Network Worm Propagation Model And Its Signature Extraction Algorithm

Posted on: 2009-08-20 | Degree: Master | Type: Thesis
Country: China | Candidate: X H Wang
GTID: 2208360245461550 | Subject: Communication and Information System
Abstract/Summary:
Network worms not only exhaust the system resources of infected hosts and damage them, but also consume network bandwidth, congest the network, and can even disrupt it entirely. Network worms have become a common problem for all computer users on the Internet. Frequent outbreaks of Internet worms not only cause Internet users a great deal of trouble, but also result in tremendous economic damage. How to accurately characterize worm propagation and compute worm signatures that identify worms, which is the foundation of anti-worm research, has become an important task in the field of computer network security.

In this paper, after reviewing the history of worm development and the definition of a worm, we explain how a worm works, its exploration function components, the architectures of worm performance, and scanning strategies. After introducing some typical models, we analyze the properties of mathematical worm propagation models, point out the limitations of the traditional models, and describe in detail our worm propagation model, which considers multiple effects. We derive the effect on worm propagation of the average security level of nodes in the network and of network congestion, and of scanned addresses that are not in the network or that have already been scanned, and we present an improved propagation model based on the two-factor model. In a propagation simulation of CodeRed using our models, we found that, compared with the existing models, our models better describe the propagation process of modern worms.

We then give a full explanation of some worm defense technologies in common use in networks. We analyze the process of signature generation in detail and compare the approaches based on our experimental results. Building on worm detection, biological sequence analysis, and dynamic optimization research, two approaches to the automatic generation of attack signatures are proposed.

1) The approach based on multi-sequence alignment. The suspicious flows are converted into sequences, and an adaptation of the alignment algorithm is used to find the signature from two samples; the merging alignment algorithm shows how to use the alignment algorithm to find the signature for any number of samples. Through the merging technique, a filter function in the two-sequence alignment algorithm, and the assembly of new, shorter sequences, the algorithm efficiently reduces the total complexity.

2) The approach based on the EM algorithm, which computes a type of position-aware distribution signature (PADS) that fits in the gap between traditional signatures and anomaly-based systems. According to the characteristics of the input data sets, we changed the way the initial values of the underlying parameters are set. Our experiments showed that the algorithm accurately generated the PADS from worm samples and was more efficient than before.

Finally, we summarize the research work and offer some suggestions for future research.
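The two-sample alignment and the merge over any number of samples described in approach 1 can be sketched as follows. This is an added example, not code from the thesis: it assumes standard Needleman-Wunsch global alignment with constructed scoring values, omits the thesis's filter function and sequence reassembly, and runs on constructed sample flows.

```python
MATCH, MISMATCH, GAP = 2, -1, -1  # constructed scoring values (assumption)
WILD = None                       # position where aligned samples disagree

def align(a, b):
    """Standard Needleman-Wunsch (not the thesis's adapted variant): keep
    symbols both inputs agree on, put WILD at every mismatch or gap."""
    n, m = len(a), len(b)
    def sub(i, j):  # substitution score for a[i-1] vs b[j-1]
        return MATCH if a[i-1] is not WILD and a[i-1] == b[j-1] else MISMATCH
    score = [[(i + j) * GAP if i == 0 or j == 0 else 0
              for j in range(m + 1)] for i in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            score[i][j] = max(score[i-1][j-1] + sub(i, j),
                              score[i-1][j] + GAP, score[i][j-1] + GAP)
    merged, i, j = [], n, m
    while i > 0 or j > 0:  # trace one optimal path back to the origin
        if i > 0 and j > 0 and score[i][j] == score[i-1][j-1] + sub(i, j):
            merged.append(a[i-1] if sub(i, j) == MATCH else WILD)
            i, j = i - 1, j - 1
            continue
        merged.append(WILD)  # gap: one sample has bytes the other lacks
        if i > 0 and score[i][j] == score[i-1][j] + GAP:
            i -= 1
        else:
            j -= 1
    return merged[::-1]

def tokens(merged, min_len=4):
    """Contiguous runs of agreed bytes, at least min_len long."""
    out, run = [], bytearray()
    for sym in merged + [WILD]:
        if sym is WILD:
            if len(run) >= min_len:
                out.append(bytes(run))
            run = bytearray()
        else:
            run.append(sym)
    return out

def signature(samples, min_len=4):
    """Merge step: fold the pairwise alignment across all samples."""
    merged = list(samples[0])
    for s in samples[1:]:
        merged = align(merged, list(s))
    return tokens(merged, min_len)

SAMPLES = [b"PROBE /svc?k=1111&mark=STATIC;77 END",       # constructed flows
           b"PROBE /svc?k=22222222&mark=STATIC;888 END",
           b"PROBE /svc?k=333&mark=STATIC;9 END"]
```

Calling `signature(SAMPLES)` returns the invariant byte runs shared by every flow; each token is a contiguous substring of every sample, so a high `min_len` trades false positives for missed short invariants.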
Keywords/Search Tags: worm, worm propagation, analytical models, attack signatures, signature generation algorithm