CN100433641C - Method for real-time detecting network worm virus - Google Patents
- Publication number: CN100433641C (application CNB2005100419073A)
- Authority: CN (China)
- Prior art keywords: address, packet, network, source, execution
- Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to the technical field of firewalls used in computer networks, and in particular to a method for detecting network worm viruses in real time, which aims to overcome the narrow scope of application, low efficiency and poor implementation effect of the prior art. To overcome these problems, the technical scheme of the method is to identify the virus by analysing the network connection features of the packets received on the firewall, and so detect network worms in real time. The method starts from the worm's propagation mechanism, replaces the prior art's approach of handling a worm only after it has broken out with real-time detection and containment, and, compared with the prior art, has the advantages of wide scope of application, high efficiency and good implementation effect.
Description
Affiliated technical field:
The present invention relates to the field of firewall technology in computer network applications, and specifically to a method for detecting network worm viruses in real time.
Background technology:
A network worm is a malicious program that seriously threatens information system security; it replicates itself and propagates automatically. The rapid, large-scale self-replication and propagation of a network worm consumes large amounts of network resources, causes network congestion or even paralysis, and ultimately causes enormous economic loss.
At present there are mainly three methods for controlling network worms. The first is to prevent worms by installing system patches: because worms mainly attack system vulnerabilities, after a worm outbreak the system vendor releases the latest system patch, which users install by automatic update or manually, thereby controlling the worm. The second relies on traditional anti-virus technology to prevent and treat (kill) the worm after the outbreak: after the outbreak, the anti-virus software vendor analyses the network packets of the propagating worm, finds the features of the worm's packets or the feature strings they contain, and issues the latest anti-virus update, which users install by automatic update or manually, thereby controlling the worm. The third method is similar in principle to the second: after the outbreak, the network administrator finds the transmission features of the worm's network packets and manually adds corresponding filtering rules on routers or firewalls to filter those particular packets, thereby suppressing and slowing the worm's propagation.
The problems common to the prior art are: 1. narrow scope of application: all three methods can only deal with known and widely spread viruses and are powerless against unknown or newly emerging viruses; 2. low efficiency: all three methods have a large lag, since all of them remedy the situation only after the worm has broken out and cannot effectively suppress a rapidly propagating network worm; 3. poor implementation effect: all three methods depend on manual operation, but in real environments, owing to various causes such as users' weak security awareness, the limited technical and management level of network administrators and the operating limitations of organisations, they are implemented poorly and cannot form an effective containment net. Therefore none of the three methods can contain worm viruses well.
Summary of the invention:
The present invention provides a method for detecting network worm viruses in real time, in order to overcome the narrow scope of application, low efficiency and poor implementation effect of the prior art.
To overcome the problems of the prior art, the technical scheme of the present invention is a method for detecting network worm viruses in real time, which identifies the virus by analysing the network connection features of the packets received on the firewall and detects network worms in real time; its concrete steps are as follows:
(1) The concrete analysis process for packets received from the internal network is:
Step 1: receive an IP packet from the internal network port;
Step 2: filter the IP packet according to the firewall filtering rule list; if the filtering rules allow the IP packet to be received, go to step 3, otherwise go to step 1;
Step 3: look up the network connection list by the source IP address, destination IP address, source port number and destination port number of the IP packet to decide whether the packet belongs to one of the connections in the list; if it does, set its state to REPLYED, reset its ageing time to T0 and then go to step 5; if it does not, go to step 4;
The network connection list records the connections currently established; each entry contains the connection's source IP address, destination IP address, source port number, destination port number, connection state and connection ageing time; at initialisation the list is empty, and the connection state is one of two values: NEW, REPLYED; the host connection count table records how the hosts of the internal network are setting up connections, and each entry contains: host IP address, number of unreplied connections;
Step 4: add an entry to the network connection list, setting its source IP address, destination IP address, source port number and destination port number to the corresponding values of the received packet; at the same time set the connection state to NEW and the connection ageing time to T0 seconds; after this processing go to step 9;
Step 5: look up the source IP address of the packet in the host connection count table; if there is a matching entry, add 1 to its number of unreplied connections; if there is no match, add a new entry and set its number of unreplied connections to 1;
Step 6: check the number of unreplied connections in the host connection count table; if it exceeds the predetermined threshold A, go to step 7, otherwise go to step 9;
Step 7: record this source IP address in the log and send an alarm; add a rule to the firewall that drops all packets whose source IP address is this address, the rule being in effect for time T;
Step 8: drop this packet;
Step 9: forward the IP packet to the external network interface according to the routing table;
(2) The concrete analysis process for packets received from the external network is:
Step 1: receive an IP packet from the external network port;
Step 2: filter the IP packet according to the firewall filtering rule list;
Step 3: extract the source IP address, destination IP address, source port number and destination port number of the IP packet and search the network connection list; the search criterion is that the packet's source IP address, destination IP address, source port number and destination port number correspond respectively to the destination IP address, source IP address, destination port number and source port number of an entry. If there is a match, go to step 4, otherwise go to step 6;
Step 4: if the connection state of the matching entry is NEW, change it to REPLYED and go to step 5; if it is REPLYED, go to step 6;
Step 5: look up the destination IP address of the packet in the host connection count table; if there is a match, subtract 1 from its number of unreplied connections; if the number falls to 0, delete the entry;
Step 6: forward the IP packet to the internal network interface according to the routing table.
The timer processing process is:
(1) initialisation: the timer is called by the system's timed interrupt and runs once per second;
(2) step: check each entry in the network connection list in turn, subtract 1 from its connection ageing time, and delete the entry if its ageing time has reached 0.
Analysis of the worm propagation mechanism shows that worm propagation has very obvious, abnormal network transmission features; a host infected by a network worm virus mainly shows the following three features:
(1) It initiates connection requests to computers with different IP addresses at the highest rate it can. The rate at which a host infected by a network worm virus initiates new connections can reach at least 100 Hz or more, while a normal host usually reaches only 0.5 Hz to 2 Hz.
(2) There is no address correlation between its network connections. A host infected by a network worm virus tries to initiate connections to a large number of hosts with different IP addresses, whereas the connections of a normal host show a certain address correlation, such as repeatedly initiating connection requests to the same IP address.
(3) The overwhelming majority of the network connection requests sent by a host infected by a network worm virus receive no reply, whereas among the network connections of a normal host only a small fraction go unanswered.
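The following Python example is added here and is not part of the patent; it scores each internal host on the three features just listed (new-connection rate, share of distinct destinations as a stand-in for missing address correlation, and share of unreplied connections) over a set of connection records. The flow records and the two hosts are constructed; the 100 Hz rate figure is taken from the text above, while the 0.9 cut-offs for the other two ratios are assumptions.

```python
# Added example (not from the patent): profiling internal hosts on the three
# propagation features: new-connection rate, lack of address correlation
# (share of distinct destinations) and share of unreplied connections.
# The flow records are constructed; only the 100 Hz figure comes from the page.
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    t: float        # seconds; time the first outbound packet of the connection was seen
    src: str        # internal host that initiated the connection
    dst: str        # destination address
    replied: bool   # whether any packet came back from dst


def host_profile(flows: List[Flow]) -> Dict[str, Dict[str, float]]:
    """Per internal host: new-connection rate, distinct-destination ratio, unreplied ratio."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    profile: Dict[str, Dict[str, float]] = {}
    for src, fl in by_src.items():
        times = [f.t for f in fl]
        window = max(max(times) - min(times), 1.0)   # at least 1 s so one flow is not an "infinite" rate
        n = len(fl)
        profile[src] = {
            "rate_hz": n / window,
            "distinct_dst_ratio": len({f.dst for f in fl}) / n,
            "unreplied_ratio": sum(1 for f in fl if not f.replied) / n,
        }
    return profile


def suspected_worm_hosts(profile: Dict[str, Dict[str, float]], min_rate_hz: float = 100.0,
                         min_distinct: float = 0.9, min_unreplied: float = 0.9) -> List[str]:
    """Hosts showing all three features at once (the 0.9 cut-offs are assumed values)."""
    return sorted(h for h, p in profile.items()
                  if p["rate_hz"] >= min_rate_hz
                  and p["distinct_dst_ratio"] >= min_distinct
                  and p["unreplied_ratio"] >= min_unreplied)


def constructed_flows() -> List[Flow]:
    """Constructed sample: one ordinary host and one host behaving like an infected one."""
    flows: List[Flow] = []
    # 10.0.0.2: six connections over five seconds, three repeated destinations, one unanswered
    for i in range(6):
        flows.append(Flow(float(i), "10.0.0.2", f"203.0.113.{i % 3}", replied=(i != 5)))
    # 10.0.0.9: 400 connections in about two seconds, every destination different, few answered
    for i in range(400):
        flows.append(Flow(i * 0.005, "10.0.0.9", f"198.51.{i // 256}.{i % 256}", replied=(i % 50 == 0)))
    return flows


if __name__ == "__main__":
    prof = host_profile(constructed_flows())
    for host, p in prof.items():
        print(host, {k: round(v, 2) for k, v in p.items()})
    print("suspected:", suspected_worm_hosts(prof))
```

Requiring all three features together is what keeps a busy but legitimate host (high rate, but repeated destinations and answered connections) out of the suspect list; tuning the two assumed ratios per host role is the same trade-off the patent's threshold A represents.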
The present invention starts from the worm propagation mechanism and replaces the prior art's way of thinking, dealing with a worm only after it has broken out, with real-time detection and prevention; compared with the prior art, its advantages are therefore:
1. Wide scope of application: the present invention can prevent and treat not only known and widely spread viruses but also unknown or newly emerging viruses;
2. High efficiency: the present invention prevents and treats the worm while it is propagating; by analysing the connection state of the packets received by the firewall, it immediately detects worm viruses in the network and locates the computers in the local area network (LAN) infected by the worm virus, then suppresses propagation of the network worm virus in time through automatically set blocking rules, so that a rapidly propagating network worm can be effectively suppressed;
3. Good implementation effect: the present invention does not depend on manual operation; after the firewall detects a worm virus it automatically adds a firewall blocking filter rule that restricts the network communication of the computers infected by the worm virus, so the implementation is effective and an effective containment net can be formed on the network.
Description of drawings:
Fig. 1 is the flow chart for processing packets received from the internal network;
Fig. 2 is the flow chart for processing packets received from the external network;
Fig. 3 is the timer processing flow chart;
Fig. 4 is the operational system diagram of the present invention.
Embodiment:
The present invention is further described below in conjunction with the drawings and an embodiment.
The present invention identifies viruses by analysing the network connection features of the packets received on the firewall, detects network worms in real time, locates the computers in the local area network (LAN) that are infected by a worm virus, and suppresses propagation of the network worm virus in time by automatically setting blocking rules. According to the method of the present invention, a network worm real-time detection and automatic suppression module is added to the firewall device; this module performs real-time detection of, alarming on and automatic suppression of network worm viruses. Referring to Fig. 4, the module sits in the firewall's network protocol stack between the network filtering module and the routing forwarding module. A packet received from a network interface is first filtered by the network filtering module, then detected and processed for network worms by the real-time detection and automatic suppression module, and a packet that passes is handed on to the routing forwarding module.
The concrete steps for building a firewall with this method are:
One, first establish the network connection list and the host connection count table.
(1) The data structure of the network connection list is shown in Table 1:
(Table 1)
Source IP address | Destination IP address | Source port | Destination port | State | Ageing time |
---|---|---|---|---|---|
SIP | DIP | SPORT | DPORT | (NEW, REPLYED) | T0 |
The state of a network connection is one of NEW or REPLYED. NEW means a connection newly initiated by an internal host that has not yet received a reply from outside; REPLYED means a connection initiated by an internal host that has received a reply from outside.
(2) The data structure of the host connection count table is shown in Table 2:
(Table 2)
Host IP address | Number of unreplied connections |
---|---|
HIP | UNREPLYED_NUM |
Two, the real-time detection steps of the firewall so constructed are as follows:
(1) The concrete analysis process for packets received from the internal network:
Step 1: receive an IP packet from the internal network port;
Step 2: filter the IP packet according to the firewall filtering rule list; if the filtering rules allow the IP packet to be received, go to step 3, otherwise go to step 1;
Step 3: look up the network connection list by the source IP address, destination IP address, source port number and destination port number of the IP packet to decide whether the packet belongs to one of the connections in the list; if it does, set its state to REPLYED, reset its ageing time to T0 and then go to step 5; if it does not, go to step 4;
Step 4: add an entry to the network connection list, setting its source IP address, destination IP address, source port number and destination port number to the corresponding values of the received packet; at the same time set the connection state to NEW and the connection ageing time to T0 seconds; after this processing go to step 9;
Step 5: look up the source IP address of the packet in the host connection count table; if there is a matching entry, add 1 to its number of unreplied connections; if there is no match, add a new entry and set its number of unreplied connections to 1;
Step 6: check the number of unreplied connections in the host connection count table; if it exceeds the predetermined threshold A, go to step 7, otherwise go to step 9;
Step 7: record this source IP address in the log and send an alarm; add a rule to the firewall that drops all packets whose source IP address is this address, the rule being in effect for time T;
Step 8: drop this packet;
Step 9: forward the IP packet to the external network interface according to the routing table;
A packet received on the internal network interface is first filtered by the filtering rules of the internal interface and then enters the worm detection module for detection processing. After the worm detection module has processed it, it enters the routing forwarding module.
On the internal interface, the worm detection module maintains the network connection list and the host connection count table and counts, for each host in the internal network, the number of connections it has set up that have received no reply. If a host's number of unreplied connections exceeds the preset threshold, that host can be considered infected by a worm virus and in an abnormal network state. At that point the administrator can be notified of the host's information by log and alarm, and at the same time a blocking rule can be set automatically to suppress propagation of the worm virus from that host to the outside world. When setting the threshold, the administrator can set different thresholds according to the purpose of each internal host, thereby reducing the false-alarm rate.
(2) The concrete analysis process for packets received from the external network is:
Step 1: receive an IP packet from the external network port;
Step 2: filter the IP packet according to the firewall filtering rule list;
Step 3: extract the source IP address, destination IP address, source port number and destination port number of the IP packet and search the network connection list; the search criterion is that the packet's source IP address, destination IP address, source port number and destination port number correspond respectively to the destination IP address, source IP address, destination port number and source port number of an entry. If there is a match, go to step 4, otherwise go to step 6;
Step 4: if the connection state of the matching entry is NEW, change it to REPLYED and go to step 5; if it is REPLYED, go to step 6;
Step 5: look up the destination IP address of the packet in the host connection count table; if there is a match, subtract 1 from its number of unreplied connections; if the number falls to 0, delete the entry;
Step 6: forward the IP packet to the internal network interface according to the routing table.
On the external interface, the worm detection module judges each received packet and sets the connection state of the corresponding connection in the network connection list, that is, whether the connection has received a reply.
The timer module is called periodically by a system interrupt; it mainly performs timeout handling for the connections in the network connection list, removing connections that have had no data exchange for a long time from the network connection table.
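As an added example that is not the patent's own code, the following Python sketch implements the two tables (Table 1 and Table 2), the internal-interface and external-interface processes and the one-second timer that the summary describes and the embodiment above repeats, together with the embodiment's per-host thresholds. T0, A, T and the sample traffic are constructed values. One point is an assumption rather than the page's wording: the example increments a host's unreplied count at the moment a NEW entry is created for it (step 4), following the embodiment's description of the host table as the number of connections set up without a reply; the numbered steps as written route the count through step 5 after step 3.

```python
# Added example (not the patent's code): a worm detector built around the patent's
# two tables (Table 1 network connection list, Table 2 host connection count table),
# the per-second timer and the embodiment's per-host thresholds. T0, A, T and the
# traffic are constructed. Assumption not taken from the page: a host's unreplied
# count is incremented when a NEW entry is created for it.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NEW, REPLYED = "NEW", "REPLYED"
ConnKey = Tuple[str, str, int, int]      # (SIP, DIP, SPORT, DPORT), the Table 1 key


@dataclass
class Conn:
    state: str     # NEW until a reply arrives from outside, then REPLYED
    ageing: int    # seconds left; set to T0 on creation and on every internal packet


class WormDetector:
    def __init__(self, t0: int, threshold_a: int, block_time_t: int,
                 per_host_threshold: Optional[Dict[str, int]] = None):
        self.t0, self.a, self.t = t0, threshold_a, block_time_t
        self.per_host = per_host_threshold or {}   # administrator overrides by host purpose
        self.conns: Dict[ConnKey, Conn] = {}       # Table 1
        self.unreplied: Dict[str, int] = {}        # Table 2: HIP -> UNREPLYED_NUM
        self.blocked: Dict[str, int] = {}          # auto-added drop rules: HIP -> seconds left
        self.alerts: List[str] = []                # what would go to the log / alarm

    def threshold_for(self, host: str) -> int:
        return self.per_host.get(host, self.a)

    def from_internal(self, sip: str, dip: str, sport: int, dport: int) -> str:
        """Packet arriving on the internal interface; returns 'forward' or 'drop'."""
        if sip in self.blocked:                    # step 2: an auto-added block rule matches
            return "drop"
        key = (sip, dip, sport, dport)
        conn = self.conns.get(key)
        if conn is not None:                       # step 3: packet of a known connection
            conn.ageing = self.t0
            return "forward"                       # step 9
        self.conns[key] = Conn(NEW, self.t0)       # step 4: new entry, state NEW, ageing T0
        self.unreplied[sip] = self.unreplied.get(sip, 0) + 1        # step 5
        if self.unreplied[sip] > self.threshold_for(sip):           # step 6: exceeds A?
            self.alerts.append(f"{sip}: {self.unreplied[sip]} unreplied connections")  # step 7
            self.blocked[sip] = self.t             # drop rule in force for T seconds
            return "drop"                          # step 8
        return "forward"                           # step 9

    def from_external(self, sip: str, dip: str, sport: int, dport: int) -> str:
        """Packet arriving on the external interface; marks the reverse connection as replied."""
        key = (dip, sip, dport, sport)             # step 3: reversed 4-tuple lookup
        conn = self.conns.get(key)
        if conn is not None and conn.state == NEW: # step 4: first reply for this connection
            conn.state = REPLYED
            left = self.unreplied.get(dip, 0) - 1  # step 5: one unreplied connection fewer
            if left <= 0:
                self.unreplied.pop(dip, None)      # entry deleted when it reaches 0
            else:
                self.unreplied[dip] = left
        return "forward"                           # step 6

    def tick(self) -> None:
        """Once-per-second timer: age connection entries and expire block rules."""
        for key, conn in list(self.conns.items()):
            conn.ageing -= 1
            if conn.ageing <= 0:
                del self.conns[key]   # the page only removes the entry; the host count is untouched
        for host, left in list(self.blocked.items()):
            if left <= 1:
                del self.blocked[host]
            else:
                self.blocked[host] = left - 1


def simulate() -> dict:
    """Constructed traffic: an ordinary host and a host opening many unanswered connections."""
    det = WormDetector(t0=30, threshold_a=5, block_time_t=600,
                       per_host_threshold={"10.0.0.50": 50})   # e.g. a busy relay host
    for i, dst in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        det.from_internal("10.0.0.2", dst, 40000 + i, 80)
    det.from_external("203.0.113.10", "10.0.0.2", 80, 40000)   # two of the three answered
    det.from_external("203.0.113.11", "10.0.0.2", 80, 40001)
    verdicts = [det.from_internal("10.0.0.9", f"198.51.100.{i + 1}", 50000 + i, 80)
                for i in range(8)]                              # eight distinct, unanswered
    for _ in range(30):                                         # T0 seconds pass
        det.tick()
    return {
        "normal_unreplied": det.unreplied.get("10.0.0.2", 0),
        "scanner_unreplied": det.unreplied.get("10.0.0.9", 0),
        "scanner_verdicts": verdicts,
        "alerts": len(det.alerts),
        "conns_after_t0": len(det.conns),
        "still_blocked": sorted(det.blocked),
    }


if __name__ == "__main__":
    print(simulate())
```

Two behaviours worth noticing when running it: the block rule is checked before any counting, so a blocked host's further packets are dropped without growing its count, and the timer removes aged-out connection entries while leaving the host's unreplied count as it is, exactly as the page states; whether an aged-out NEW entry should also release its count is left open by the text and is a decision an implementer has to make.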
Claims (1)
1. A method for detecting network worm viruses in real time, which identifies the virus by analysing the network connection features of the packets received on the firewall and detects network worms in real time, its concrete steps being as follows:
(1) The concrete analysis process for packets received from the internal network is:
Step 1: receive an IP packet from the internal network port;
Step 2: filter the IP packet according to the firewall filtering rule list; if the filtering rules allow the IP packet to be received, go to step 3, otherwise go to step 1;
Step 3: look up the network connection list by the source IP address, destination IP address, source port number and destination port number of the IP packet to decide whether the packet belongs to one of the connections in the list; if it does, set its state to REPLYED, reset its ageing time to T0 and then go to step 5; if it does not, go to step 4;
The network connection list records the connections currently established; each entry contains the connection's source IP address, destination IP address, source port number, destination port number, connection state and connection ageing time; at initialisation the list is empty, and the connection state is one of two values: NEW, REPLYED; the host connection count table records how the hosts of the internal network are setting up connections, and each entry contains: host IP address, number of unreplied connections;
Step 4: add an entry to the network connection list, setting its source IP address, destination IP address, source port number and destination port number to the corresponding values of the received packet; at the same time set the connection state to NEW and the connection ageing time to T0 seconds; after this processing go to step 9;
Step 5: look up the source IP address of the packet in the host connection count table; if there is a matching entry, add 1 to its number of unreplied connections; if there is no match, add a new entry and set its number of unreplied connections to 1;
Step 6: check the number of unreplied connections in the host connection count table; if it exceeds the predetermined threshold A, go to step 7, otherwise go to step 9;
Step 7: record this source IP address in the log and send an alarm; add a rule to the firewall that drops all packets whose source IP address is this address, the rule being in effect for time T;
Step 8: drop this packet;
Step 9: forward the IP packet to the external network interface according to the routing table;
(2) The concrete analysis process for packets received from the external network is:
Step 1: receive an IP packet from the external network port;
Step 2: filter the IP packet according to the firewall filtering rule list;
Step 3: extract the source IP address, destination IP address, source port number and destination port number of the IP packet and search the network connection list; the search criterion is that the packet's source IP address, destination IP address, source port number and destination port number correspond respectively to the destination IP address, source IP address, destination port number and source port number of an entry; if there is a match, go to step 4, otherwise go to step 6;
Step 4: if the connection state of the matching entry is NEW, change it to REPLYED and go to step 5; if it is REPLYED, go to step 6;
Step 5: look up the destination IP address of the packet in the host connection count table; if there is a match, subtract 1 from its number of unreplied connections; if the number falls to 0, delete the entry;
Step 6: forward the IP packet to the internal network interface according to the routing table.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100419073A CN100433641C (en) | 2005-04-07 | 2005-04-07 | Method for real-time detecting network worm virus |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1674530A CN1674530A (en) | 2005-09-28 |
CN100433641C true CN100433641C (en) | 2008-11-12 |
Family
ID=35046812
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2005100419073A Expired - Fee Related CN100433641C (en) | 2005-04-07 | 2005-04-07 | Method for real-time detecting network worm virus |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100433641C (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8020207B2 (en) * | 2007-01-23 | 2011-09-13 | Alcatel Lucent | Containment mechanism for potentially contaminated end systems |
CN101184094B (en) * | 2007-12-06 | 2011-07-27 | 北京启明星辰信息技术股份有限公司 | Network node scanning detection method and system for LAN environment |
CN101854342A (en) * | 2009-03-31 | 2010-10-06 | 凹凸电子(武汉)有限公司 | Application program identification system and device and method for identifying network application program |
CN101707539B (en) * | 2009-11-26 | 2012-01-04 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting worm virus and gateway equipment |
CN102123396B (en) * | 2011-02-14 | 2014-08-13 | 恒安嘉新(北京)科技有限公司 | Cloud detection method of virus and malware of mobile phone based on communication network |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002061510A2 (en) * | 2001-01-31 | 2002-08-08 | Lancope, Inc. | Network port profiling |
CN1549126A (en) * | 2003-05-16 | 2004-11-24 | 北京爱迪安网络技术有限公司 | Method for detecting worm virus and delaying virus spreading |
US20050005017A1 (en) * | 2003-07-03 | 2005-01-06 | Arbor Networks, Inc. | Method and system for reducing scope of self-propagating attack code in network |
CN1571362A (en) * | 2004-05-14 | 2005-01-26 | 清华大学 | Early stage prewarning method for Internet worm virus |
Events
- 2005-04-07: CN application CNB2005100419073A, granted as CN100433641C; not active (Expired - Fee Related)
Also Published As
Publication number | Publication date |
---|---|
CN1674530A (en) | 2005-09-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN100471172C (en) | | Method for implementing black sheet |
CN101087196B (en) | | Multi-layer honey network data transmission method and system |
US8122494B2 (en) | | Apparatus and method of securing network |
CN101547187B (en) | | Network attack protection method for broadband access equipment |
CN101640666B (en) | | Device and method for controlling flow quantity facing to target network |
CN100428688C (en) | | Protective method for network attack |
CN1330131C (en) | | System and method for detecting network worm in interactive mode |
US7830898B2 (en) | | Method and apparatus for inter-layer binding inspection |
US20050182950A1 (en) | | Network security system and method |
US20040255162A1 (en) | | Security gateway system and method for intrusion detection |
CN100433641C (en) | | Method for real-time detecting network worm virus |
CN110933111B (en) | | DDoS attack identification method and device based on DPI |
CN101605061B (en) | | Method and device for preventing denial service attack in access network |
CN101001242A (en) | | Method of network equipment invaded detection |
CN101022343A (en) | | Network invading detecting/resisting system and method |
KR20010095337A (en) | | Firewall system combined with embeded hardware and general-purpose computer |
CN107733867B (en) | | Botnet discovery and protection method, system and storage medium |
KR100479202B1 (en) | | System and method for protecting from ddos, and storage media having program thereof |
CN105207997A (en) | | Anti-attack message forwarding method and system |
CN106506531A (en) | | The defence method and device of ARP attack messages |
CN101582880B (en) | | Method and system for filtering messages based on audited object |
CN101741570A (en) | | Method for controlling reverse data connection based on honeynet |
CN101202744A (en) | | Devices for self-learned detecting helminth and method thereof |
CN111371750A (en) | | Intrusion prevention system and intrusion prevention method based on computer network |
KR101074198B1 (en) | | Method and system for isolating the harmful traffic generating host from the network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | C14 | Grant of patent or utility model | |
 | GR01 | Patent grant | |
 | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20081112; Termination date: 20210407 |