| Combining an intrusion detection system with a firewall is the most effective means of protecting a network. Most misuse-based intrusion detection systems rely on attack signatures, so their detection performance largely depends on the quality of those signatures. With the development of polymorphic techniques, worms and their variants are difficult for existing intrusion detection systems to detect, so they can easily penetrate network defenses and do great harm to the security of networked systems. How to extract a polymorphic worm's signature quickly and effectively, so as to strangle the worm in its cradle at the early stage of an outbreak, is therefore a hot research topic. In the past, signatures could only be extracted through post-hoc analysis by security experts, but this approach struggles to cope with growing network security problems: it takes two days or longer to extract a signature, and the signature it produces is not precise enough to protect the network. Automatic feature extraction can extract signatures quickly and accurately without human intervention; it is a better network protection technology with good prospects. Inspired by sequence alignment in biology, we propose antMSA, which combines sequence alignment with an improved ant colony algorithm, to study automatic signature extraction for polymorphic worms. The main work is as follows: 1. We study the structure of polymorphic worms in depth and analyze their various morphing techniques; a conserved signature remains regardless of how morphing technology develops. We analyze existing signature extraction methods and the forms signatures take, and compare their advantages and disadvantages. 2. From a biological point of view, biological multiple sequence alignment and polymorphic worm signature extraction have a great deal in common.
We use the biological multiple sequence alignment algorithm to extract polymorphic worm signatures. Because the Needleman-Wunsch algorithm tends to produce fragments, and in view of the efficiency of the CMENW-HMSA signature extraction algorithm, we apply the ant colony algorithm, improve the ants' search strategy, and propose antMSA, which uses the ant colony algorithm's fast convergence to find better solutions in the global scope and extract more precise signatures. Finally, experiments verify the validity of the antMSA method: it effectively improves the efficiency of signature extraction, and both the false positive rate and the false negative rate are improved. |
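The alignment idea behind the abstract, as an added example that is not the thesis's antMSA code: plain pairwise Needleman-Wunsch over two constructed payload variants, keeping the aligned matching bytes as conserved tokens. The scoring values, the `min_len` filter and the sample payloads are assumptions chosen here to show how a chance one-byte match becomes a fragment in the signature.

```python
# Pairwise Needleman-Wunsch signature extraction (added illustration only).
MATCH, MISMATCH, GAP = 2, -1, -1  # assumed scoring, not taken from the page

# Constructed variants: same invariant tokens, different filler bytes.
VARIANT_A = b"ab" + b"INVARIANT" + b"kx" + b"CODE42" + b"c"
VARIANT_B = b"def" + b"INVARIANT" + b"pky" + b"CODE42" + b"gh"

def needleman_wunsch(a: bytes, b: bytes):
    """Global alignment; returns (i, j) pairs where equal bytes are aligned."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * GAP
    for j in range(1, m + 1):
        score[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            score[i][j] = max(score[i - 1][j - 1] + sub,
                              score[i - 1][j] + GAP,
                              score[i][j - 1] + GAP)
    pairs, i, j = [], n, m
    while i > 0 and j > 0:  # trace one optimal path back to the origin
        sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
        if score[i][j] == score[i - 1][j - 1] + sub:
            if sub == MATCH:
                pairs.append((i - 1, j - 1))
            i, j = i - 1, j - 1
        elif score[i][j] == score[i - 1][j] + GAP:
            i -= 1
        else:
            j -= 1
    return pairs[::-1]

def conserved_tokens(a: bytes, b: bytes, min_len: int = 1):
    """Runs of matches contiguous in both inputs; short runs are fragments."""
    tokens, run, prev = [], bytearray(), None
    for i, j in needleman_wunsch(a, b):
        if prev is not None and (i, j) != (prev[0] + 1, prev[1] + 1):
            tokens.append(bytes(run))
            run = bytearray()
        run.append(a[i])
        prev = (i, j)
    if run:
        tokens.append(bytes(run))
    return [t for t in tokens if len(t) >= min_len]

if __name__ == "__main__":
    print(conserved_tokens(VARIANT_A, VARIANT_B))             # includes fragment
    print(conserved_tokens(VARIANT_A, VARIANT_B, min_len=3))  # fragment dropped
```

This covers only the two-sequence case; extending it to many samples and searching alignments with an ant colony is the part the thesis contributes and is not reproduced here.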