foundation for automatic worm signature extraction and a saltatory multiple-signature automatic worm signature extraction algorithm, which extracts and counts substrings from abnormal flows. It then analyzes and evaluates the algorithm's applicable scope, flexibility and model for processing worm packets. Rules for signature-based detection are generated by filtering the extracted substrings.

This dissertation puts forward a distributed worm detection and automatic worm signature extraction system model for detecting unknown worms, then tests it and discusses the existing problems.