Network worms pose a serious threat to the security of Internet infrastructure through their rapid and varied propagation. Compared with traditional host viruses, worms infect faster and cause more severe damage. The interval between the discovery of a vulnerability and the outbreak of a worm exploiting it keeps shrinking, while eradicating a worm takes a long time, so containing worm infections by manual means is unrealistic and an automatic detection system is needed. In the Internet environment in particular, the variety of propagation methods produces more worm variants, deeper latency and wider coverage. Traditional signature-based detection systems do not cope with these new worms, so a detection system must be able to detect unknown worms.

Network worms descend from viruses but differ from them. After defining network worms and introducing their pivotal characteristics, including their behavior, structure and working flow, we analyze, from the viewpoint of detection, the scanning methods worms use, distinguish the automatic scanning of worms from the manual scanning of hackers, and introduce the propagation model.

Then, based on worm behavior, we mainly study unknown worms at the network layer. We analyze the network traffic captured by a network trap, take the multiple attributes of inbound traffic (e.g. source IP, destination port) into account and, at the same time, compute statistics of the outbound traffic based on moving windows over the failing traffic, then construct a suspicious-attribute database. After that, we find suspicious unknown worms in the inbound traffic by reference to the suspicious-attribute database and place them into a suspicious pool. When the count of entries in the suspicious pool exceeds a critical threshold, the automated signature generation system is triggered. The system reads data from the pool and exports worm signatures to the signature database.

The system implements two methods of generating signatures, both applying the same principle. After eliminating the noise in the pool, the system extracts the common substrings in the pool and automatically generates a signature for the unknown worm based on the similarity among worms of the same type. In essence, I propose a model for detecting unknown worms and automatically generating signatures, then test it and discuss the problems that arose.
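As an added illustration, not code from the thesis, the following Python sketch implements a toy version of the pipeline described above: a moving-window count of failed outbound connections flags infected hosts, the source addresses and destination ports of inbound flows to those hosts form the suspicious-attribute database, matching inbound flows fill a pool, and once the pool reaches a critical size the noise entries are dropped and the longest common substring of the remaining payloads is emitted as the signature. All function names, thresholds, addresses and payloads are constructed assumptions.

```python
"""Toy worm-detection and signature-generation pipeline (added example;
all names, thresholds and sample flows are constructed assumptions)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Flow:
    t: int                # seconds since start of capture (constructed)
    src: str              # source address
    dst: str              # destination address
    dport: int            # destination port
    payload: bytes = b""  # first bytes of the application payload
    failed: bool = False  # outbound attempt that never completed a handshake


def failing_hosts(outbound, window=10, threshold=5):
    """Hosts whose failed outbound connections inside any moving window of
    `window` seconds reach `threshold`: a simplified failing-traffic statistic."""
    recent = defaultdict(deque)
    flagged = set()
    for f in sorted(outbound, key=lambda f: f.t):
        if not f.failed:
            continue
        q = recent[f.src]
        q.append(f.t)
        while q and f.t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(f.src)
    return flagged


def suspicious_attributes(inbound, flagged):
    """Multi-attribute database: source addresses and destination ports of
    inbound flows that reached a host which later started failing."""
    attrs = {"src": set(), "dport": set()}
    for f in inbound:
        if f.dst in flagged:
            attrs["src"].add(f.src)
            attrs["dport"].add(f.dport)
    return attrs


def fill_pool(inbound, attrs):
    """Inbound flows whose attributes match the suspicious database."""
    return [f for f in inbound
            if f.src in attrs["src"] or f.dport in attrs["dport"]]


def common_substring(payloads):
    """Longest byte string contained in every payload (b"" if none)."""
    if not payloads:
        return b""
    shortest = min(payloads, key=len)
    for n in range(len(shortest), 0, -1):
        for i in range(len(shortest) - n + 1):
            cand = shortest[i:i + n]
            if all(cand in p for p in payloads):
                return cand
    return b""


def remove_noise(payloads, min_len=4):
    """Drop pool entries sharing no substring of at least `min_len` bytes
    with any other entry: they are unlikely to be copies of the same worm."""
    return [p for i, p in enumerate(payloads)
            if any(len(common_substring([p, q])) >= min_len
                   for j, q in enumerate(payloads) if j != i)]


def generate_signature(pool, critical=3, min_len=4):
    """Signature once the pool reaches `critical` entries, otherwise None."""
    if len(pool) < critical:
        return None
    sig = common_substring(remove_noise([f.payload for f in pool], min_len))
    return sig if len(sig) >= min_len else None


# Constructed sample capture: 10.0.0.5 and 10.0.0.6 get hit on port 445 and
# then scan; 10.0.0.9 and the HTTP request are benign background traffic.
INBOUND = [
    Flow(0, "192.0.2.4", "10.0.0.5", 80, b"GET / HTTP/1.1"),
    Flow(1, "203.0.113.7", "10.0.0.5", 445, b"\x90\x90\x90\x90MARKAAAA\xcc"),
    Flow(3, "192.0.2.8", "10.0.0.9", 445, b"\x00\x00\x00\x54\xffSMB"),
    Flow(15, "10.0.0.5", "10.0.0.6", 445, b"\x31\xc0MARKAAAA\xcd\x80"),
    Flow(20, "198.51.100.9", "10.0.0.6", 445, b"\x90MARKAAAA\xcc\xcc"),
]
OUTBOUND = (
    [Flow(t, "10.0.0.5", f"10.0.1.{t}", 445, failed=True) for t in range(2, 7)]
    + [Flow(t, "10.0.0.6", f"10.0.2.{t}", 445, failed=True) for t in range(16, 21)]
    + [Flow(1, "10.0.0.9", "10.0.0.1", 53), Flow(30, "10.0.0.9", "10.0.3.1", 445, failed=True)]
)


def run_pipeline(inbound=INBOUND, outbound=OUTBOUND):
    """Full chain: flag hosts -> attribute DB -> pool -> signature."""
    flagged = failing_hosts(outbound)
    pool = fill_pool(inbound, suspicious_attributes(inbound, flagged))
    return generate_signature(pool)


if __name__ == "__main__":
    print(run_pipeline())
```

The OR-match in `fill_pool` is deliberately broad, so the benign SMB and HTTP flows enter the pool as noise; `remove_noise` is what keeps them out of the signature, which mirrors the abstract's order of noise elimination before common-substring extraction.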