CN101202744A - Devices for self-learned detecting helminth and method thereof - Google Patents


Info

Publication number
CN101202744A
Authority
CN
China
Prior art keywords
worm
equipment
packet
unit
newly
Legal status
Pending
Application number
CNA2006101652900A
Other languages
Chinese (zh)
Inventor
杨仁斌
韦韬
龚晓锐
吴开宇
张建宇
Current Assignee
Peking University
Original Assignee
Peking University

Abstract

The invention provides a device for detecting worms. Its method comprises the following steps: a step of intercepting and processing network packets, in which the collected packets are layered and classified according to the TCP/IP protocol model and a device packet-sending statistics table is built that records the packet-sending situation of each host; a step of judging whether the packet is an ARP request packet, in which case the device packet-sending statistics table is updated, and otherwise judging whether the packet is a newly built IP connection; if it is not, returning to the step of intercepting and processing network packets, and if it is, updating the device packet-sending statistics table with the newly built connection; and a step of judging whether the device that sent the packet is a suspect device, in which it is judged from the content of the device packet-sending statistics table whether the suspect device is infected by a worm; if so, the device is marked as worm-infected, and if not, the method returns to the step of intercepting and processing network packets.

Description

Self-learning worm detection device and method
Technical field
The present invention relates to a device and method for detecting worms, and in particular to a device and method for detecting worms in computer networks and data communications.
Background technology
Since the Morris worm escaped from a laboratory in 1988 as the first worm-type virus, computer worms have continually brought disaster to the networked world through their fast and varied means of propagation. Especially since 1999, the continual appearance of high-risk worms has repeatedly inflicted losses on the world economy ranging from billions to tens of billions of dollars.
Although Internet worms are usually classified as viruses in the broad sense, a worm differs from a traditional virus in many ways beyond their shared traits of replication and infection: a worm mainly targets computers, whereas a virus mainly targets the file system; a worm attacks actively, whereas a virus needs to be triggered by the computer's user in order to spread. Because of these differences, traditional virus-detection strategies are essentially no longer suitable when applied against worms. In terms of damage, no ordinary virus compares with a worm: the growth of networking lets a worm spread across the whole Internet in a short time and leave large areas of it unable to operate normally. Research into effective methods for detecting Internet worms, in particular methods that are broadly effective against all kinds of worms including those currently unknown, is therefore crucial.
Existing worm detection systems are mainly of the following two kinds:
(1) Detection by an intrusion detection system (IDS). In such a system all traffic in the network must be mirrored to the IDS, which analyses the IP packets it hears and reports a worm whenever a signature in an IP packet matches the worm signature database of the IDS. Because this method uses signature matching similar to traditional virus detection, it has several drawbacks: the low performance of signature-database matching makes overall worm detection slow; the requirement for real-time updates of the signature database narrows its range of application; and it cannot be applied to novel worms whose signatures have not been published.
(2) Detection by a traffic-anomaly analysis system. Such a system normally collects traffic information from each network device that has this capability, aggregates and analyses it, and then applies a predetermined traffic-anomaly threshold to decide whether a worm is present. Its theoretical basis is that worm activity usually causes anomalous changes in traffic. Because it analyses only the pattern of change in traffic volume, it produces a certain degree of false alarms.
Both methods above suffer from a narrow range of application, low efficiency, low sensitivity and a high false-alarm rate. A worm detection method that is widely applicable, efficient, highly sensitive and low in false alarms is therefore urgently needed.
Summary of the invention
The object of the present invention is to provide a device for detecting worms that can efficiently detect, in real time, the hosts in a network that are infected by worms, and that can automatically adjust the threshold value of a parameter in the worm behavioural characteristic description scheme according to the probability of false alarms during detection. It has the advantages of a wide range of application, high performance, adjustable sensitivity and a low false-alarm rate.
The worm detection device of the present invention is characterised in that it comprises: a unit that intercepts and processes network packets, which layers and classifies the collected packets according to the TCP/IP protocol model and builds a device packet-sending statistics table recording the packet-sending situation of each host; a unit that judges whether the packet is an ARP request packet, updating the device packet-sending statistics table if so and otherwise judging whether the packet is a newly built IP connection; a unit that judges whether the packet is a newly built IP connection, which does nothing if the received packet is not a newly built connection and updates the device packet-sending statistics table if it is; and a unit that judges whether the device that sent the packet is a suspect device, which judges from the content of the device packet-sending statistics table whether that device is a worm-infected suspect device, marks it if it is, and otherwise does nothing.
A further feature of the worm detection device of the present invention is that the unit that intercepts and processes network data uses the source MAC address and source IP address in the message as parameters of a hash calculation to obtain an index value, and builds a host information hash table from this index value; the host information hash table is used to index, by this value, the device packet-sending statistics table that records the packet-sending situation of each device in the network.
A further feature of the worm detection device of the present invention is that the unit that judges whether the device is a suspect device does so according to the transmission frequency of ARP request packets.
A further feature of the worm detection device of the present invention is that the unit that judges whether the device is a suspect device does so according to the frequency of newly built connections in the IP packets.
A further feature of the worm detection device of the present invention is that the newly built connections include TCP, UDP, ICMP and so on.
A further feature of the worm detection device of the present invention is that the unit that judges whether the device is a suspect device calculates the ARP request packet transmission frequency by setting a threshold M in the worm behavioural characteristic description scheme and computing the time difference Δt from the last frequency calculation to the current time.
A further feature of the worm detection device of the present invention is that the unit that judges whether the device is a suspect device calculates the frequency of newly built connections by setting a threshold M in the worm behavioural characteristic description scheme and computing the time difference Δt from the last frequency calculation to the current time.
A further feature of the worm detection device of the present invention is that it also comprises a self-learning unit, which automatically adjusts the threshold M in the worm behavioural characteristic description scheme when the false-alarm rate exceeds a certain value.
A further feature of the worm detection device of the present invention is that it also comprises an aging unit, which discards or replaces statistical information that has met the aging criterion.
A further feature of the worm detection device of the present invention is that the unit that judges whether the device is a suspect device judges whether it is a worm according to the distribution of ARP packet destination addresses.
A further feature of the worm detection device of the present invention is that the unit that judges whether the device is a suspect device judges whether it is a worm according to the target similarity distribution of newly built IP connection packets.
The worm detection method of the present invention is characterised in that it comprises the steps of: intercepting and processing network packets, in which the collected packets are layered and classified according to the TCP/IP protocol model and a device packet-sending statistics table recording the packet-sending situation of each host is built; judging whether the packet is an ARP request packet, in which case the device packet-sending statistics table is updated, and otherwise judging whether the packet is a newly built IP connection; judging whether the packet is a newly built IP connection, returning to the step of intercepting and processing network packets if it is not and updating the device packet-sending statistics table if it is; and judging whether the device that sent the packet is a suspect device, in which it is judged from the content of the device packet-sending statistics table whether the device is a worm-infected suspect device, marking it if so and otherwise returning to the step of intercepting and processing network packets.
A further feature of the worm detection method of the present invention is that, in the step of intercepting and processing network data, the source MAC address and source IP address in the message are used as parameters of a hash calculation to obtain an index value, and a host information hash table is built from this index value; the host information hash table is used to index, by this value, the device packet-sending statistics table that records the packet-sending situation of each device in the network.
A further feature of the worm detection method of the present invention is that, in the step of judging whether the device is a suspect device, the judgement is made according to the transmission frequency of ARP request packets.
A further feature of the worm detection method of the present invention is that, in the step of judging whether the device is a suspect device, the judgement is made according to the frequency of newly built connections in the IP packets.
A further feature of the worm detection method of the present invention is that the newly built connections include TCP, UDP, ICMP and so on.
A further feature of the worm detection method of the present invention is that the ARP request packet transmission frequency is calculated by setting a threshold M in the worm behavioural characteristic description scheme and computing the time difference Δt from the last frequency calculation to the current time.
A further feature of the worm detection method of the present invention is that the frequency of newly built connections is calculated by setting a threshold M in the worm behavioural characteristic description scheme and computing the time difference Δt from the last frequency calculation to the current time.
A further feature of the worm detection method of the present invention is that it also comprises a self-learning step, which automatically adjusts the threshold M in the worm behavioural characteristic description scheme when the false-alarm rate exceeds a certain value.
A further feature of the worm detection method of the present invention is that it also comprises an aging step, which discards or replaces statistical information that has met the aging criterion.
A further feature of the worm detection method of the present invention is that whether the device is a worm is judged according to the distribution of ARP packet destination addresses.
A further feature of the worm detection method of the present invention is that whether the device is a worm is judged according to the target similarity distribution of newly built IP connection packets.
Theoretical basis of the present invention: the key characteristic of a worm is its very strong ability to propagate. The rapid spread of a worm is accompanied by a large volume of complex network behaviour. In general, a worm obtains the IP addresses of its attack targets in various ways (for example by generating target IPs randomly or sequentially) and sends attack packets to them. Because of the mechanisms of the TCP/IP protocol, a worm host propagates mainly in one of the following ways: (1) it obtains the MAC address of the target host and communicates with it directly, or (2) it forwards the attack data through a router. In the first case the worm usually sends ARP broadcast packets within the broadcast domain at a very high or fairly high frequency to request the MAC addresses of its targets; in the second case it requests new IP connections from the router at a very high or fairly high frequency. In addition, the content a worm sends to different target hosts shows a high degree of similarity and temporal locality. Making comprehensive use of these worm behavioural characteristics therefore makes it possible to detect worms that may exist in the network efficiently and accurately.
The present invention is built on analysis of worm behavioural characteristics, which are matched against a worm behavioural characteristic description scheme. A host that matches is judged to be infected with a worm.
Because this method and device are based on analysis of worm behavioural characteristics, they can efficiently detect worms that may exist in the network. The real-time worm monitoring method of the present invention can therefore efficiently detect worm-infected hosts in the network in real time, with the advantages of a wide range of application, high performance, adjustable sensitivity and a low false-alarm rate.
Description of drawings
Fig. 1 is the network topology diagram of the worm detection device of the present invention.
Fig. 2 is a structural diagram of the worm detection device of the present invention.
Fig. 3 is the flow chart of the worm detection method of the present invention.
Fig. 4 shows an embodiment of the worm detection method of the present invention.
Fig. 5 shows the host information hash table used in the worm detection method of the present invention.
Embodiment
The specific embodiments of the present invention are described in detail below with reference to the accompanying drawings, Figs. 1 to 5 listed above.
The worm detection device 2 of the present invention is connected between the firewall 1 and the Ethernet 4 and detects whether each device 3 connected to the Ethernet 4 is infected with a worm. The worm detection device 2 comprises: a unit 21 that intercepts and processes network packets, which layers and classifies the collected packets according to the TCP/IP protocol model and builds a device packet-sending statistics table recording the packet-sending situation of each host; a unit 22 that judges whether the packet is an ARP request packet, updating the device packet-sending statistics table if so and otherwise judging whether the packet is a newly built IP connection; a unit 23 that judges whether the packet is a newly built IP connection, which does nothing if the received packet is not a newly built connection and updates the device packet-sending statistics table if it is; a unit 24 that judges whether the device that sent the packet is a suspect device, which judges from the content of the device packet-sending statistics table whether that device is a worm-infected suspect device, marks it if it is, and otherwise does nothing; a self-learning unit 26, which automatically adjusts the threshold M in the worm behavioural characteristic description scheme when the false-alarm rate exceeds a certain value; an aging unit 25, which discards or replaces statistical information that has met the aging criterion; and a man-machine interface (UI) 27. When the unit 24 judges that a device is a suspected worm-infected device, it provides the result to the man-machine interface 27, performs self-learning according to the feedback from the man-machine interface 27, and automatically adjusts the worm behavioural characteristic description scheme, improving detection sensitivity and reducing false alarms.
The worm detection method of the present invention comprises the following steps. Step S10, intercepting and processing network packets: the collected packets are layered and classified according to the TCP/IP protocol model; the source MAC address and source IP address in the message are used as parameters of a hash calculation to obtain an index value, and a host information hash table is built from this index value, which is used to index, by this value, the device packet-sending statistics table recording the packet-sending situation of each device in the network. Step S20, judging whether the packet is an ARP request packet: the packet heard is examined to decide whether it is an ARP request packet; if so, the method advances to step S40, updating the device packet-sending statistics table; if not, it advances to step S30, judging whether the packet is a newly built IP connection. Step S30, judging whether the packet is a newly built connection: if it is not, the method returns to step S10, intercepting and processing network packets; if it is, the device packet-sending statistics table is updated (S40). Step S40, updating the device packet-sending statistics table: the packet-sending statistics of the device are updated. Step S50, judging whether the device that sent the packet is a suspect device: from the device packet-sending statistics table it is decided whether the frequency at which the device sends ARP request packets and newly built IP connections exceeds the prescribed threshold; if it exceeds the threshold defined by the worm behavioural characteristic description scheme, the device is judged suspicious, marked as a suspected worm-infected host (S60), and the method returns to step S10; if it does not exceed the threshold defined by the worm behavioural characteristic description scheme, the ARP request packet counter and the IP new connection request counter in the device packet-sending statistics table are cleared and the method returns to step S10, intercepting and processing network packets.
[Embodiment]
Fig. 3 shows an embodiment in which the worm detection method of the present invention is carried out by the worm detection device of the present invention. The unit that intercepts and processes network data layers and classifies the collected packets according to the TCP/IP protocol model. The method of layering and classification is: intercept all message data on the network and extract the relevant information from each message. For ARP packets, extract the source IP address, destination IP address, source MAC address and destination MAC address contained in the packet. For IP packets, extract the IP five-tuple contained in the packet (source address, destination address, source port or ICMP id, destination port or ICMP type and code, protocol number), the time the packet occurred, the connection, the first valid content packet, and the context relationship based on the connection.
The key steps of the message data interception and collection method are as follows:
(1) Connect the information collection unit to the network environment in transparent bridge mode;
(2) Set the network interface card of the unit to promiscuous mode, so that it can intercept the packets exchanged between all network hosts under the Layer 2 switch;
(3) Store the collected information in a buffer device such as high-speed memory, to await processing by the message processing unit.
Next, after the intercepted data messages have been classified according to the TCP/IP layers, the source MAC address, source IP address or another specific identifier in the message can be used as parameters of a hash calculation to obtain an index value, and this index value is used to build or index an information table recording the packet-sending situation of each host in the network (the device packet-sending statistics table). The information table made up of these index values is referred to below as the host information hash table, shown in Fig. 4, where 10 is the host information hash table and 20 is the device packet-sending statistics table recording the packet-sending situation of each host in the network. The concrete steps are: substitute the source IP address and source MAC address into the hash parameter calculation formula to obtain the index value; use this index value to look up, in the host information hash table, the device packet-sending statistics table entry corresponding to this host; when an entry is found, match the source IP address and source MAC address against the corresponding fields of the entry and update the entry. The information entered in the table comprises the source MAC address, the source IP address and the time the data occurred.
Next, the unit 22 that judges whether the packet is an ARP request packet does so (S120). If the received packet is an ARP broadcast request, the entry of the corresponding host is retrieved from the hash table (S125), the ARP request packet counter in the device packet-sending statistics table 20 is incremented by 1, and the ARP request frequency is calculated (S140); the calculation method is described below. If no corresponding entry exists but an entry with the same hash-table index value does, a new entry is created by appending a chained entry after the existing one, or by another method that resolves the hash collision, and the same information is entered into the table.
The unit that judges whether the packet is a newly built IP connection does so (S130); its decision method is the same as in step S120 above, in which the ARP request unit judges whether the packet is an ARP request packet, so its description is omitted here.
Next, the unit 24 that judges whether the device is a suspect device matches the content of the device packet-sending statistics table 20 against the worm abnormal behaviour description scheme (S155) and judges from the matching result whether the device is infected with a worm (S160). If it is, the host is marked as a suspected worm-infected host, and the device waits to process the next packet.
In the present embodiment, the unit 24 that judges whether the device is a suspect device decides whether the device is suspicious according to whether the frequency at which it sends ARP request packets and newly built IP connections, as recorded in the device packet-sending statistics table, exceeds the prescribed threshold. The ARP broadcast request transmission frequency of a host is calculated as follows. An ARP frequency threshold of M requests per second is set in advance in the worm behavioural characteristic description scheme. Each time an ARP broadcast request is received, the ARP request packet counter in the entry of this host in the host information hash table is incremented by one. When the counter value exceeds M, the time difference Δt between the last frequency calculation and the current time is computed. If Δt is greater than one second, the average ARP broadcast request transmission frequency over the most recent Δt was below M per second; otherwise it was above M per second. After the ARP request frequency has been calculated, the ARP request packet counter in the entry is cleared, and the current time is saved as the zero time of the next round of ARP counting. If the ARP request packet transmission frequency of the host exceeds the threshold M requests per second of the worm behavioural characteristic description scheme, the ARP broadcast request sending of this device is judged suspicious: the ARP request sending suspicious flag is set in the entry of the device packet-sending statistics table 20 corresponding to this host, and the timestamp of the ARP suspicious flag is set to the current time.
For a host previously marked as an ARP request sending suspect whose current ARP request sending frequency is evaluated against the threshold of the worm behavioural characteristic description scheme, the following data are also accumulated: the time ΔT1 that has elapsed, up to the current time, since the host last sent an ARP broadcast request after becoming a suspected ARP request sender; and the time ΔT2 for which its ARP request frequency has continuously stayed below the threshold of the worm behavioural characteristic description scheme. If ΔT1 or ΔT2 exceeds its corresponding preset threshold in the worm behavioural characteristic description scheme, the ARP request sending of this device is no longer considered suspicious, and the ARP request sending suspicious flag in the entry of the device packet-sending statistics table 20 corresponding to this host is cleared. Otherwise the ARP request packet sending of this host is still considered suspicious, and the timestamp of the ARP request sending suspicious flag is left unchanged.
For IP messages, the frequency of newly built IP connection requests is computed in the same way as for ARP. These newly built connection requests include TCP, UDP, ICMP and so on.
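The counting rule of the preceding paragraphs (ARP request frequency against a threshold M with the Δt test, the ΔT1/ΔT2 clearing rule, the same scheme for newly built IP connections, and the aging unit), as an added Python example that is not the patent's own code. The host information hash table is modelled as a dict keyed by (source MAC, source IP); the M values, the ΔT1/ΔT2 limits, the idle timeout and the traffic are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HostEntry:
    """One device packet-sending statistics entry, indexed by (source MAC, source IP)."""
    mac: str
    ip: str
    last_seen: float
    arp_count: int = 0                        # ARP request packet counter
    arp_round_start: float = 0.0              # zero time of the current ARP counting round
    arp_last_seen: float = 0.0                # last ARP request from this host (for dT1)
    arp_below_since: Optional[float] = None   # start of a sub-threshold stretch (for dT2)
    arp_suspicious: bool = False
    conn_count: int = 0                       # new IP connection (TCP/UDP/ICMP) counter
    conn_round_start: float = 0.0
    conn_suspicious: bool = False


class WormDetector:
    def __init__(self, m_arp: int = 20, m_conn: int = 30,
                 t1: float = 30.0, t2: float = 60.0, max_idle: float = 600.0):
        self.m_arp, self.m_conn = m_arp, m_conn   # thresholds M of the description scheme
        self.t1, self.t2 = t1, t2                 # assumed limits for dT1 / dT2
        self.max_idle = max_idle                  # assumed aging timeout for idle entries
        self.table: Dict[Tuple[str, str], HostEntry] = {}

    def _lookup(self, mac: str, ip: str, now: float) -> HostEntry:
        key = (mac, ip)  # index value derived from source MAC and source IP
        entry = self.table.get(key)
        if entry is None:
            entry = HostEntry(mac, ip, now, arp_round_start=now, conn_round_start=now)
            self.table[key] = entry
        entry.last_seen = now
        return entry

    @staticmethod
    def _rate_above(count: int, m: int, round_start: float, now: float) -> Optional[bool]:
        """Once count exceeds M: True if the average rate was above M/s (dt <= 1 s), else False."""
        if count <= m:
            return None
        dt = now - round_start  # time since the last frequency computation
        return dt <= 1.0

    def process(self, now: float, mac: str, ip: str, kind: str) -> Optional[str]:
        """kind: 'arp_req', 'ip_new' (newly built connection) or 'other'."""
        entry = self._lookup(mac, ip, now)
        verdict = None
        if kind == "arp_req":
            entry.arp_count += 1
            entry.arp_last_seen = now
            above = self._rate_above(entry.arp_count, self.m_arp, entry.arp_round_start, now)
            if above is not None:
                entry.arp_count, entry.arp_round_start = 0, now  # next counting round
                if above:
                    entry.arp_suspicious, entry.arp_below_since = True, None
                    verdict = "ARP_SUSPICIOUS"
                elif entry.arp_below_since is None:
                    entry.arp_below_since = now
        elif kind == "ip_new":
            entry.conn_count += 1
            above = self._rate_above(entry.conn_count, self.m_conn, entry.conn_round_start, now)
            if above is not None:
                entry.conn_count, entry.conn_round_start = 0, now
                if above:
                    entry.conn_suspicious = True
                    verdict = "CONN_SUSPICIOUS"
        # Clear the ARP flag when the host has sent no ARP request for dT1, or has
        # stayed below the threshold for dT2.
        if entry.arp_suspicious and verdict is None:
            d_t1 = now - entry.arp_last_seen
            d_t2 = now - entry.arp_below_since if entry.arp_below_since is not None else 0.0
            if d_t1 > self.t1 or d_t2 > self.t2:
                entry.arp_suspicious = False
        return verdict

    def age(self, now: float) -> int:
        """Aging unit: drop entries idle longer than max_idle; return the number dropped."""
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.max_idle]
        for k in stale:
            del self.table[k]
        return len(stale)

    def suspicious_hosts(self) -> List[Tuple[str, str]]:
        return sorted((e.mac, e.ip) for e in self.table.values()
                      if e.arp_suspicious or e.conn_suspicious)


def demo() -> Tuple[WormDetector, List[str]]:
    """Constructed traffic: a scanning host and a normal host, M = 10 ARP requests/s."""
    det, verdicts = WormDetector(m_arp=10, m_conn=10), []
    for i in range(12):  # 12 ARP requests in under half a second: rate above M
        v = det.process(100.0 + i * 0.04, "00:11:22:33:44:55", "10.0.0.5", "arp_req")
        verdicts += [v] if v else []
    for i in range(12):  # 12 ARP requests spread over 22 s: rate below M
        v = det.process(100.0 + i * 2.0, "00:aa:bb:cc:dd:ee", "10.0.0.9", "arp_req")
        verdicts += [v] if v else []
    return det, verdicts
```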
In addition, in this embodiment, to further increase the reliability of the judgement, whether a host is infected by a worm is also judged from two further aspects: abnormal ARP destination address behaviour and abnormal IP target port behaviour. The statistical methods for ARP packet destination address anomalies and IP target port anomalies are as follows:
Computing the ARP packet destination address distribution:
(1) The ARP destination address of this host is registered in the host's entry in the host information hash table; the entry's historical destination address list keeps information about the destination addresses seen within a recent fixed-length time window;
(2) If this destination address is not in the host's list, the counter representing the number of distinct destination addresses is incremented by 1. If it is already in the host's list, this statistic is skipped.
(3) Each time the destination address distribution is computed, the destination address list is first aged. Because each host's historical destination address list is small, the aging strategy can simply traverse the list and delete entries whose creation time is older than the predetermined time.
Computing the IP new-connection packet target port distribution:
(1) For a packet judged to be a new IP connection, its target port is analysed. The host's entry in the host information hash table keeps hit counters for the target ports seen within a recent fixed-length time window.
(2) If the new packet's target port already appears in this historical target port list, the counter for that port is incremented by 1; otherwise this statistic is skipped.
(3) Each time the target port distribution is computed, the target port list is first aged. Because each host's historical target port list is small, the aging strategy can simply traverse the list and delete entries older than the predetermined time.
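The two per-host distribution statistics above, as an added example that is not the patent's code: a per-host entry keeps the distinct ARP destination addresses seen in a recent window and per-target-port hit counters for new IP connections, and both lists are aged by a plain traversal because they are small. It goes slightly beyond the text in one point: it starts a hit counter for every target port it sees rather than only incrementing ports already in the list, so that a host opening many connections to one port stands out. Window lengths, thresholds, the `classify` helper and the sample traffic are constructed.

```python
# Added example, not the patent's code: ARP destination-address spread and target-port
# hit counters per host, each aged by traversing the small per-host list. All numbers,
# the classify() helper and the sample traffic are constructed for illustration.
from typing import Dict, List, Tuple


class HostDistribution:
    """One host-information hash table entry: recent ARP destinations and target-port hits."""

    def __init__(self, window: float):
        self.window = window
        self.arp_dests: Dict[str, float] = {}           # destination IP -> time first seen
        self.distinct_dests = 0                         # counter of distinct destinations in window
        self.ports: Dict[int, Tuple[int, float]] = {}   # port -> (hit count, time first seen)

    def age(self, now: float) -> None:
        """The lists are small, so aging is a plain traversal deleting entries past the window."""
        for ip, t0 in list(self.arp_dests.items()):
            if now - t0 > self.window:
                del self.arp_dests[ip]
                self.distinct_dests -= 1
        for port, (_, t0) in list(self.ports.items()):
            if now - t0 > self.window:
                del self.ports[port]

    def arp_request(self, dest_ip: str, now: float) -> int:
        """Register an ARP destination; returns the current distinct-destination count."""
        self.age(now)
        if dest_ip not in self.arp_dests:     # new address: count it; a repeat is skipped
            self.arp_dests[dest_ip] = now
            self.distinct_dests += 1
        return self.distinct_dests

    def new_connection(self, port: int, now: float) -> int:
        """Register the target port of a new IP connection; returns that port's hit count."""
        self.age(now)
        count, t0 = self.ports.get(port, (0, now))
        self.ports[port] = (count + 1, t0)
        return count + 1


def classify(host: HostDistribution, now: float, max_dests: int, max_port_hits: int) -> List[str]:
    """Constructed decision rule: which of the two anomalies the host currently shows."""
    host.age(now)
    reasons = []
    if host.distinct_dests > max_dests:
        reasons.append("arp_destination_spread")        # one host ARPing many neighbours
    if any(count > max_port_hits for count, _ in host.ports.values()):
        reasons.append("single_port_hammering")         # many new connections to one port
    return reasons


def demo() -> Dict[str, List[str]]:
    """Constructed traffic: a worm-like host ARPs 50 neighbours then opens 40 connections to one port."""
    window = 10.0
    worm, normal = HostDistribution(window), HostDistribution(window)
    for i in range(50):
        worm.arp_request(f"10.0.0.{i + 1}", 0.1 * i)      # t = 0.0 .. 4.9
    for i in range(40):
        worm.new_connection(445, 5.0 + 0.1 * i)           # t = 5.0 .. 8.9
    normal.arp_request("10.0.0.1", 0.0)
    normal.arp_request("10.0.0.1", 1.0)                   # repeat address: not counted twice
    for port in (80, 443, 53):
        normal.new_connection(port, 2.0)
    return {
        "worm": classify(worm, 9.0, max_dests=20, max_port_hits=30),
        "normal": classify(normal, 9.0, max_dests=20, max_port_hits=30),
        "worm_after_window": classify(worm, 30.0, max_dests=20, max_port_hits=30),
    }
```

The third result shows the effect of the window: once the burst is older than the window, aging empties both lists and the host no longer matches, which is why the frequency statistics and the suspect flag of the main method are still needed alongside these distributions.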
The worm detection device of the invention also comprises a man-machine interface 27. When the unit 24 that judges whether the device sending a packet is a suspect device determines that a device is suspected of worm infection, it provides the result to the man-machine interface (UI) 27, performs self-learning according to feedback from the man-machine interface 27, and automatically adjusts the worm behaviour profile to improve detection sensitivity and reduce false positives.
The worm detection device of the invention also comprises a self-learning unit 26, which can automatically adjust the threshold M in the worm behaviour profile according to the detection results. The self-learning method is as follows:
(1) The UI displays to the administrator the host information of hosts suspected of worm infection. The administrator can confirm the suspect hosts. If the administrator confirms that some hosts are false positives, the administrator can report this to the system through the UI.
(2) After receiving the UI feedback, the system automatically adjusts the threshold of each parameter in the worm behaviour profile in combination with the confirmation information fed back by the user. Specifically, when there are many false positives, each threshold is automatically raised by an appropriate amount. When the user confirms all results displayed in the UI as worms, the user is prompted whether to raise detection sensitivity, and sensitivity is adjusted according to the user's operation.
(3) Through a period of self-learning, the system can reduce the false positive rate to within a certain range.
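The feedback loop just described, as an added example that is not the patent's code: the administrator's confirmations from the UI are turned into a false-positive share, thresholds are raised when that share is too high, and when every flagged host is confirmed the user is prompted and thresholds are lowered only if the user asks for more sensitivity. The patent says only that thresholds are "raised by an appropriate amount"; the multiplicative step, the false-positive limit, the profile fields and the `Feedback` record are constructed.

```python
# Added example, not the patent's code: threshold self-learning from operator feedback.
# The step factor, the false-positive limit and the profile fields are constructed.
from dataclasses import dataclass, replace
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Profile:
    """Constructed worm behaviour profile thresholds."""
    arp_rate: float          # ARP requests per second
    conn_rate: float         # new IP connections per second
    max_distinct_dests: int  # distinct ARP destinations in the window


@dataclass(frozen=True)
class Feedback:
    """One round of UI confirmation: how many hosts were shown, how many were confirmed."""
    flagged: int
    confirmed: int


def false_positive_rate(fb: Feedback) -> float:
    if fb.flagged == 0:
        return 0.0
    return (fb.flagged - fb.confirmed) / fb.flagged


def adjust(profile: Profile, fb: Feedback, fp_limit: float = 0.2, step: float = 1.25,
           user_wants_more_sensitivity: bool = False) -> Tuple[Profile, str]:
    """Return the adjusted profile and what was done: 'raised', 'lowered', 'prompt_user', 'unchanged'."""
    if false_positive_rate(fb) > fp_limit:
        # too many false positives: raise every threshold so fewer hosts match
        return replace(profile,
                       arp_rate=profile.arp_rate * step,
                       conn_rate=profile.conn_rate * step,
                       max_distinct_dests=round(profile.max_distinct_dests * step)), "raised"
    if fb.flagged > 0 and fb.confirmed == fb.flagged:
        # everything confirmed: offer more sensitivity, lower thresholds only on the user's say-so
        if user_wants_more_sensitivity:
            return replace(profile,
                           arp_rate=profile.arp_rate / step,
                           conn_rate=profile.conn_rate / step,
                           max_distinct_dests=max(1, round(profile.max_distinct_dests / step))), "lowered"
        return profile, "prompt_user"
    return profile, "unchanged"


def learn(profile: Profile, rounds: Iterable[Feedback]) -> Profile:
    """Apply several rounds of feedback in sequence, as the 'period of self-learning' does."""
    for fb in rounds:
        profile, _ = adjust(profile, fb)
    return profile
```

Raising thresholds multiplicatively rather than by a fixed amount keeps the adjustment proportional across parameters with different scales; a practitioner would also cap the number of consecutive raises so that a run of benign noise cannot push the profile to the point where real scans go unnoticed.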
The worm detection device of the invention also comprises an aging unit 25, which discards or replaces statistical information that meets the aging requirement. The key points of aging are as follows:
(1) When to age: each time data collection needs to create a new entry in the host information hash table or the IP connection information hash table, the remaining memory is checked. If the proportion of remaining memory is below the set threshold, the aging operation on the two hash tables is entered; otherwise the aging process is skipped.
(2) Aging process: for the host information hash table, aging begins from the entry corresponding to the hash key following the hash value at which the previous aging process stopped. If the time since the device described in an entry last sent a packet exceeds a preset aging time, and the device is not currently suspect, the entry is deleted from the hash table; if a linked list is used to resolve hash collisions, the linked list management method is used to delete the entry from the hash table and release the memory it occupies. If further entries are chained after this entry, they are aged in turn; otherwise aging continues with the next hash key.
(3) Aging efficiency: so that aging does not take too much time, each aging pass ages at most a predefined number N of distinct keys, or at most a predefined total of M entries. In a hash table that resolves collisions by chaining, each key corresponds to a chain, so several entries may be aged within the chain of one key. For efficiency, the total number aged is the smaller of the two limits. If no entry is deleted during the whole scan, the entry of the device that has gone the longest without sending a network packet is selected and deleted directly.
(4) The hash key at which aging stopped is recorded, so that the next aging pass begins from the entry indexed by the following hash key.
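The four aging points above, as an added example that is not the patent's code: a chained hash table keyed by MAC whose aging pass is triggered when free memory falls below a watermark, resumes from the key after the one where the previous pass stopped, is bounded by N keys or M entries, skips entries that are still suspect, and falls back to evicting the longest-idle entry when a full pass deleted nothing. The bucket count, the hash function, the limits, the memory ratio passed in by the caller and the sample entries are constructed.

```python
# Added example, not the patent's code: resumable, bounded aging of a chained host table.
# Bucket count, hash function, limits and sample entries are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Entry:
    mac: str
    last_packet: float    # time the device last sent a packet
    suspect: bool = False


class AgingHostTable:
    """Chained hash table keyed by MAC, with a resumable aging pass bounded per call."""

    def __init__(self, buckets: int, idle_limit: float, max_keys: int, max_entries: int,
                 mem_low_watermark: float = 0.2):
        self.buckets: List[List[Entry]] = [[] for _ in range(buckets)]
        self.idle_limit = idle_limit
        self.max_keys, self.max_entries = max_keys, max_entries
        self.mem_low_watermark = mem_low_watermark
        self.cursor = 0   # next hash key to age; recorded at the end of each pass

    def _key(self, mac: str) -> int:
        return sum(int(b, 16) for b in mac.split(":")) % len(self.buckets)

    def insert(self, entry: Entry, now: float, free_mem_ratio: float) -> int:
        """Create a new entry; age first if free memory is below the watermark. Returns deletions."""
        deleted = self.age(now) if free_mem_ratio < self.mem_low_watermark else 0
        self.buckets[self._key(entry.mac)].append(entry)
        return deleted

    def age(self, now: float) -> int:
        keys_seen = entries_seen = deleted = 0
        while keys_seen < self.max_keys and entries_seen < self.max_entries:
            chain = self.buckets[self.cursor]
            kept = []
            for e in chain:
                if entries_seen >= self.max_entries:  # M limit hit mid-chain: keep the rest
                    kept.append(e)
                    continue
                entries_seen += 1
                if now - e.last_packet > self.idle_limit and not e.suspect:
                    deleted += 1                     # expired and not suspect: drop, memory freed
                else:
                    kept.append(e)
            chain[:] = kept
            keys_seen += 1
            self.cursor = (self.cursor + 1) % len(self.buckets)   # remember where to resume
        if deleted == 0:
            deleted = self._evict_longest_idle()
        return deleted

    def _evict_longest_idle(self) -> int:
        """Fallback from point (3): delete the entry that has been silent the longest."""
        oldest: Optional[Entry] = None
        for chain in self.buckets:
            for e in chain:
                if oldest is None or e.last_packet < oldest.last_packet:
                    oldest = e
        if oldest is None:
            return 0
        self.buckets[self._key(oldest.mac)].remove(oldest)
        return 1


def demo() -> Dict[str, object]:
    """Constructed run: four seeded hosts, then three inserts under memory pressure."""
    t = AgingHostTable(buckets=4, idle_limit=300.0, max_keys=2, max_entries=10)
    seed = [("00:00:00:00:00:01", 0.0, False), ("00:00:00:00:00:02", 10.0, False),
            ("00:00:00:00:00:03", 20.0, True), ("00:00:00:00:00:04", 990.0, False)]
    for mac, last, sus in seed:
        t.insert(Entry(mac, last, sus), now=last, free_mem_ratio=0.9)   # plenty of memory
    deletions = [t.insert(Entry(mac, 1000.0), now=1000.0, free_mem_ratio=0.1)
                 for mac in ("00:00:00:00:00:05", "00:00:00:00:00:06", "00:00:00:00:00:07")]
    remaining = sorted(e.mac for chain in t.buckets for e in chain)
    return {"deletions": deletions, "remaining": remaining, "cursor": t.cursor}
```

The constructed run shows the bounded pass working through two keys at a time, and on the third insert, with nothing expired in the keys it visited, the fallback evicting the longest-idle entry even though that entry is still flagged suspect. That is what the text specifies; an implementation that wants to keep detection state would prefer non-suspect entries in the fallback.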
The invention is based on analysing worm behaviour characteristics and matching hosts against a worm behaviour characteristic profile. A host that matches is judged to be infected by a worm.
Because the method and device are based on analysing worm behaviour characteristics, they can efficiently detect worms that may be present in the network. The real-time worm monitoring method of the invention can therefore detect worm-infected hosts in the network efficiently and in real time, with advantages such as wide applicability, high performance, adjustable sensitivity and a low false positive rate.

Claims (9)

1. A device for detecting worms, characterised in that it comprises:
a unit that intercepts network packets and processes them, which classifies the collected packets by layer according to the TCP/IP protocol model and establishes a device packet-sending statistics table recording the packet-sending situation of each host;
a unit that judges whether the packet is an ARP request packet; if so, the device packet-sending statistics table is updated, and if not, whether it is a new IP connection is judged;
a unit that judges whether the packet is a new IP connection; if the received packet is not a new connection, no processing is done, and if it is a new connection, the device packet-sending statistics table is updated;
a unit that judges whether the device sending the packet is a suspect device, which judges from the content of the device packet-sending statistics table whether the device sending the packet is a suspect device infected by a worm; if it is a worm-infected device it is marked, and if not, no processing is done.
2. The worm detection device of claim 1, characterised in that the unit that intercepts network data and processes it uses the source MAC address and source IP address in the message as parameters to compute a hash index value, establishes a host information hash table with this index value, and uses this host information hash table to index, by the index value, the device packet-sending statistics table recording the packet-sending situation of each device in the network.
3. The worm detection device of claim 1 or 2, characterised in that it further comprises a self-learning unit, which automatically adjusts the threshold M in the worm behaviour profile when the false positive rate exceeds a certain value.
4. The worm detection device of claim 1 or 2, characterised in that it further comprises an aging unit, which discards or replaces statistical information that meets the aging requirement.
5. The worm detection device of claim 3, wherein the unit that judges whether the device is a suspect device judges whether it is a worm according to the ARP packet destination address distribution.
6. The worm detection device of claim 4, wherein the unit that judges whether the device is a suspect device judges whether it is a worm according to the target port distribution of new IP connection packets.
7. A method for detecting worms, characterised in that it comprises:
a step of intercepting network packets and processing them, in which the collected packets are classified by layer according to the TCP/IP protocol model and a device packet-sending statistics table recording the packet-sending situation of each host is established;
a step of judging whether the packet is an ARP request packet; if so, the device packet-sending statistics table is updated, and if not, whether it is a new IP connection is judged;
a step of judging whether the packet is a new IP connection; if not, the method returns to the step of intercepting network packets and processing them, and if it is a new connection, the device packet-sending statistics table is updated;
a step of judging whether the device sending the packet is a suspect device, which judges from the ARP request packet sending frequency and the new IP connection frequency whether it is a suspect device infected by a worm; if it is a worm-infected device it is marked, and if not, the method returns to the step of intercepting network packets and processing them.
8. The worm detection method of claim 7, characterised in that the frequency of new connections is computed from the threshold M set in the worm behaviour profile and the time difference Δt between the last frequency computation and the current time.
9. The worm detection method of claim 7, characterised in that it further comprises a self-learning step, which automatically adjusts the threshold M in the worm behaviour profile when the false positive rate exceeds a certain value.
CNA2006101652900A 2006-12-15 2006-12-15 Devices for self-learned detecting helminth and method thereof Pending CN101202744A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2006101652900A CN101202744A (en) 2006-12-15 2006-12-15 Devices for self-learned detecting helminth and method thereof

Publications (1)

Publication Number Publication Date
CN101202744A true CN101202744A (en) 2008-06-18

Family

ID=39517707

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2006101652900A Pending CN101202744A (en) 2006-12-15 2006-12-15 Devices for self-learned detecting helminth and method thereof

Country Status (1)

Country Link
CN (1) CN101202744A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102487339A (en) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 Attack preventing method for network equipment and device
CN102487339B (en) * 2010-12-01 2015-06-03 中兴通讯股份有限公司 Attack preventing method for network equipment and device
CN104539554A (en) * 2014-12-22 2015-04-22 上海斐讯数据通信技术有限公司 Message transmission method and message processing system
CN104539554B (en) * 2014-12-22 2018-05-18 上海斐讯数据通信技术有限公司 A kind of message transmitting method and message handling system
CN109245955A (en) * 2017-07-10 2019-01-18 阿里巴巴集团控股有限公司 A kind of data processing method, device and server
CN111245855A (en) * 2020-01-17 2020-06-05 杭州迪普科技股份有限公司 Method and device for inhibiting virus from spreading in local area network
CN111245855B (en) * 2020-01-17 2022-04-26 杭州迪普科技股份有限公司 Method and device for inhibiting virus from spreading in local area network
CN111597556A (en) * 2020-05-21 2020-08-28 四川英得赛克科技有限公司 ARP scanning detection method and system applied to industrial control environment
CN111597556B (en) * 2020-05-21 2023-05-02 四川英得赛克科技有限公司 ARP scanning detection method and system applied to industrial control environment
CN112532615A (en) * 2020-11-26 2021-03-19 深圳供电局有限公司 Smart grid worm detection method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080618