CN1549126A - Method for detecting worm virus and delaying virus spreading - Google Patents


Info

Publication number
CN1549126A
Authority
CN
China
Prior art keywords
virus
network
ids
detection system
intruding detection
Prior art date
Legal status
Pending
Application number
CNA031310575A
Other languages
Chinese (zh)
Inventor
刘秋实
谢书强
徐树军
Current Assignee
BEIJING AIDIAN NETWORK TECHNOLOGY Co Ltd
Original Assignee
BEIJING AIDIAN NETWORK TECHNOLOGY Co Ltd
Priority date 2003-05-16
Filing date 2003-05-16
Publication date 2004-11-24
Application filed by BEIJING AIDIAN NETWORK TECHNOLOGY Co Ltd
Priority to CNA031310575A
Publication of CN1549126A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention is a method for detecting worm viruses and delaying their propagation. A virus protection system is deployed in the network, comprising a virus monitoring program and an intrusion detection system (IDS). The virus monitoring program monitors every computer connected to the network and the number of connections each makes to other networked computers, sets a threshold on that number of connections, forcibly drops connections that exceed the threshold and sends an alarm to the IDS. The IDS receives the virus alarms and performs statistical analysis to form a complete virus statistical report. The method can determine the virus source, delay the propagation of the virus and protect the normal operation of the network.

Description

Method for detecting worm viruses and delaying virus spreading
Technical field
The present invention relates to the field of network security technology, and in particular to a method that uses an IDS to detect worm viruses and delay virus spreading.
Background technology
At present, worm viruses are mostly detected by real-time virus scanners. The main detection method is the traditional signature-based approach: virus researchers first analyze virus samples, extract virus signatures and update the virus signature database, and only then can the scanner detect the virus. A fatal defect of this method is that when a virus mutates and its signature changes, a new signature database is required. Another method is to detect worm viruses with an IDS (Intrusion Detection System), which is likewise based on virus signatures. Neither method can adapt to virus mutations or the appearance of new worm viruses, and neither can stop or delay the spread of a virus.
On the other hand, once a worm virus breaks out it generates a large volume of data on the network, placing heavy pressure on network devices, the IDS and other virus scanners, and may even cause these devices to deny service, paralyzing the whole network system, the IDS and the other virus detection systems.
Another important aspect of controlling worm viruses is determining the virus source. In an enterprise network system, if a virus outbreak causes the network system to collapse, the source of the virus within the network cannot be determined.
Summary of the invention
The objective of the invention is to overcome the deficiencies of existing virus detection techniques by providing a method that can stop or delay virus spreading, adapts effectively to virus mutations and outbreaks of unknown worm viruses, finds the source of the virus, and stops or delays its propagation, so that virus detection is completed while the network system continues to operate normally.
The technical scheme that achieves the object of the invention is as follows:
To overcome the problems that existing virus detection techniques cannot adapt to virus mutations, cannot determine the virus source and cannot restrain the speed of virus propagation, the invention provides a new detection method. The method for detecting worm viruses and delaying virus spreading provided by the invention is characterized in that it uses a virus protection system deployed in the network, the virus protection system comprising a virus monitoring program and an intrusion detection system (IDS); the virus monitoring program monitors the number of connections from any computer connected to the network to the other computers connected to the network; a threshold is set to limit that number of connections; connections exceeding the threshold are forcibly dropped; and an alarm is sent to the intrusion detection system IDS.
Because the invention combines the virus monitoring program with an IDS reasonably deployed in the network to form an interacting virus detection and protection system, it can effectively find the virus and its source, delay the speed of virus propagation and protect the normal operation of the network system.
Experiments show that once a virus has invaded a computer, it makes that computer connect to as many other computers as possible as quickly as possible, spreading the virus rapidly. Therefore one key of this technique is that the virus monitoring program monitors the number of connections between the local machine and other computers, sets a threshold limiting the number of connections from the local machine to other computers, and forcibly drops the connections that exceed the threshold. This relieves the pressure that virus spreading places on the network, so the intrusion detection system IDS can also operate normally. Only the combination of the virus monitoring program and the IDS can therefore effectively detect worm viruses and delay their propagation.
The virus protection system of the invention, which implements the method for detecting worm viruses and delaying virus spreading, comprises a virus monitoring program, an intrusion detection system IDS and the switches that exchange data in the network; the virus monitoring program and the IDS communicate over the computer network using standard network protocols; the virus monitoring program is installed on every computer connected to the network, and the IDS is connected to a switch through a network interface.
The technical means adopted by the invention to solve its technical problem is as follows: a virus monitoring program is installed on every computer in the network to monitor the connections initiated from the local machine to other computers. If, within a defined unit of time, the local machine attempts to connect to a large number of computers (exceeding the threshold), the virus monitoring program limits the number of connections between the local machine and other computers, thereby delaying virus spreading. The IDS is installed at a suitable position in the network to detect the propagation of the virus. Because the virus monitoring program limits the speed of virus propagation and relieves the pressure on the network, the IDS can operate normally, perform continuous multi-packet analysis and detect the virus accurately. With IDS systems deployed at different positions in the network, the source of the virus can be determined and the scope of the infection analyzed. When the virus monitoring program begins limiting the number of network connections it can also send a specific alarm message to the IDS, and the IDS determines the source of the virus from the alarm messages.
The method of the invention for detecting worm viruses and delaying virus spreading comprises the following steps:
A. intercept the data sent from the application layer of a computer connected to the network to the TCP/IP core;
B. analyze the destination addresses and count the connections from the local machine to other computers, including TCP connections initiated by the local machine to other computers and UDP packets sent by the local machine;
C. judge whether the destination address is the address of the intrusion detection system IDS; data destined for the IDS is forwarded to the network interface;
D. for data not destined for the IDS, judge whether the specified threshold is exceeded; if it is, drop the data and send an alarm message to the IDS, otherwise forward the data to the network interface;
E. the intrusion detection system IDS receives the virus alarms sent to it, performs statistical analysis and forms a complete virus statistical report.
The beneficial effect of the invention is that the virus source can be determined and the virus brought under control at the initial stage of the outbreak, preventing its wide-scale distribution and delaying its speed of propagation, so that the network system continues to operate normally.
Description of drawings
Fig. 1 shows a typical deployment of the virus detection and protection system in a network.
Fig. 2 is a schematic diagram of the virus monitoring program module and illustrates the basic working principle of the monitoring module.
In Fig. 1, computers A, B, C, D ... are equipped with the virus monitoring program, and IDS is an intrusion detection system.
Embodiment
As shown in Fig. 1, one IDS is deployed in each subnet of the LAN (Local Area Network), and the virus monitoring program is installed on every computer. The intrusion detection system IDS is a kind of network security device that may be implemented in hardware or in software. A hardware IDS can be connected directly to a switch through a network interface, while a software IDS must be installed on a computer and connected to a switch through that computer's network interface. The embodiment of the invention uses a software IDS. The virus monitoring program and the IDS communicate over the computer network using standard network protocols: the virus monitoring agent sends alarm messages to the IDS in the network through the network interface of the computer on which it resides. If computer A in subnet 1 is infected with a worm virus, then when A attempts to infect the other computers in the subnet it rapidly connects to them, generating a large volume of network traffic that may bring down the IDS so that the virus spreading cannot be identified. If the virus monitoring program on computer A controls the connections initiated by the machine in time, the network load is greatly relieved, so the IDS can operate normally and detect the virus spreading.
By deploying IDS systems in the different subnets of the network, the virus can be found and controlled according to the source at which the virus spreading is first detected, or from which the alarm of the virus monitoring program is first received.
As shown in Fig. 2, the virus monitoring program intercepts the data of the TCP/IP core and first judges whether the destination address is the address of the IDS; data destined for the IDS is forwarded to the network interface. For data not destined for the IDS, it judges whether the specified threshold is exceeded; if so, the data is dropped and an alarm message is sent to the IDS, otherwise the data is forwarded to the network interface.
The virus monitoring program can be implemented in several ways, for example by modifying the intermediate-layer driver or by modifying the network card driver; its basic purpose is to intercept the data sent by the local machine and limit the number of connections to other computers.
The virus monitoring program of this embodiment modifies the export table of the intermediate-layer driver NDIS.sys so that the packet sending and collecting functions exported by NDIS point to functions provided by the monitoring program, thereby monitoring data transmission.
An NDIS intermediate-layer driver fills in two tables, NDIS_MINIPORT_CHARACTERISTICS and NDIS_PROTOCOL_CHARACTERISTICS, and calls the NDIS API functions NdisIMRegisterLayeredMiniport and NdisRegisterProtocol to register the entry functions of the intermediate-layer driver. The NDIS_PROTOCOL_CHARACTERISTICS and NDIS_MINIPORT_CHARACTERISTICS tables hold the entry points of all the dispatch functions of the protocol driver and the lower layer, such as SendHandler, ReceiveHandler and BindAdapterHandler. When a packet arrives at the network card, the protocol driver is notified through the ReceiveHandler or ReceivePacketHandler in the table that a packet for this protocol has arrived; conversely, the protocol driver sends packets to the network card through the SendHandler or SendPacketsHandler functions. Therefore, by modifying the addresses of the NdisRegisterProtocol, NdisIMRegisterLayeredMiniport, NdisDeRegisterProtocol, NdisOpenAdapter and NdisCloseAdapter functions in ndis.sys, control over packet transmission is finally achieved.
The virus monitoring module intercepts the data transmitted by the TCP/IP core, analyzes the destination addresses and counts the connections from the local machine to other computers, including TCP connections initiated by the local machine to other computers and UDP packets sent by the local machine. If, within the defined unit of time, the local machine attempts to connect to more computers than the specified threshold, all packets with which the local machine actively connects to other computers are dropped and an alarm message is sent to the IDS at the same time.
The IDS receives the virus alarms sent by the virus monitoring program, performs statistical analysis and forms a complete virus statistical report.
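The per-host throttle of steps A to E and the monitoring-module behaviour of the embodiment (count distinct destinations per unit of time, let IDS-bound traffic through, drop and alarm once the threshold is exceeded, and have the IDS treat the earliest alarm as the suspected source), as an added Python example that is not part of the patent. The patent's own monitoring program runs inside an NDIS driver; here the packet hook is replaced by a plain function call on constructed packets. All addresses, the threshold of 10 distinct destinations per second and the packet sequence are constructed assumptions.

```python
"""Added example (not from the patent): per-host connection throttle plus IDS alarm collector."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Outbound packet as seen between the application layer and the TCP/IP core (constructed)."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    syn: bool = False   # TCP only: True on the segment that initiates a connection

    def initiates_connection(self) -> bool:
        # Step B: only TCP connection initiations and UDP datagrams are counted.
        return self.proto == "udp" or (self.proto == "tcp" and self.syn)


@dataclass(frozen=True)
class Alarm:
    """Alarm message sent to the IDS when the monitor starts limiting (constructed format)."""
    host: str
    time: float
    distinct_targets: int


class HostMonitor:
    """Virus monitoring program of one host: steps A to D of the method."""

    def __init__(self, host: str, ids_addr: str, threshold: int = 10, window: float = 1.0):
        self.host, self.ids_addr = host, ids_addr
        self.threshold = threshold               # max distinct destinations per window
        self.window = window                     # the "unit of time", in seconds
        self._last_seen: Dict[str, float] = {}   # destination -> time of last attempt
        self.limiting = False
        self.alarms_sent = 0
        self.dropped = 0

    def _distinct_targets(self, now: float) -> int:
        cutoff = now - self.window               # forget attempts older than one window
        self._last_seen = {d: t for d, t in self._last_seen.items() if t > cutoff}
        return len(self._last_seen)

    def handle(self, pkt: Packet, now: float) -> Tuple[str, Optional[Alarm]]:
        """Return ("forward" or "drop", alarm-or-None) for one intercepted packet."""
        if pkt.dst == self.ids_addr:             # step C: traffic to the IDS always passes
            return "forward", None
        if not pkt.initiates_connection():       # data on established connections is not counted
            return "forward", None
        self._last_seen[pkt.dst] = now           # attempts count, whether or not they succeed
        if self._distinct_targets(now) > self.threshold:   # step D: over threshold
            alarm = None
            if not self.limiting:                # alarm once, when limiting begins
                self.limiting = True
                self.alarms_sent += 1
                alarm = Alarm(self.host, now, len(self._last_seen))
            self.dropped += 1
            return "drop", alarm
        self.limiting = False                    # attempts aged out of the window: resume
        return "forward", None


class IdsCollector:
    """Step E: the IDS gathers alarms and forms the statistical report."""

    def __init__(self, addr: str):
        self.addr = addr
        self.alarms = []

    def receive(self, alarm: Alarm) -> None:
        self.alarms.append(alarm)

    def report(self) -> dict:
        first = min(self.alarms, key=lambda a: a.time, default=None)   # earliest alarm = source
        return {"suspected_source": first.host if first else None,
                "alarms_per_host": dict(Counter(a.host for a in self.alarms)),
                "total_alarms": len(self.alarms)}


def simulate_outbreak() -> dict:
    """Constructed scenario: host A bursts SYNs to 15 neighbours in 150 ms, host B is normal."""
    ids = IdsCollector("10.0.0.250")
    mon_a = HostMonitor("10.0.1.5", ids.addr, threshold=10, window=1.0)
    mon_b = HostMonitor("10.0.1.6", ids.addr, threshold=10, window=1.0)
    actions_a = []
    for i in range(15):
        action, alarm = mon_a.handle(Packet("10.0.1.5", f"10.0.1.{100 + i}", "tcp", syn=True), 0.01 * i)
        actions_a.append(action)
        if alarm:
            ids.receive(alarm)
    # While A is limited, established-connection data and the alarm path to the IDS still pass.
    data_action, _ = mon_a.handle(Packet("10.0.1.5", "10.0.1.100", "tcp", syn=False), 0.20)
    ids_action, _ = mon_a.handle(Packet("10.0.1.5", ids.addr, "udp"), 0.21)
    actions_b = [mon_b.handle(Packet("10.0.1.6", f"10.0.1.{200 + i}", "tcp", syn=True), 0.05 * i)[0]
                 for i in range(3)]
    later_action, _ = mon_a.handle(Packet("10.0.1.5", "10.0.1.100", "tcp", syn=True), 2.0)
    return {"a_forwarded": actions_a.count("forward"), "a_dropped": actions_a.count("drop"),
            "a_alarms": mon_a.alarms_sent, "a_established_data": data_action,
            "a_to_ids": ids_action, "a_after_window": later_action,
            "b_forwarded": actions_b.count("forward"), "report": ids.report()}


if __name__ == "__main__":
    print(simulate_outbreak())
```

In the constructed run, A's first ten distinct destinations are forwarded, the eleventh attempt triggers the single alarm and every further connection attempt in the window is dropped, while A's established-connection data, its packets to the IDS and host B's three ordinary connections pass; two seconds later the window has aged out and A may connect again. The IDS report names A as the suspected source because its alarm arrived first.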

Claims (4)

1. A method for detecting worm viruses and delaying virus spreading, characterized in that it uses a virus protection system deployed in the network, the virus protection system comprising a virus monitoring program and an intrusion detection system IDS; the virus monitoring program monitors the number of connections from any computer connected to the network to the other computers connected to the network; a threshold is set to limit the number of connections from a networked computer to the other networked computers; connections exceeding the threshold are forcibly dropped; and an alarm is sent to the intrusion detection system IDS.
2. The method for detecting worm viruses and delaying virus spreading according to claim 1, characterized in that the method comprises the following steps:
A. intercepting the data sent from the application layer of a computer connected to the network to the TCP/IP core;
B. analyzing the destination addresses and counting the connections from the local machine to other computers, including TCP connections initiated by the local machine to other computers and UDP packets sent by the local machine;
C. judging whether the destination address is the address of the intrusion detection system IDS, and forwarding data destined for the intrusion detection system IDS to the network interface;
D. for data not destined for the intrusion detection system IDS, judging whether the specified threshold is exceeded; if the threshold is exceeded, dropping the data and sending an alarm message to the intrusion detection system IDS, otherwise forwarding the data to the network interface;
E. the intrusion detection system IDS receiving the virus alarms sent to it, performing statistical analysis and forming a complete virus statistical report.
3. The method for detecting worm viruses and delaying virus spreading according to claim 1, characterized in that the virus monitoring program may monitor data transmission by modifying the intermediate-layer driver or by modifying the network card driver.
4. A virus protection system implementing the method for detecting worm viruses and delaying virus spreading, characterized in that it comprises a virus monitoring program, an intrusion detection system IDS and the switches that exchange data in the network; the virus monitoring program and the intrusion detection system IDS communicate over the computer network using standard network protocols; the virus monitoring program is installed on every computer connected to the network; and the intrusion detection system IDS is connected to a switch through a network interface.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA031310575A CN1549126A (en) 2003-05-16 2003-05-16 Method for detecting worm virus and delaying virus spreading

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA031310575A CN1549126A (en) 2003-05-16 2003-05-16 Method for detecting worm virus and delaying virus spreading

Publications (1)

Publication Number Publication Date
CN1549126A true CN1549126A (en) 2004-11-24

Family

ID=34322768

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA031310575A Pending CN1549126A (en) 2003-05-16 2003-05-16 Method for detecting worm virus and delaying virus spreading

Country Status (1)

Country Link
CN (1) CN1549126A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1330131C (en) * 2005-06-10 2007-08-01 广东省电信有限公司研究院 System and method for detecting network worm in interactive mode
CN100377534C (en) * 2006-02-20 2008-03-26 华为技术有限公司 System and method for detecting network worm
WO2008106876A1 (en) * 2007-03-05 2008-09-12 Huawei Technologies Co., Ltd. A system and a method of preventing virus from intruding into a network
CN100433641C (en) * 2005-04-07 2008-11-12 西安交大捷普网络科技有限公司 Method for real-time detecting network worm virus
CN100464548C (en) * 2005-10-10 2009-02-25 广东省电信有限公司研究院 System and method for blocking worm attack
CN111245855A (en) * 2020-01-17 2020-06-05 杭州迪普科技股份有限公司 Method and device for inhibiting virus from spreading in local area network
CN112653702A (en) * 2020-12-25 2021-04-13 沈阳通用软件有限公司 Method for identifying and building agent environment
US12003530B2 (en) 2020-01-17 2024-06-04 Hangzhou Dptech Technologies Co., Ltd. Suppressing virus propagation in a local area network

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100433641C (en) * 2005-04-07 2008-11-12 西安交大捷普网络科技有限公司 Method for real-time detecting network worm virus
CN1330131C (en) * 2005-06-10 2007-08-01 广东省电信有限公司研究院 System and method for detecting network worm in interactive mode
CN100464548C (en) * 2005-10-10 2009-02-25 广东省电信有限公司研究院 System and method for blocking worm attack
CN100377534C (en) * 2006-02-20 2008-03-26 华为技术有限公司 System and method for detecting network worm
WO2008106876A1 (en) * 2007-03-05 2008-09-12 Huawei Technologies Co., Ltd. A system and a method of preventing virus from intruding into a network
CN101022459B (en) * 2007-03-05 2010-05-26 华为技术有限公司 System and method for preventing virus invading network
CN111245855A (en) * 2020-01-17 2020-06-05 杭州迪普科技股份有限公司 Method and device for inhibiting virus from spreading in local area network
CN111245855B (en) * 2020-01-17 2022-04-26 杭州迪普科技股份有限公司 Method and device for inhibiting virus from spreading in local area network
US12003530B2 (en) 2020-01-17 2024-06-04 Hangzhou Dptech Technologies Co., Ltd. Suppressing virus propagation in a local area network
CN112653702A (en) * 2020-12-25 2021-04-13 沈阳通用软件有限公司 Method for identifying and building agent environment
CN112653702B (en) * 2020-12-25 2023-03-10 三六零数字安全科技集团有限公司 Method for identifying establishment of agent environment

Similar Documents

Publication Publication Date Title
US7200866B2 (en) System and method for defending against distributed denial-of-service attack on active network
US6308276B1 (en) SS7 firewall system
CN108063765B (en) SDN system suitable for solving network security
US8089871B2 (en) Method and apparatus for traffic control of dynamic denial of service attacks within a communications network
US7493659B1 (en) Network intrusion detection and analysis system and method
WO2011010823A2 (en) Method for detecting and preventing a ddos attack using cloud computing, and server
CA2954464C (en) Method for detecting an attack on a work environment connected to a communication network
CN103561011A (en) Method and system for preventing blind DDoS attacks on SDN controllers
CN110572412A (en) Firewall based on intrusion detection system feedback in cloud environment and implementation method thereof
CN105681313A (en) Flow detection system and method for virtualization environment
CN1175621C (en) Method of detecting and monitoring malicious user host machine attack
CN106817275A (en) It is a kind of to automate the system and method that prevention and layout process policy conflict
Hegazy et al. A multi-agent based system for intrusion detection
CN101001242A (en) Method of network equipment invaded detection
CN111800419B (en) DDoS attack detection system and method in SDN environment
White et al. Cooperating security managers: Distributed intrusion detection systems
CN1549126A (en) Method for detecting worm virus and delaying virus spreading
CN1564530A (en) Network safety guarded distributing invading detection and internal net monitoring system and method thereof
CN1152517C (en) Method of guarding network attack
CN1848745A (en) Worm virus detecting method based on network flow characteristic
KR20050090640A (en) A system and method for analyzing harmful traffic
CN1317855C (en) Invasion detecting system and its invasion detecting method
CN1349328A (en) Easy-to-expand network invasion detecting and safety auditing system
CN1794718A (en) Linkage protocol of network safety equipment
CN111404869A (en) Network user group security management technology based on proprietary algorithm

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication