Research On Behavior-Based Polymorphic Worms Detection Technology

Posted on: 2009-01-24
Degree: Master
Type: Thesis
Country: China
Candidate: X M Xu
Full Text: PDF
GTID: 2178360245994419
Subject: Computer application technology
Abstract/Summary:
As network applications grow in number and complexity, Internet worms have become a threat to network security. Recently worms have evolved into polymorphic worms, which use many metamorphic techniques to evade detection by existing IDSes. The detection of polymorphic worms has therefore become a focus of worm research.

Research on polymorphic worms has produced a number of important results. However, all of this work rests on the hypothesis that polymorphic worms have only a simple transformation ability, and it lacks a full analysis and understanding of metamorphic techniques and tools. Although polymorphic worms have not yet appeared on a large scale on the Internet, the continuous improvement of code obfuscation and metamorphic techniques means that their potential danger and damage deserve serious attention.

Behavior-based detection makes use of the worm's behavior that stays constant throughout the attack process, and it is flexible in detecting polymorphic worms; it has therefore become the current focus of research on polymorphic worm detection. This paper first presents the structure of polymorphic worms and their metamorphic techniques in full, then summarizes and analyzes detection techniques of recent years, and finally presents a stronger kind of polymorphic worm and a corresponding detection method. The major work is as follows:

(1) A systematic and comprehensive analysis of the detection technologies for polymorphic worms is given. The technologies are compared, and their characteristics, including advantages and limitations, are presented in charts.

(2) The structure and some metamorphic techniques of a new, highly capable kind of polymorphic worm, the polymorphic worm with changeable program structure, are introduced. Based on an analysis of a large number of references and of current metamorphic techniques, one kind of polymorphic worm with high ability and potential harm is presented, and the multiple metamorphic techniques of this worm are analyzed. We also analyze the limitations of current methods and draw some conclusions.

(3) A new approach to detecting the polymorphic worms mentioned above is introduced: applying the PDG (Program Dependence Graph) to detect polymorphic worms. By analyzing the features of such a worm's behavior, we found that the function of such worms remains the same during the whole attack process. Based on this property, we put forward a detection approach that uses the PDG to describe the common features among different instances of various polymorphic worms.

In this paper, a new direction for the development of polymorphic worms is introduced, and the corresponding detection approach is provided. It has been proved that our approach has several advantages, such as good detecting ability, low error, and acceptable detecting efficiency...
Keywords/Search Tags: polymorphic worms, Behavior-based detection, Change of Program Structure, Control Flow Graph, Program Dependence Graph
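
The property that item (3) relies on, that dependence structure stays the same while the instruction text changes, can be shown with a small added example. It is not the thesis's algorithm: it covers only the data-dependence part of a PDG for straight-line register code, and the instruction format, the names `dependence_signatures`, `SINKS` and `COMMUTATIVE`, and the sample programs are all constructed for illustration.

```python
# Added illustration, not the thesis's algorithm: the data-dependence half of a
# PDG for straight-line toy code. Instruction format (constructed here):
# (op, dst, *operands); operands are register names or integer constants.

COMMUTATIVE = {"add", "xor"}
SINKS = {"store"}  # ops with an externally visible effect


def dependence_signatures(program):
    """Return the sorted dependence signatures of all sink instructions."""
    value_of = {}  # register -> signature of the computation it currently holds
    sinks = []
    for op, dst, *operands in program:
        parts = []
        for operand in operands:
            if isinstance(operand, int):
                parts.append(f"#{operand}")
            else:
                # A register never written before is an external input.
                parts.append(value_of.get(operand, "in"))
        if op in COMMUTATIVE:
            parts.sort()  # operand order carries no meaning
        # A plain copy adds no computation, so it is transparent.
        sig = parts[0] if op == "mov" else f"{op}({','.join(parts)})"
        if op in SINKS:
            sinks.append(sig)  # only what reaches a sink is kept
        else:
            value_of[dst] = sig
    return sorted(sinks)


# Constructed samples: both variants compute store((input ^ 0x5A) + 3).
VARIANT_A = [
    ("mov", "eax", 0x5A),
    ("xor", "ebx", "eax", "buf"),
    ("add", "ebx", "ebx", 3),
    ("store", None, "ebx"),
]
VARIANT_B = [  # renamed registers, swapped operands, junk instructions inserted
    ("mov", "edx", 7),
    ("mov", "ecx", 0x5A),
    ("add", "edx", "edx", 1),
    ("xor", "esi", "src", "ecx"),
    ("add", "esi", 3, "esi"),
    ("store", None, "esi"),
]
DIFFERENT = VARIANT_A[:2] + [("sub", "ebx", "ebx", 3), ("store", None, "ebx")]

if __name__ == "__main__":
    print(dependence_signatures(VARIANT_A) == dependence_signatures(VARIANT_B))
```

The signature ignores register names, the order of independent instructions, and code that never reaches a sink, but it does not normalize equivalent instruction substitutions or model control dependence and memory.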