CN101599969B - Method for extracting worm features and device thereof - Google Patents


Info

Publication number
CN101599969B
Authority
CN
China
Prior art keywords
byte sequence
network packet
false alarm
worm
rate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 200910088358
Other languages
Chinese (zh)
Other versions
CN101599969A (en)
Inventor
陈厅
张小松
孙志敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
University of Electronic Science and Technology of China
Huawei Symantec Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China and Huawei Symantec Technologies Co Ltd
Priority to CN 200910088358
Publication of CN101599969A
Application granted
Publication of CN101599969B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the invention relate to a method and device for extracting worm features. The method comprises: acquiring network packets; extracting byte sequences from the network packets; calculating the false alarm rate of each byte sequence in normal network packets; and assembling the byte sequences whose false alarm rate is less than or equal to a preset value into worm features. The device comprises functional modules for executing the method. The embodiments introduce the calculation of false alarm rates into the process of assembling byte sequences into worm features and assemble the worm features according to those rates, so that the worm features meet a false alarm rate requirement, which improves the accuracy of assembling worm features in real time.

Description

Worm feature extracting method and device
Technical field
The embodiments of the invention relate to worm feature extraction technology, and in particular to a worm feature extraction method and device.
Background technology
A large number of identical or similar applications are in widespread use on the network. Worms exploit vulnerabilities in these applications to spread automatically, and their propagation speed and the damage they cause are alarming. At present there are two major research directions in worm detection and defence: misuse detection and anomaly detection.
The idea behind misuse detection is to compare known worm features against network packets; if a packet contains a worm feature, a worm is considered detected. A worm feature is one or more byte sequences taken from a worm sample. An accurate worm feature should appear in every copy of the worm and should not appear in other worms or in normal network packets. A polymorphic worm typically produces samples that are functionally identical but differ when viewed as bytes; each such sample is a copy of that worm. The idea behind anomaly detection is to model the network under normal conditions; if, during detection, the observed network state does not match the normal model, a worm is considered detected.
However, in the course of the research leading to the present invention, the inventors found that these schemes suffer from poor accuracy; in particular, the accuracy of extracting worm features from highly polymorphic worms is low.
Summary of the invention
The embodiments of the invention provide a worm feature extraction method and device, so as to improve the accuracy of worm features extracted in real time.
An embodiment of the invention provides a worm feature extraction method, comprising:
acquiring network packets;
extracting byte sequences from the acquired network packets, comprising: extracting the byte sequences whose length is greater than or equal to a predefined minimum length value and whose number of occurrences is greater than or equal to a predefined minimum count value;
identifying, among the byte sequences, pairs that stand in a substring/parent-string relation, and, when the network data flows that contain the substring byte sequence also contain the parent-string byte sequence, determining that the substring byte sequence is a useless byte sequence and removing it;
calculating, in normal network packets acquired in advance, the false alarm rate of each byte sequence, and assembling the byte sequences whose false alarm rate is less than or equal to a preset value into worm features, where the false alarm rate is the probability with which normal network packets that contain the byte sequence occur among all normal network packets.
An embodiment of the invention also provides a worm feature extraction device, comprising:
a network packet acquisition module, for acquiring network packets;
a byte sequence extraction module, for extracting byte sequences from the acquired network packets;
a worm feature assembly module, for calculating, in normal network packets acquired in advance, the false alarm rate of each byte sequence, and assembling the byte sequences whose false alarm rate is less than or equal to a preset value into worm features, where the false alarm rate is the probability with which normal network packets that contain the byte sequence occur among all normal network packets;
wherein the byte sequence extraction module comprises: a first parameter parsing unit, for parsing the source IP address, destination IP address and destination port number from each network packet; a first data flow assembly unit, for assembling the network packets with the same source IP address, destination IP address and destination port number into one network data flow; and a byte sequence extraction sub-unit, for extracting byte sequences from each network data flow;
wherein the byte sequence extraction sub-unit comprises: a length value setting sub-unit, for storing the predefined minimum length value of the byte sequences to be extracted; a count value setting sub-unit, for storing the predefined minimum count value of the byte sequences to be extracted; and an extraction sub-unit, for extracting the byte sequences whose length is greater than or equal to the predefined minimum length value and whose number of occurrences in the network data flows is greater than or equal to the predefined minimum count value;
and further comprising a useless byte sequence removal module, comprising: an identification unit, for identifying, among the byte sequences, pairs that stand in a substring/parent-string relation; a judging unit, for determining that the substring byte sequence is a useless byte sequence when the network data flows that contain the substring byte sequence are judged to also contain the parent-string byte sequence; and a removal unit, for removing the useless byte sequence.
As can be seen from the above technical scheme, the embodiments of the invention introduce the calculation of false alarm rates into the process of assembling byte sequences into worm features and assemble the worm features according to those rates, so that the worm features satisfy the false alarm rate requirement, which improves the accuracy of worm features assembled in real time. Because byte sequence extraction, false alarm rate calculation and worm feature assembly can all be completed automatically, the investment of human resources and the cost are reduced, and worm features can be extracted immediately when a new worm appears, so real-time performance is strongly guaranteed.
Description of drawings
Fig. 1 is a flow chart of the worm feature extraction method provided by the first embodiment of the invention;
Fig. 2 is a flow chart of extracting byte sequences in the worm feature extraction method provided by the second embodiment of the invention;
Fig. 3 is a flow chart of capturing network packets in the worm feature extraction method provided by the third embodiment of the invention;
Fig. 4 is a flow chart of a preferred implementation of removing useless byte sequences in the worm feature extraction method provided by the fifth embodiment of the invention;
Fig. 5 is a flow chart of assembling worm features in the worm feature extraction method provided by the sixth embodiment of the invention;
Fig. 6 is a flow chart of a preferred implementation of assembling worm features in the worm feature extraction method provided by the seventh embodiment of the invention;
Fig. 7 is a flow chart of the worm feature extraction method provided by the eighth embodiment of the invention;
Fig. 8 is a structural diagram of the worm feature extraction device provided by the ninth embodiment of the invention;
Fig. 9 is a structural diagram of the byte sequence extraction module in the worm feature extraction device provided by the tenth embodiment of the invention;
Fig. 10 is a structural diagram of the network packet acquisition module in the worm feature extraction device provided by the eleventh embodiment of the invention;
Fig. 11 is a structural diagram of the byte sequence extraction sub-unit in the worm feature extraction device provided by the twelfth embodiment of the invention;
Fig. 12 is a structural diagram of the useless byte sequence removal module in the worm feature extraction device provided by the thirteenth embodiment of the invention;
Fig. 13 is a structural diagram of the worm feature assembly module in the worm feature extraction device provided by the fourteenth embodiment of the invention;
Fig. 14 is a structural diagram of the worm feature assembly sub-unit in the worm feature extraction device provided by the fifteenth embodiment of the invention;
Fig. 15 is a structural diagram of the worm feature extraction device provided by the sixteenth embodiment of the invention.
Embodiment
The invention is described in further detail below through specific embodiments and with reference to the accompanying drawings.
The first embodiment
Fig. 1 is a flow chart of the worm feature extraction method provided by the first embodiment of the invention. The method can be implemented by a worm feature extraction device, which may be built from hardware, software, or a combination of the two. The method of this embodiment comprises the following steps:
Step 100: acquire network packets;
Step 200: extract byte sequences (tokens) from the acquired network packets;
Step 300: in normal network packets acquired in advance, calculate the false alarm rate of each byte sequence, and assemble the byte sequences whose false alarm rate is less than or equal to a preset value into worm features, where the false alarm rate is the probability with which normal network packets that contain the byte sequence occur among all normal network packets.
In this embodiment, network packets are first acquired. Specifically, they can be captured at the ingress/egress port of the network, for example by sniffing, or obtained with an existing tool, for example the intrusion detection system Snort. A certain quantity of network packets should be acquired; in practice, either the number of packets to acquire or the capture duration can be set, for example capturing the network packets of 5 minutes for worm feature extraction.
In this embodiment, the calculation and comparison of false alarm rates is introduced after the byte sequences have been extracted. A preferred false alarm rate calculation method proposed in this embodiment is to calculate the false alarm rate of a byte sequence in normal network packets, that is, the probability of the byte sequence occurring in normal network packets, and then to compare the calculated false alarm rate with a preset value; the preset value can be a standard false alarm rate value fixed according to experience. After this false alarm rate screening, the byte sequences whose false alarm rate is less than or equal to the preset value are placed in an accepted byte sequence pool to be used for assembling worm features.
A normal network packet is a network packet that contains no known worm feature and is not subject to any other network attack. A certain quantity of normal network packets can be obtained in advance through an existing intrusion detection system or misuse detection system. There are many ways to obtain normal network packets: the normal packets among those captured in step 100 can be used, or an intrusion detection system can capture them separately. Because the data sets of intrusion detection systems are general and the attack packets in them are known, the attack packets can be removed so that only the normal network packets remain.
Each normal network packet, or each network data flow assembled from normal network packets, can be regarded as a comparison unit. A preferred method for calculating the false alarm rate Fp proposed in this embodiment is then the following formula:
Fp = m/n × 100%
where n is the total number of comparison units and m is the number of comparison units that contain the byte sequence(s). When calculating the false alarm rate of a single byte sequence, m is the number of comparison units that contain that byte sequence; when calculating the false alarm rate of several byte sequences, m is the number of comparison units that contain all of those byte sequences.
The byte sequences that satisfy the false alarm rate requirement can be selected according to the calculated false alarm rates and assembled into worm features, for example by selecting the set of byte sequences with the lower false alarm rate, which improves the accuracy of the worm features. The above scheme can extract worm features from network packets automatically and in real time, with low human resource cost and high timeliness, so that the features of unknown worms can be obtained promptly.
The second embodiment
Fig. 2 is a flow chart of extracting byte sequences in the worm feature extraction method provided by the second embodiment of the invention. This embodiment can be based on the first embodiment above; in it, step 200 specifically comprises the following steps:
Step 201: assemble the acquired network packets into network data flows;
Step 202: extract byte sequences from each network data flow.
Assembling network data flows means reassembling the network packets according to a set reassembly rule. A propagating worm usually sends not a single network packet but several, so an accurate worm feature or byte sequence may be spread across several packets; these packets therefore need to be joined into one network data flow for analysis in order to improve the accuracy of the extracted worm features.
The reassembly rule used to assemble network data flows can take many forms. Based on how worms propagate, one preferred rule makes step 201 specifically: parse the source IP address, destination IP address and destination port number from each network packet, and assemble the packets with the same source IP address, destination IP address and destination port number into one network data flow.
After reassembly under this rule, the probability that one network data flow contains all the network packets of one worm copy increases markedly, and at the same time the probability that the packets of different network data flows belong to different copies of one worm, or to different worms, also rises sharply. Assembling the network packets into network data flows before extracting byte sequences therefore helps to improve the accuracy of the worm features.
The 3rd embodiment
Fig. 3 is a flow chart of capturing network packets in the worm feature extraction method provided by the third embodiment of the invention. This embodiment can be based on any of the embodiments above; the operation of acquiring network packets in step 100 can specifically be:
Step 101: capture network packets;
Step 102: screen the captured network packets and keep the abnormal network packets.
Network packets can be captured over a set period; the captured packets generally include both normal and abnormal network packets. Normal network packets are as defined above, and the remaining network packets can be regarded as abnormal network packets.
The above screening operation on the network packets is not an essential step, but its advantage is significant: it reduces the number of network packets and the workload of extracting byte sequences, and the extracted byte sequences are more likely to be usable for assembling worm features, so the screening operation can markedly improve the speed of worm feature extraction and its timeliness. The probability that a normal network packet contains a worm feature is generally low, so screening out the normal network packets has no notable effect on the accuracy of the worm features.
Screening the captured network packets and keeping the abnormal ones can be summed up as an anomaly detection operation, which has many concrete implementations; the following is one preferred implementation:
Parse the failed connection count from each captured network packet, and when the failed connection count is found to reach a set failure threshold, treat the corresponding network packet as an abnormal network packet.
Because the target of normal network communication is usually well defined, it produces few failed connections; a worm, however, usually scans before propagating, and the scanning process produces a large number of failed connections, so abnormal network packets can be obtained by monitoring and analysing failed connections. This method filters out abnormal network packets simply and effectively, and improves the speed of worm feature extraction.
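The screening of the third embodiment followed by the flow assembly of the second embodiment, as an added example that is not the patent's own code. It assumes, as my own simplification, that each capture record already carries a status field saying whether the connection attempt it belongs to failed, that failures are counted per source host, and that `FAIL_THRESHOLD` stands in for the operator-chosen failure threshold; the capture records are constructed sample data.

```python
"""Added example (not the patent's own code): screen captured packets by
failed-connection count (third embodiment, steps 101-102) and assemble the
remaining packets into network data flows keyed by source IP, destination
IP and destination port (second embodiment, step 201).
"""
from collections import Counter, defaultdict

FAIL_THRESHOLD = 3  # assumed value of the patent's "set failure threshold"

# Constructed sample capture (not real traffic):
# (source IP, destination IP, destination port, status, payload)
CAPTURE = [
    ("10.0.0.5", "10.0.1.1", 445, "failed", b""),
    ("10.0.0.5", "10.0.1.2", 445, "failed", b""),
    ("10.0.0.5", "10.0.1.3", 445, "failed", b""),
    ("10.0.0.5", "10.0.1.4", 445, "ok", b"abcd"),
    ("10.0.0.5", "10.0.1.4", 445, "ok", b"efghp"),
    ("10.0.0.9", "10.0.1.4", 80, "ok", b"GET / HTTP/1.1"),
    ("10.0.0.9", "10.0.1.7", 80, "failed", b""),
]


def failed_counts(capture):
    """Number of failed connection attempts seen per source host."""
    counts = Counter()
    for src, _dst, _port, status, _payload in capture:
        if status == "failed":
            counts[src] += 1
    return counts


def screen_abnormal(capture, threshold=FAIL_THRESHOLD):
    """Step 102: keep only packets whose source host reached the failure
    threshold, the scanning behaviour the patent attributes to worms."""
    counts = failed_counts(capture)
    return [rec for rec in capture if counts[rec[0]] >= threshold]


def assemble_flows(packets):
    """Step 201: packets sharing (source IP, destination IP, destination port)
    form one network data flow; payloads are joined in capture order."""
    flows = defaultdict(bytearray)
    for src, dst, dport, _status, payload in packets:
        flows[(src, dst, dport)] += payload
    return {key: bytes(data) for key, data in flows.items()}


if __name__ == "__main__":
    for key, data in assemble_flows(screen_abnormal(CAPTURE)).items():
        print(key, data)
```

Only the host with three failed attempts survives screening, and its two data packets to 10.0.1.4 are joined into a single flow `abcdefghp`, which is the form the later embodiments extract byte sequences from.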
The 4th embodiment
The worm feature extraction method provided by the fourth embodiment of the invention can be based on any of the embodiments above. The byte sequences extracted from network packets are the basis for assembling worm features, and the extraction of byte sequences affects the accuracy of the assembled worm features. Byte sequences are extracted according to a set extraction rule; they can be byte sequences of a preset length, but this embodiment preferably extracts byte sequences of non-fixed length, which raises the probability that the byte sequences contain the worm feature.
Specifically, the extraction rule for byte sequences can take many forms; preferably, the byte sequences extracted are those whose length is greater than or equal to a predefined minimum length value MIN_LEN and whose number of occurrences is greater than or equal to a predefined minimum count value MIN_STREAM.
The number of occurrences is the number of network packets or network data flows that contain the byte sequence. The minimum length value MIN_LEN and the minimum count value MIN_STREAM are generally integers greater than 1 and can be set by an expert.
As an illustration, MIN_LEN and MIN_STREAM can both be set to 2, and an improved suffix array algorithm can be used to extract the byte sequences that satisfy these conditions. That is, the length of a byte sequence must be greater than or equal to 2, and the byte sequence must occur in at least 2 network data flows. Take the following network data flows as an example:
Data of the first network data flow: abcdefghp
Data of the second network data flow: abcdefghk
Data of the third network data flow: abcdefghi
Data of the fourth network data flow: abcdefu
The byte sequences that satisfy the condition MIN_LEN = MIN_STREAM = 2 are: abcdefgh, abcdefg, abcdef, abcde, abcd, abc, ab, bcdefgh, bcdefg, bcdef, bcde, bcd, bc, cdefgh, cdefg, cdef, cde, cd, defgh, defg, def, de, efgh, efg, ef, fgh, fg and gh.
Extracting byte sequences of non-fixed length raises the probability that a byte sequence contains the worm feature, which is especially useful for highly polymorphic worms. Because the byte-level similarity between copies of a highly polymorphic worm is very low and the identical sequence fragments shared by two copies of the same worm are very short, a fixed-length extraction method cannot extract the features of highly polymorphic worms. In addition, because the features of different worms differ greatly, a fixed length that suits some worms may not suit others. Extracting byte sequences of non-fixed length is therefore better suited to extracting the features of a wide variety of worms, which improves the accuracy of worm feature extraction.
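The extraction rule of the fourth embodiment applied to the patent's own four sample flows, as an added example that is not the patent's code. The patent uses an improved suffix array algorithm; the plain substring enumeration below is my substitution, suitable only for small inputs, and reproduces the 28 sequences listed above for MIN_LEN = MIN_STREAM = 2.

```python
"""Added example (not the patent's own code): extract the variable-length
byte sequences that are at least MIN_LEN bytes long and occur in at least
MIN_STREAM network data flows, as the fourth embodiment describes.
"""

MIN_LEN = 2     # minimum length of a byte sequence, as in the patent's example
MIN_STREAM = 2  # minimum number of flows a byte sequence must occur in

# The four sample flows from the patent's own example.
FLOWS = [b"abcdefghp", b"abcdefghk", b"abcdefghi", b"abcdefu"]


def substrings(data, min_len):
    """All distinct substrings of data that are at least min_len bytes long."""
    found = set()
    for start in range(len(data)):
        for end in range(start + min_len, len(data) + 1):
            found.add(data[start:end])
    return found


def extract_byte_sequences(flows, min_len=MIN_LEN, min_stream=MIN_STREAM):
    """Return {byte sequence: number of flows containing it} for every
    sequence meeting both thresholds. The count is per flow, not per repeat
    inside one flow, matching the patent's 'number of occurrences'."""
    flow_count = {}
    for flow in flows:
        # substrings() returns a set, so a repeat inside one flow counts once
        for seq in substrings(flow, min_len):
            flow_count[seq] = flow_count.get(seq, 0) + 1
    return {seq: n for seq, n in flow_count.items() if n >= min_stream}


if __name__ == "__main__":
    result = extract_byte_sequences(FLOWS)
    for seq in sorted(result, key=lambda s: (-len(s), s)):  # longest first
        print(seq.decode(), "occurs in", result[seq], "flows")
```

Raising MIN_LEN to 7 on the same flows leaves only abcdefg, bcdefgh and abcdefgh, which illustrates the point made above that a large fixed length discards the shorter fragments shared by polymorphic copies.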
The 5th embodiment
The worm feature extraction method provided by the fifth embodiment of the invention can be based on the fourth embodiment above and further, after the byte sequences have been extracted, removes useless byte sequences from them. A useless byte sequence is a byte sequence whose probability of becoming a worm feature is almost zero, or lower than some level.
As can be seen from the example in the fourth embodiment, the byte sequences contained in just four network data flows already number 28. In practice the number of network data flows is huge; calculating all of them would involve an excessive amount of computation, and most byte sequences contribute very little to the subsequent assembly of worm features. Removing the useless byte sequences before calculating false alarm rates therefore improves the efficiency of worm feature assembly.
Longer byte sequences are preferred for assembling worm features, but with reference to the example above, keeping only the longest byte sequence abcdefgh lowers the probability of containing the worm feature, and the accuracy of the assembled worm feature would fall accordingly. If the byte sequence abcdef is also kept, it covers more network data flows, and its probability of containing the worm feature is better than that of abcdefgh. A method for removing useless byte sequences should therefore balance the probability of containing the worm feature against computational efficiency. Specifically, the byte sequences can be screened to identify pairs that stand in a substring/parent-string relation; when the network data flows that contain the substring byte sequence also contain the parent-string byte sequence, the substring byte sequence is determined to be useless and removed. A parent string and a substring are related in that the parent-string byte sequence contains the substring byte sequence. Because every network data flow that contains the substring also contains the parent string, that is, there is no network data flow that contains only the substring and not the parent string, the parent string alone can be used to screen the data flows; the substring's filtering of the data flows would be a repetition, so the substring is a useless byte sequence and should be removed.
Fig. 4 is a flow chart of a preferred implementation of removing useless byte sequences in the worm feature extraction method provided by the fifth embodiment of the invention. After the byte sequences have been extracted and before the worm features are assembled, removing useless byte sequences from the extracted byte sequences specifically comprises the following steps:
Step A1: arrange the extracted byte sequences in ascending order of length to form a screening queue;
Step A2: take the byte sequence at the head of the screening queue as the candidate byte sequence; once taken out, the candidate byte sequence is no longer in the screening queue. If the screening queue contains no byte sequence, the operation of removing useless byte sequences ends;
Step A3: judge whether any byte sequence remains in the screening queue; if so, execute step A4; if not, the operation of removing useless byte sequences ends;
Step A4: starting from the first, choose the byte sequences in the screening queue one by one as the standard byte sequence;
Step A5: judge whether the candidate byte sequence is a substring of the standard byte sequence; if so, execute step A6, otherwise execute step A7;
Step A6: judge whether the network data flows that contain the candidate byte sequence also contain the standard byte sequence. If so, the candidate byte sequence and the standard byte sequence are contained together in some network data flows and neither is present in the other network data flows, so the candidate byte sequence is a useless byte sequence, and execution continues at step A8; otherwise the candidate byte sequence is not a useless byte sequence, and execution continues at step A7;
Step A7: judge whether any byte sequence follows the standard byte sequence in the screening queue; if so, return to step A4 with the next byte sequence after the standard byte sequence as the new standard byte sequence; if not, return to step A2;
Step A8: remove the candidate byte sequence as a useless byte sequence and return to step A2.
In the above process, each byte sequence in the screening queue is judged against the other byte sequences in the screening queue one by one, until the candidate byte sequence is judged to be useless and removed, or judged to be worth keeping. A byte sequence that has been judged no longer takes part in the next round of screening of the queue.
With the above screening process, useless byte sequences can be filtered out effectively and the speed of subsequent calculation improved. Taking the example above again, after screening abcdef and abcdefgh are kept and more than 90% of the byte sequences are removed, which markedly improves the speed of subsequent calculation: the worm feature assembly time is 2/28 of that without screening. In practice the difference can be much larger, reaching hundreds or thousands of times, because the number and length of byte sequences in practice can be far greater than in the example above.
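Steps A1 to A8 run over the patent's own example, as an added example that is not the patent's code. The four flows and the 28 candidate byte sequences are taken from the fourth embodiment above; the screening queue, the substring test and the flow-containment test follow the steps as written, and the result is the two survivors the text names, abcdef and abcdefgh.

```python
"""Added example (not the patent's own code): remove useless byte sequences
with the screening queue of steps A1-A8 from the fifth embodiment.
"""

# The four sample flows from the patent's example.
FLOWS = [b"abcdefghp", b"abcdefghk", b"abcdefghi", b"abcdefu"]

# The 28 byte sequences the patent lists for MIN_LEN = MIN_STREAM = 2.
CANDIDATES = [
    b"abcdefgh", b"abcdefg", b"abcdef", b"abcde", b"abcd", b"abc", b"ab",
    b"bcdefgh", b"bcdefg", b"bcdef", b"bcde", b"bcd", b"bc",
    b"cdefgh", b"cdefg", b"cdef", b"cde", b"cd",
    b"defgh", b"defg", b"def", b"de",
    b"efgh", b"efg", b"ef",
    b"fgh", b"fg",
    b"gh",
]


def containing_flows(seq, flows):
    """Indices of the flows that contain seq."""
    return frozenset(i for i, flow in enumerate(flows) if seq in flow)


def remove_useless(sequences, flows):
    """Steps A1-A8. Returns the byte sequences that survive screening, in the
    order they were judged (shortest first)."""
    queue = sorted(sequences, key=len)  # A1: screening queue, ascending length
    kept = []
    while queue:  # A2/A3: stop once the queue is empty
        candidate = queue.pop(0)  # A2: head of the queue, removed from it
        cand_flows = containing_flows(candidate, flows)
        useless = False
        for standard in queue:  # A4/A7: every remaining sequence in turn
            # A5: only a substring of the standard can be useless
            if candidate in standard:
                # A6: every flow holding the candidate also holds the standard,
                # so the candidate filters no flow the standard does not.
                if cand_flows <= containing_flows(standard, flows):
                    useless = True  # A8: drop the candidate
                    break
        if not useless:
            kept.append(candidate)  # judged once; never re-enters the queue
    return kept


if __name__ == "__main__":
    survivors = remove_useless(CANDIDATES, FLOWS)
    print(len(CANDIDATES) - len(survivors), "of", len(CANDIDATES), "removed")
    print([s.decode() for s in survivors])
```

abcdef survives because the fourth flow (abcdefu) contains it but none of its longer parent strings, so its flow set is not covered by any standard byte sequence; every other sequence is contained in a longer one found in exactly the same flows.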
The 6th embodiment
Fig. 5 is a flow chart of assembling worm features in the worm feature extraction method provided by the sixth embodiment of the invention. This embodiment can be based on any of the embodiments above; step 300, calculating the false alarm rate of each byte sequence in normal network packets and assembling byte sequences into worm features according to the false alarm rate, specifically comprises the following steps:
Step 301: assemble the normal network packets acquired in advance into normal network data flows. The assembly process can follow the earlier embodiments: parse the source IP address, destination IP address and destination port number from each normal network packet acquired in advance, and assemble the normal network packets with the same source IP address, destination IP address and destination port number into one normal network data flow;
Step 302: calculate the false alarm rate of each byte sequence in the normal network data flows, and assemble the byte sequences whose false alarm rate is less than or equal to the preset value into worm features. The false alarm rate can still be calculated with the formula given earlier, now with normal network data flows as the comparison units; the false alarm rate of the byte sequences in the normal network data flows is the number of normal network data flows that contain all of the byte sequences at once, as a percentage of all normal network data flows.
To calculate the false alarm rate of a worm feature, the number of normal network data flows must balance calculation speed against the accuracy of the false alarm rate. The larger the number of normal network data flows, the more accurate the calculated false alarm rate of the worm feature. In practice, the number of normal network data flows preferably reaches the order of 100,000,000.
In the technical scheme of this embodiment, assembling the byte sequences whose false alarm rate is less than or equal to the preset value into worm features, that is, screening the byte sequences by false alarm rate, effectively controls the false alarm rate of the worm features and improves their accuracy.
This embodiment is one concrete way of judging, by false alarm rate, whether a byte sequence is suitable for assembling a worm feature. The goal of judging a byte sequence suitable, namely putting it into the accepted byte sequence pool, is that the overall false alarm rate of all byte sequences in the accepted byte sequence pool is as low as possible, while all byte sequences in the pool together cover as many network data flows as possible, that is, the coverage rate is high. The coverage rate is the percentage of abnormal or suspicious network data flows that contain all the byte sequences, or the worm feature, at once. For example, if the accepted byte sequence pool holds the two byte sequences ab and cd and there are three suspicious network data flows, abeeee, cdeeee and abeecd, then ab and cd occur together in only one network data flow, so the coverage rate is 1/3 × 100%.
On the basis of this embodiment's technical scheme, whether a byte sequence is suitable for assembling a worm feature can further be judged by the following principle: when the false alarm rates and coverage rates of several byte sequences all meet the requirements, the byte sequence with the greater length is selected preferentially. Before the byte sequences whose false alarm rate is less than or equal to the preset value are assembled into worm features, the method further comprises: according to the false alarm rate calculated independently for each byte sequence in the normal network data flows, which may or may not be equal between byte sequences, comparing the lengths of the byte sequences whose false alarm rates are equal and keeping the longest of them for assembling worm features. If several byte sequences with equal false alarm rate share the greatest length, any one of them can be chosen.
The 7th embodiment
Fig. 6 is a flow chart of a preferred implementation of assembling the worm feature in the worm feature extracting method provided by the seventh embodiment of the invention. The present embodiment can be based on the sixth embodiment: the false alarm rate Fp of each byte sequence is calculated in the normal network data flows, and the byte sequences whose false alarm rate Fp is less than or equal to the preset value are assembled into the worm feature. The assembly can follow this idea:
Initially, form an accepted byte sequence pool that contains no byte sequence;
Take out the byte sequences one by one in a set order and, in the normal network data flows, calculate the joint false alarm rate of the byte sequence taken out together with the byte sequences already in the accepted byte sequence pool; as this process proceeds, the number of byte sequences in the accepted pool grows;
Judge whether that false alarm rate is less than or equal to the preset value. If it is, put the byte sequence taken out into the accepted pool and assemble the byte sequences of the accepted pool into the worm feature. If it is not, and no byte sequence remains to be taken out, the assembly of the worm feature fails.
One specific form of the above assembly process is the following flow:
Step B1: arrange the byte sequences in order of decreasing length to form an assembly queue;
Step B2: take the byte sequence at the head of the assembly queue as the pending byte sequence; once taken out, it is no longer part of the assembly queue;
Step B3: in the normal network data flows, calculate the false alarm rate Fp of the byte sequences in the accepted byte sequence pool together with the pending byte sequence; in the initial state the accepted pool contains no byte sequence;
Step B4: identify the number of byte sequences in the accepted pool; when it equals 0, execute step B5; when it equals 1, execute step B6; when it is greater than 1, execute step B7;
Step B5: examine the value of the false alarm rate Fp. When Fp is less than or equal to the first set point ρ1 and greater than the third set point ρrev, put the pending byte sequence into the accepted pool and execute step B8; when Fp is greater than the first set point ρ1, execute step B8; when Fp is less than or equal to the third set point ρrev, put the pending byte sequence into the accepted pool and execute step B9;
Step B6: examine the value of the false alarm rate Fp. When Fp is less than or equal to the second set point ρ2 and greater than the third set point ρrev, put the pending byte sequence into the accepted pool and execute step B8, where the second set point ρ2 is less than the first set point ρ1; when Fp is greater than the second set point ρ2, execute step B8; when Fp is less than or equal to the third set point ρrev, put the pending byte sequence into the accepted pool and execute step B9;
Step B7: examine the value of the false alarm rate Fp. When Fp is less than or equal to the third set point ρrev, put the pending byte sequence into the accepted pool and execute step B9; when Fp is greater than the third set point ρrev, execute step B8;
Step B8: judge whether the assembly queue still contains byte sequences; if so, return to step B2 to examine the next pending byte sequence; otherwise the byte sequences in the accepted pool still do not satisfy the condition that the false alarm rate is less than or equal to the third set point ρrev, and the assembly queue holds no further byte sequence that could reduce the false alarm rate, so the assembly of the worm feature fails and the operation ends; the accepted byte sequence pool may be emptied;
Step B9: assemble the byte sequences in the accepted pool into the worm feature; the byte sequences remaining in the assembly queue take no further part in the assembly and may simply be discarded.
To speed up the computation, this embodiment adopts the AC algorithm, the multi-pattern matching algorithm proposed by Aho and Corasick, which decides the matching of several strings in a single search pass. The above assembly process distinguishes the cases where the accepted byte sequence pool holds 0, 1 or more than 1 byte sequences. When the pool holds 0 or 1 byte sequences, a pending byte sequence is put into the pool as soon as its false alarm rate is less than or equal to the first or second set point, even if it has not yet met the condition of being less than or equal to the third set point: the byte sequences added afterwards are expected to lower the computed false alarm rate further as the number of byte sequences grows. When, as the pool grows, the false alarm rate drops to less than or equal to the third set point, the worm feature is assembled successfully. If no byte sequence is left in the assembly queue while the set of byte sequences in the accepted pool still does not satisfy the condition that the false alarm rate is less than or equal to the third set point, the assembly of the worm feature fails. The first, second and third set points can be set by an expert and are generally positive decimals. Removing useless byte sequences as in the preceding embodiment greatly helps the assembly efficiency of the worm feature in this embodiment.
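The assembly procedure of steps B1 to B9, with an Aho-Corasick matcher computing the joint false alarm rate, as an added Python example; it is not code from the patent. The normal traffic sample, the candidate byte sequences and the three set points (ρ1 = 0.5, ρ2 = 0.25, ρrev = 0.05) are constructed for illustration, and the joint false alarm rate of the pool plus the pending byte sequence is taken as the fraction of normal flows that contain all of them, which the AC automaton decides in one pass per flow:

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher after Aho and Corasick: one pass over a flow reports which of
    the patterns occur in it, so a pool of n byte sequences costs one scan, not n scans."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for idx, pat in enumerate(patterns):          # trie of all patterns (bytes -> ints)
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto[node][b] = len(self.goto)
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                node = self.goto[node][b]
            self.out[node].add(idx)
        queue = deque(self.goto[0].values())          # depth-1 nodes fail to the root
        while queue:                                  # breadth-first fill of failure links
            cur = queue.popleft()
            for b, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]   # inherit patterns ending here
                queue.append(nxt)

    def patterns_in(self, flow):
        """Indices of every pattern that occurs somewhere in flow."""
        node, hits = 0, set()
        for b in flow:
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits |= self.out[node]
        return hits


def false_alarm_rate(seqs, normal_flows):
    """Joint Fp of a candidate set: fraction of normal flows containing every sequence of it."""
    ac, want = AhoCorasick(seqs), set(range(len(seqs)))
    return sum(ac.patterns_in(flow) == want for flow in normal_flows) / len(normal_flows)


def assemble_worm_feature(candidates, normal_flows, rho1, rho2, rho_rev):
    """Steps B1..B9: returns the accepted pool on success, None when the queue runs out."""
    queue = sorted(candidates, key=len, reverse=True)       # B1: longest first
    pool = []
    while queue:                                             # B8: anything left to try?
        pending = queue.pop(0)                               # B2
        fp = false_alarm_rate(pool + [pending], normal_flows)   # B3: joint rate
        if fp <= rho_rev:                                    # B5/B6/B7: final bound met
            pool.append(pending)
            return pool                                      # B9
        provisional = {0: rho1, 1: rho2}.get(len(pool))      # B4: looser bound for 0 or 1 in pool
        if provisional is not None and fp <= provisional:
            pool.append(pending)                             # kept, expecting later ones to lower Fp
    return None                                              # assembly failed


# Constructed normal traffic and candidates (assumed, not the patent's data).
NORMAL_FLOWS = [
    b"GET /index.html HTTP/1.1\r\nHost: a\r\n", b"GET /default.ida HTTP/1.1\r\nHost: b\r\n",
    b"GET /x.html HTTP/1.1\r\n", b"POST /login HTTP/1.1\r\nuser=alice", b"GET /about HTTP/1.1\r\n",
    b"HELO mail.example\r\n", b"USER ftp\r\n", b"GET /default.ida?q=1 HTTP/1.1\r\n",
    b"GET /y HTTP/1.0\r\n", b"QUIT\r\n",
]
CANDIDATES = [b"GET /", b"\x90\x90\x90\x90", b"HTTP/1.1", b"/default.ida"]

if __name__ == "__main__":
    print(assemble_worm_feature(CANDIDATES, NORMAL_FLOWS, rho1=0.5, rho2=0.25, rho_rev=0.05))
```

On this data `/default.ida` alone has Fp = 0.2, which is above ρrev but within ρ1, so it is kept provisionally; `HTTP/1.1` leaves the joint rate at 0.2, within ρ2, and is kept as well; `GET /` does not lower the rate and is skipped under step B7; the NOP run brings the joint rate to 0 and closes the feature. With only the two common candidates `GET /` and `HTTP/1.1` the queue is exhausted above ρ1 and the function returns None, the failure case of step B8.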
The 8th embodiment
Fig. 7 is a flow chart of the worm feature extracting method provided by the eighth embodiment of the invention. On the basis of the above embodiments, after the worm feature is assembled, the method further comprises: removing, from the network packets, those network packets that contain the worm feature, and returning to the operations of extracting byte sequences and assembling the worm feature, until the number of byte sequences extracted is 0 or the network packets are completely removed. This embodiment repeats the flow of assembling a worm feature, removing the abnormal network packets that contain the newly assembled worm feature, and assembling a worm feature again; it is suitable for extracting multiple worm features. The specific flow comprises the following steps:
Step 100: capture and obtain network packets;
Step 200: extract byte sequences from the obtained network packets and judge whether any byte sequence could be extracted; if none could be extracted, execute step 500; if some were extracted, continue with step 300;
Step 300: in the normal network packets obtained in advance, calculate the false alarm rate of each byte sequence and, according to the false alarm rate, assemble the byte sequences whose false alarm rate is less than or equal to the preset value into a worm feature;
Step 400: save the newly assembled worm feature, remove from the network packets those that contain the newly assembled worm feature, and execute step 200;
Step 500: the worm feature extraction is complete; resources that are no longer used, such as the network packets and the accepted byte sequence pool, can be released.
With the technical scheme of this embodiment, multiple worm features can be extracted in real time and fully automatically by cycling through the operations of extracting byte sequences and assembling worm features, so it is suitable for large-scale worm feature extraction.
The 9th embodiment
Fig. 8 is a schematic structural diagram of the worm feature extracting device provided by the ninth embodiment of the invention. The device comprises a network packet acquisition module 801, a byte sequence extraction module 802 and a worm feature assembling module 803. The network packet acquisition module 801 is configured to obtain network packets; the byte sequence extraction module 802 is configured to extract byte sequences from the obtained network packets; the worm feature assembling module 803 is configured to calculate, in the normal network packets obtained in advance, the false alarm rate of each byte sequence and to assemble the byte sequences whose false alarm rate is less than or equal to the preset value into a worm feature, where the false alarm rate is the probability that a normal network packet containing the byte sequence occurs among all the normal network packets.
The worm feature extracting device of this embodiment can carry out the technical scheme of the first embodiment of the invention. It introduces the calculation and comparison of the false alarm rate so that the worm feature satisfies the false alarm rate requirement, which improves the accuracy of the worm feature. The scheme extracts worm features from network packets automatically and in real time, at low human cost and with high timeliness, so the feature of an unknown worm can be obtained promptly.
The tenth embodiment
Fig. 9 is a schematic structural diagram of the byte sequence extraction module in the worm feature extracting device provided by the tenth embodiment of the invention. On the basis of the ninth embodiment, the byte sequence extraction module 802 may comprise a first parameter parsing unit 901, a first data flow assembling unit 902 and a byte sequence extracting sub-unit 903. The first parameter parsing unit 901 is configured to parse the source IP address, destination IP address and destination port number from each network packet; the first data flow assembling unit 902 is configured to assemble the network packets having the same source IP address, destination IP address and destination port number into one network data flow; the byte sequence extracting sub-unit 903 is configured to extract byte sequences from each network data flow.
This embodiment can carry out the technical scheme of the second embodiment of the invention: the network packets are reassembled into network data flows. There are many ways of performing this reassembly; it is not limited to grouping by source IP address, destination IP address and destination port number.
After reassembly under the above rule, the probability that all network packets of one worm copy fall into one network data flow increases markedly, and the probability that network packets in different network data flows belong to different copies of one worm or to different worms also increases greatly. Therefore, assembling the network packets into network data flows before extracting byte sequences helps improve the accuracy of the worm feature.
The 11th embodiment
Fig. 10 is a schematic structural diagram of the network packet acquisition module in the worm feature extracting device provided by the eleventh embodiment of the invention. On the basis of the ninth or tenth embodiment, the network packet acquisition module 801 specifically comprises a network packet capturing unit 1001 and a network packet screening unit 1002. The network packet capturing unit 1001 is configured to capture network packets; the network packet screening unit 1002 is configured to screen the captured network packets and keep the abnormal network packets.
There are many forms of screening for abnormal packets. For example, the network packet screening unit 1002 may comprise a failure count parsing sub-unit 10021 and a packet screening sub-unit 10022. The failure count parsing sub-unit 10021 is configured to parse the failed connection count associated with each captured network packet; the packet screening sub-unit 10022 is configured to treat a network packet as an abnormal network packet when its failed connection count is found to reach the set failure threshold.
This embodiment can carry out the technical scheme of the third embodiment of the invention. Screening the network packets reduces their number and the workload of extracting byte sequences, which markedly improves the extraction speed of the worm feature and the real-time performance.
The 12th embodiment
Fig. 11 is a schematic structural diagram of the byte sequence extracting sub-unit in the worm feature extracting device provided by the twelfth embodiment of the invention. On the basis of the tenth embodiment, the byte sequence extracting sub-unit 903 specifically comprises a length value setting sub-unit 1101, a count value setting sub-unit 1102 and an extracting sub-unit 1103. The length value setting sub-unit 1101 stores the predefined minimum length value of the byte sequences to be extracted; the count value setting sub-unit 1102 stores the predefined minimum count value of the byte sequences to be extracted; the extracting sub-unit 1103 extracts the byte sequences whose length is greater than or equal to the predefined minimum length value and whose number of occurrences in the network data flows is greater than or equal to the predefined minimum count value.
This embodiment can carry out the technical scheme of the fourth embodiment of the invention. Extracting byte sequences of non-fixed length raises the probability that a byte sequence contains the worm feature, which is particularly useful for highly polymorphic worms. Non-fixed-length extraction is also better suited to extracting the features of many kinds of worms at large scale, thereby improving the accuracy of worm feature extraction.
The 13th embodiment
Fig. 12 is a schematic structural diagram of the useless byte sequence removal module in the worm feature extracting device provided by the thirteenth embodiment of the invention. On the basis of the twelfth embodiment, the worm feature extracting device further comprises a useless byte sequence removal module, configured to remove useless byte sequences from the extracted byte sequences.
Specifically, one structure of the useless byte sequence removal module comprises an identification unit, a judging unit and a removal unit. The identification unit identifies, among the byte sequences, pairs of byte sequences in a substring/parent-string relation; the judging unit determines the substring byte sequence to be a useless byte sequence when the network data flows containing it also contain its parent-string byte sequence; the removal unit removes the useless byte sequences.
Specifically, one implementation of the removal module comprises a screening queue arranging unit 1201, a candidate byte sequence acquiring unit 1202, a first judging unit 1203, a standard byte sequence selecting unit 1204, a second judging unit 1205, a third judging unit 1206, a fourth judging unit 1207 and a removal unit 1208. The screening queue arranging unit 1201 arranges the extracted byte sequences in order of increasing length into a screening queue; the candidate byte sequence acquiring unit 1202 takes the byte sequence at the head of the screening queue as the candidate byte sequence; the first judging unit 1203 judges whether the screening queue still contains byte sequences, and if so triggers the standard byte sequence selecting unit 1204, otherwise the removal of useless byte sequences ends; the standard byte sequence selecting unit 1204 selects, one by one starting from the first, a byte sequence of the screening queue as the standard byte sequence; the second judging unit 1205 judges whether the candidate byte sequence is a substring of the standard byte sequence, triggering the third judging unit 1206 if so and the fourth judging unit 1207 if not; the third judging unit 1206 judges whether the network data flows containing the candidate byte sequence also contain the standard byte sequence, triggering the removal unit 1208 if so and the fourth judging unit 1207 if not; the fourth judging unit 1207 judges whether the screening queue contains a byte sequence after the standard byte sequence, and if so triggers the standard byte sequence selecting unit 1204 to replace the standard byte sequence with the next one, otherwise triggers the candidate byte sequence acquiring unit 1202; the removal unit 1208 removes the candidate byte sequence as a useless byte sequence and may trigger the candidate byte sequence acquiring unit 1202 to start the next round of removal.
This embodiment can carry out the technical scheme of the fifth embodiment of the invention; removing useless byte sequences from the extracted byte sequences improves the speed of the subsequent calculations.
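The screening of useless byte sequences by units 1201 to 1208, as an added Python example rather than the patent's implementation. The suspicious flows and the extracted sequences are constructed; the third judging unit is read as "every flow containing the candidate also contains the standard byte sequence", and plain substring search stands in for the suffix array algorithm the patent names for this step:

```python
# Constructed suspicious flows (assumed, not the patent's data): two copies of one worm
# request and one unrelated flow that happens to carry the short fragment ".ida?".
SUSPICIOUS_FLOWS = [
    b"xxGET /default.ida?xxxx",
    b"yyGET /default.ida?yyyy",
    b"zz.ida?zz",
]
EXTRACTED = [b"default.ida?", b".ida?", b"GET /default.ida?", b"\x90\x90\x90\x90"]


def is_useless(candidate, standard, flows):
    """Units 1205/1206: the candidate is useless with respect to a longer standard sequence
    when it is a proper substring of it and every flow containing the candidate also
    contains the standard, i.e. the shorter sequence adds no discrimination of its own."""
    if candidate == standard or candidate not in standard:
        return False
    holders = [f for f in flows if candidate in f]
    return bool(holders) and all(standard in f for f in holders)


def remove_useless_byte_sequences(seqs, flows):
    """Units 1201..1208: shortest-first screening queue; each candidate is tested against
    every sequence still in the queue and dropped on the first useless relation found."""
    queue = sorted(seqs, key=len)          # 1201: increasing length
    kept = []
    while queue:
        candidate = queue.pop(0)           # 1202: head of the queue
        # 1203/1204/1207: walk the remaining queue as standard sequences (none left: keep)
        if any(is_useless(candidate, standard, flows) for standard in queue):
            continue                       # 1208: removed as useless
        kept.append(candidate)
    return kept


if __name__ == "__main__":
    print(remove_useless_byte_sequences(EXTRACTED, SUSPICIOUS_FLOWS))
```

Here `default.ida?` is dropped because both flows that contain it also contain `GET /default.ida?`, whereas `.ida?` survives: the third flow contains it without the longer sequence, so it still discriminates on its own. A sequence that occurs in no flow at all is kept, since nothing on the page justifies calling it useless.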
The 14th embodiment
Fig. 13 is a schematic structural diagram of the worm feature assembling module in the worm feature extracting device provided by the fourteenth embodiment of the invention. On the basis of any of the above device embodiments, the worm feature assembling module 803 may specifically comprise a normal network packet acquiring unit 1301, a second parameter parsing unit 1302, a second data flow assembling unit 1304 and a worm feature assembling sub-unit 1303. The normal network packet acquiring unit 1301 is configured to obtain normal network packets; the second parameter parsing unit 1302 is configured to parse the source IP address, destination IP address and destination port number from each normal network packet; the second data flow assembling unit 1304 is configured to assemble the normal network packets having the same source IP address, destination IP address and destination port number into one normal network data flow; the worm feature assembling sub-unit 1303 is configured to calculate, in the normal network data flows, the false alarm rate of each byte sequence and to assemble the byte sequences whose false alarm rate is less than or equal to the preset value into the worm feature.
This embodiment can carry out the technical scheme of the sixth embodiment of the invention. Assembling the byte sequences whose false alarm rate is less than or equal to the preset value into the worm feature, i.e. screening the byte sequences by false alarm rate, effectively controls the false alarm rate of the worm feature and improves its accuracy.
The worm feature assembling sub-unit 1303 may further comprise a length comparison removal sub-unit 13031, which, according to the false alarm rates of the byte sequences computed individually in the normal network data flows, compares the lengths of the byte sequences whose false alarm rates are equal and keeps only the longest of them for assembling the worm feature.
On the basis of the false alarm rate, this scheme further prefers the longer byte sequences, which optimizes the worm feature: the number of byte sequences in the worm feature is reduced and the worm feature becomes smaller, which speeds up the computation when the worm feature is used to remove abnormal network packets.
The 15th embodiment
Fig. 14 is a schematic structural diagram of the worm feature assembling sub-unit in the worm feature extracting device provided by the fifteenth embodiment of the invention. On the basis of the above device embodiments, the worm feature assembling sub-unit 1303 specifically comprises an assembly queue arranging sub-unit 1401, a pending byte sequence acquiring sub-unit 1402, a second false alarm rate calculating sub-unit 1403, a number identifying sub-unit 1404, a first processing sub-unit 1405, a second processing sub-unit 1406, a third processing sub-unit 1407, a remaining byte sequence judging sub-unit 1408 and a second worm feature assembling sub-unit 1409. The assembly queue arranging sub-unit 1401 arranges the byte sequences in order of decreasing length into an assembly queue; the pending byte sequence acquiring sub-unit 1402 takes the byte sequence at the head of the assembly queue as the pending byte sequence; the second false alarm rate calculating sub-unit 1403 calculates, in the normal network data flows, the false alarm rate of the byte sequences in the accepted byte sequence pool together with the pending byte sequence; the number identifying sub-unit 1404 identifies the number of byte sequences in the accepted pool, triggering the first processing sub-unit 1405 when it equals 0, the second processing sub-unit 1406 when it equals 1 and the third processing sub-unit 1407 when it is greater than 1; the first processing sub-unit 1405 examines the false alarm rate: when it is less than or equal to the first set point and greater than the third set point, it puts the pending byte sequence into the accepted pool and triggers the remaining byte sequence judging sub-unit 1408; when it is greater than the first set point, it triggers the remaining byte sequence judging sub-unit 1408; when it is less than or equal to the third set point, it puts the pending byte sequence into the accepted pool and triggers the second worm feature assembling sub-unit 1409; the second processing sub-unit 1406 examines the false alarm rate against the second set point, which is less than the first set point: when the rate is less than or equal to the second set point and greater than the third set point, it puts the pending byte sequence into the accepted pool and triggers the remaining byte sequence judging sub-unit 1408; when the rate is greater than the second set point, it triggers the remaining byte sequence judging sub-unit 1408; when the rate is less than or equal to the third set point, it puts the pending byte sequence into the accepted pool and triggers the second worm feature assembling sub-unit 1409; the third processing sub-unit 1407 examines the false alarm rate: when it is less than or equal to the third set point, it puts the pending byte sequence into the accepted pool and triggers the second worm feature assembling sub-unit 1409, and when it is greater than the third set point, it triggers the remaining byte sequence judging sub-unit 1408; the remaining byte sequence judging sub-unit 1408 judges whether the assembly queue still contains byte sequences, triggering the pending byte sequence acquiring sub-unit 1402 if so and otherwise ending the worm feature assembling operation; the second worm feature assembling sub-unit 1409 assembles the byte sequences in the accepted pool into the worm feature.
This embodiment can carry out the technical scheme of the seventh embodiment of the invention and adopts the AC algorithm to speed up the screening of byte sequences and the computation involved in assembling the worm feature.
The 16th embodiment
Fig. 15 is a schematic structural diagram of the worm feature extracting device provided by the sixteenth embodiment of the invention. On the basis of any of the above device embodiments, the worm feature extracting device further comprises a removal module 1501, configured to remove from the network packets those that contain the worm feature and to trigger the byte sequence extraction module 802, until the number of byte sequences extracted by the byte sequence extraction module 802 is 0 or the network packets are completely removed.
This embodiment can carry out the technical scheme of the eighth embodiment of the invention; by cycling the worm feature extraction it can extract multiple worm features, which suits a large-scale worm outbreak.
The technical schemes of the above embodiments of the invention can be combined and have the following advantages:
1) introducing the calculation and comparison of the false alarm rate improves the accuracy and reliability of the extracted worm features and reduces false alarms;
2) composing one worm feature from several byte sequences of non-fixed length gives a flexible structure applicable to many different worms, particularly highly polymorphic worms, which further improves the accuracy of worm feature extraction;
3) reassembling the network packets into network data flows also improves the accuracy and reliability of worm feature extraction;
4) screening the network packets, removing useless byte sequences with a suffix array algorithm and using the AC algorithm in the false alarm rate calculation improves the computation speed and the extraction efficiency;
5) feature extraction for many worms can be carried out at large scale;
6) extraction is automatic and in real time, which reduces the expenditure of human resources; the extraction rate is high, the speed is fast and the time cost is low.
The technical schemes of the embodiments of the invention solve the cost problem of manual worm feature extraction. They do not depend on the experience of individual experts, which avoids extracted worm features that differ from expert to expert and vary in accuracy; the scale of extraction is no longer limited by the number of experts and the rate at which each of them works, so when many worms break out at large scale the features can be extracted in real time and responded to promptly. Manually extracted worm features are always derived from worms that appeared some time ago: the lag between the outbreak and the extracted feature is long and a newly appearing worm cannot be handled immediately, whereas the technical scheme of the invention can extract the feature of a new worm at once and responds quickly. Because manual extraction depends on a few experts, it consumes much time, funding and manpower and the cost of worm feature extraction is high; the invention overcomes this defect and greatly reduces that cost. The technical schemes also solve the difficulties of the existing automatic real-time extraction of worm features, namely the accuracy and practicality of the extracted worm features, the extraction of features of highly polymorphic worms, and feature extraction for worms at large scale. The technical scheme of the embodiments can be applied directly to worm detection and network worm defence.
The specific implementation of each step in the technical scheme of the embodiments is not limited to what is described above: any other way of capturing network packets may be used; any other way of screening network packets; other reassembly rules for network data flows; other byte sequence extraction algorithms; other algorithms for calculating the false alarm rate; other methods for removing useless byte sequences; and other algorithms for assembling the worm feature from the accepted byte sequence pool on the basis of the false alarm rate.
The embodiments of the invention also provide a worm defence system that adopts any embodiment of the worm feature extracting device of the invention; the worm defence system further comprises a removal device configured to remove the network packets containing the worm feature assembled by the worm feature extracting device.
The embodiments of the invention also provide a worm detection system that adopts any embodiment of the worm feature extracting device of the invention; the worm detection system further comprises an extraction device configured to extract the network packets containing the worm feature assembled by the worm feature extracting device.
The worm feature extracting method and device of the invention can be widely used in worm defence and detection; the worm features are extracted with high accuracy and good real-time performance, the approach suits a large-scale worm outbreak, and it is cheap and easy to implement.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be performed by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments only illustrate the technical scheme of the invention and do not limit it. Although the invention has been described in detail with reference to the preceding embodiments, those of ordinary skill in the art should understand that the technical schemes recorded in those embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical scheme to depart from the spirit and scope of the technical schemes of the embodiments of the invention.

Claims (11)

1. A worm feature extracting method, characterized in that it comprises:
obtaining network packets;
extracting byte sequences from the obtained network packets, comprising: extracting the byte sequences whose length is greater than or equal to a predefined minimum length value and whose number of occurrences is greater than or equal to a predefined minimum count value;
identifying, among the byte sequences, pairs of byte sequences in a substring/parent-string relation and, when the network data flows containing the substring byte sequence also contain the parent-string byte sequence, determining the substring byte sequence to be a useless byte sequence and removing it;
calculating, in normal network packets obtained in advance, the false alarm rate of each byte sequence, and assembling the byte sequences whose false alarm rate is less than or equal to a preset value into a worm feature, wherein the false alarm rate is the probability that a normal network packet containing the byte sequence occurs among all the normal network packets.
2. worm feature extracting method according to claim 1 is characterized in that, extracts byte sequence and comprise from the network packet of obtaining:
From each network packet, resolve respectively and obtain source IP address, purpose IP address and destination slogan, source IP address, the purpose IP address network packet identical with the destination slogan are assembled into a network data flow;
From each network data flow, extract byte sequence.
3. worm feature extracting method according to claim 1 and 2 is characterized in that, obtains network packet and comprises:
The capture network data bag;
The network packet that captures is screened operation, keep unusual network packet.
4. worm feature extracting method according to claim 3 is characterized in that, the network packet that captures is screened operation, keeps unusual network packet and comprises:
From each network packet that captures, resolve respectively to obtain and unsuccessfully connect number of times, when recognizing the described number of times that unsuccessfully connects when setting failed threshold value, with the network packet of correspondence as unusual network packet.
5. worm feature extracting method according to claim 1 and 2, it is characterized in that, in the proper network packet that gets access in advance, calculate the rate of false alarm of each described byte sequence, and the byte sequence that rate of false alarm is less than or equal to preset value is assembled into the worm feature comprises:
From each the proper network packet that gets access in advance, resolve respectively and obtain source IP address, purpose IP address and destination slogan, source IP address, the purpose IP address proper network data packet group identical with the destination slogan are dressed up a proper network data flow;
In described proper network data flow, calculate the rate of false alarm of each described byte sequence, the byte sequence that rate of false alarm is less than or equal to preset value is assembled into the worm feature.
6. worm feature extracting method according to claim 5 is characterized in that, before the byte sequence that rate of false alarm is less than or equal to preset value is assembled into the worm feature, also comprises:
According to the rate of false alarm of each byte sequence that calculates respectively in the proper network data flow, the byte sequence that respectively rate of false alarm is equated carries out Length Ratio, and keeping wherein, the byte sequence of length maximum is used for assembling worm feature.
7. a worm feature deriving means is characterized in that, comprising:
The network packet acquisition module is used for obtaining network packet;
The byte sequence extraction module is used for extracting byte sequence from the network packet of obtaining;
Worm feature Knockdown block, for the proper network packet that is getting access in advance, calculate the rate of false alarm of each described byte sequence, and the byte sequence that rate of false alarm is less than or equal to preset value is assembled into the worm feature, wherein, the described rate of false alarm probability that to be the proper network packet that comprises described byte sequence occur in whole proper network packets;
Wherein, described byte sequence extraction module comprises:
The first Parameter analysis of electrochemical unit obtains source IP address, purpose IP address and destination slogan for resolving respectively from each network packet;
The first data flow assembling unit is used for source IP address, the purpose IP address network packet identical with the destination slogan are assembled into a network data flow;
Byte sequence extracts subelement, is used for extracting byte sequence from each network data flow;
Wherein, described byte sequence extraction subelement comprises:
Length value is set subelement, is used for the minimum length value of storing predefined byte sequence to be extracted;
Inferior numerical value is set subelement, is used for the minimum number value of storing predefined byte sequence to be extracted;
Extract subelement, be used for extracting length more than or equal to predefined described minimum length value, and the involved number of times in network data flow is more than or equal to the byte sequence of predefined described minimum number value;
Also comprise: useless byte sequence is removed module, comprising:
Recognition unit is used for the paired byte sequence that has substring and female string relation in each byte sequence identification;
Judging unit is used for will being defined as the byte sequence of described substring useless byte sequence when the mother who judges the network data flow that comprises the substring byte sequence and also comprise substring goes here and there byte sequence;
Remove the unit, be used for described useless byte sequence is removed.
8. worm feature deriving means according to claim 7 is characterized in that, described network packet acquisition module comprises:
The network packet capture unit is used for the capture network data bag;
Network packet screening unit is used for the network packet that captures is screened operation, keeps unusual network packet.
9. worm feature deriving means according to claim 8 is characterized in that, described network packet screening unit comprises:
The frequency of failure is resolved subelement, unsuccessfully connects number of times for resolving respectively to obtain from each network packet that captures;
Packet screening subelement is used for when recognizing the described number of times that unsuccessfully connects when setting failed threshold value, with the network packet of correspondence as unusual network packet.
10. worm feature deriving means according to claim 7 is characterized in that, described worm feature Knockdown block comprises:
Proper network packet acquiring unit is used for obtaining the proper network packet;
The second Parameter analysis of electrochemical unit obtains source IP address, purpose IP address and destination slogan for resolving respectively from each proper network packet;
The second data flow assembling unit is used for source IP address, the purpose IP address proper network data packet group identical with the destination slogan are dressed up a proper network data flow;
Worm feature assembling subelement is used in described proper network data flow, calculates the rate of false alarm of each described byte sequence, and the byte sequence that rate of false alarm is less than or equal to preset value is assembled into the worm feature.
11. worm feature deriving means according to claim 10 is characterized in that, described worm feature assembling subelement also comprises:
Length Ratio is removed subelement, is used for the rate of false alarm according to each byte sequence that calculates respectively in the proper network data flow, and the byte sequence that respectively rate of false alarm is equated carries out Length Ratio, and keeping wherein, the byte sequence of length maximum is used for assembling worm feature.
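Claims 1, 2, 5 and 6 together describe a pipeline that can be modelled end to end: packets sharing source IP, destination IP and destination port are concatenated into flows, byte sequences meeting the minimum length and minimum count are extracted, substrings whose parent string is present in every flow that contains them are dropped, each survivor is rated on normal traffic, and among survivors with equal false alarm rate only the longest is kept. The Python script below is an added example written for this page; it is not the patent's or the assignees' code. The HTTP-like payloads, the IP addresses, the function names, the thresholds and the reading of "number of times" as the number of flows containing a sequence are assumptions made for the example; the failed-connection screening of claims 3 and 4 is not modelled.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Added example modelling claims 1, 2, 5 and 6; constructed data, not the patent's code.
# Packet = (source IP, destination IP, destination port, payload).
Packet = Tuple[str, str, int, bytes]
FlowKey = Tuple[str, str, int]


def assemble_flows(packets: List[Packet]) -> Dict[FlowKey, bytes]:
    """Claims 2 and 5: packets sharing source IP, destination IP and destination
    port are concatenated, in arrival order, into one data flow."""
    flows: Dict[FlowKey, bytes] = defaultdict(bytes)
    for src, dst, port, payload in packets:
        flows[(src, dst, port)] += payload
    return dict(flows)


def extract_sequences(flows: Dict[FlowKey, bytes], min_len: int, min_count: int) -> Set[bytes]:
    """Claim 1: keep byte sequences at least min_len long that are contained at
    least min_count times. Assumption: a sequence is counted once per flow that
    contains it, so min_count is a number of flows. Enumeration is quadratic per
    flow, which is fine for this toy input."""
    counts: Counter = Counter()
    for data in flows.values():
        seen = set()
        for i in range(len(data)):
            for j in range(i + min_len, len(data) + 1):
                seen.add(data[i:j])
        counts.update(seen)
    return {s for s, c in counts.items() if c >= min_count}


def remove_useless_substrings(seqs: Set[bytes], flows: Dict[FlowKey, bytes]) -> Set[bytes]:
    """Claim 1: a candidate that is a substring of another candidate (its parent
    string) is useless when every flow containing the substring also contains
    one of its parent strings; only the maximal common strings survive."""
    useless = set()
    for sub in seqs:
        parents = [p for p in seqs if p != sub and sub in p]
        if not parents:
            continue
        holders = [d for d in flows.values() if sub in d]
        if holders and all(any(p in d for p in parents) for d in holders):
            useless.add(sub)
    return seqs - useless


def false_alarm_rate(seq: bytes, normal_flows: Dict[FlowKey, bytes]) -> float:
    """Claim 1: fraction of normal flows in which the sequence occurs."""
    return sum(1 for d in normal_flows.values() if seq in d) / len(normal_flows)


def assemble_signatures(seqs, normal_flows, max_rate: float) -> List[Tuple[bytes, float]]:
    """Claims 5 and 6: rate every candidate on normal traffic, drop those above
    max_rate, and among candidates with an equal rate keep only the longest."""
    by_rate: Dict[float, List[bytes]] = defaultdict(list)
    for s in seqs:
        r = false_alarm_rate(s, normal_flows)
        if r <= max_rate:
            by_rate[r].append(s)
    kept = [(max(sorted(group), key=len), r) for r, group in by_rate.items()]
    return sorted(kept, key=lambda x: (x[1], x[0]))


def matches(signatures: List[Tuple[bytes, float]], payload: bytes) -> bool:
    """How a detection or defence system would apply the assembled features."""
    return any(sig in payload for sig, _ in signatures)


# Constructed sample traffic. The three suspicious flows share a payload marker
# and a User-Agent; the normal flows are ordinary requests. The first suspicious
# flow arrives in two packets to show reassembly by (src, dst, port).
SUSPICIOUS_PACKETS: List[Packet] = [
    ("10.0.0.1", "10.0.0.9", 80, b"GET /a XX-WORM-PAYLOAD-XX x1 HTTP/1.0\r\n"),
    ("10.0.0.1", "10.0.0.9", 80, b"Host: h1\r\nUser-Agent: wb\r\n"),
    ("10.0.0.2", "10.0.0.9", 80, b"POST /b XX-WORM-PAYLOAD-XX y22 HTTP/1.0\r\nHost: host2\r\nUser-Agent: wb\r\n"),
    ("10.0.0.3", "10.0.0.9", 80, b"GET /c XX-WORM-PAYLOAD-XX z HTTP/1.0\r\nHost: h333\r\nUser-Agent: wb\r\n"),
]
NORMAL_PACKETS: List[Packet] = [
    ("10.0.1.1", "10.0.0.9", 80, b"GET /index.html HTTP/1.0\r\nHost: www\r\nUser-Agent: curl\r\n"),
    ("10.0.1.2", "10.0.0.9", 80, b"GET /about.html HTTP/1.0\r\nHost: home\r\nUser-Agent: Mozilla\r\n"),
    ("10.0.1.3", "10.0.0.9", 80, b"POST /login HTTP/1.0\r\nHost: portal\r\nUser-Agent: Mozilla\r\n"),
    ("10.0.1.4", "10.0.0.9", 80, b"GET /img/logo.png HTTP/1.0\r\nHost: cdn\r\nUser-Agent: Mozilla\r\n"),
]


def run_pipeline(min_len: int = 4, min_count: int = 3, max_rate: float = 0.1):
    """Full pipeline; returns (surviving candidates, assembled worm features)."""
    flows = assemble_flows(SUSPICIOUS_PACKETS)
    normal = assemble_flows(NORMAL_PACKETS)
    candidates = remove_useless_substrings(extract_sequences(flows, min_len, min_count), flows)
    return candidates, assemble_signatures(candidates, normal, max_rate)


if __name__ == "__main__":
    candidates, features = run_pipeline()
    normal = assemble_flows(NORMAL_PACKETS)
    for c in sorted(candidates):
        print("candidate", c, "false alarm rate", false_alarm_rate(c, normal))
    print("worm features:", features)
```

With the constructed input, three maximal candidates survive the substring removal: the payload marker, a generic " HTTP/1.0\r\nHost: h" fragment and the shared User-Agent line. The generic fragment is rated 0.25 on the normal flows and is dropped at a 0.1 threshold; the other two both rate 0.0, so the claim 6 length comparison keeps only the longer payload marker. Raising max_rate to 0.3 lets the generic fragment through, which shows why the preset value has to be chosen against a representative normal-traffic sample.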
CN 200910088358 2009-06-26 2009-06-26 Method for extracting worm features and device thereof Expired - Fee Related CN101599969B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910088358 CN101599969B (en) 2009-06-26 2009-06-26 Method for extracting worm features and device thereof

Publications (2)

Publication Number Publication Date
CN101599969A CN101599969A (en) 2009-12-09
CN101599969B true CN101599969B (en) 2013-01-09

Family

ID=41421216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910088358 Expired - Fee Related CN101599969B (en) 2009-06-26 2009-06-26 Method for extracting worm features and device thereof

Country Status (1)

Country Link
CN (1) CN101599969B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102710627B (en) * 2012-05-25 2015-03-25 Beijing NSFOCUS Information Security Technology Co., Ltd. Worm detection method and device
CN104243407A (en) * 2013-06-13 2014-12-24 Huawei Technologies Co., Ltd. Generation method and device for malicious software network intrusion detection feature codes

Citations (2)

Publication number Priority date Publication date Assignee Title
CN1710906A (en) * 2005-07-08 2005-12-21 Tsinghua University P2P worm defending system
CN101030835A (en) * 2007-02-09 2007-09-05 Huawei Technologies Co., Ltd. Apparatus and method for obtaining detection characteristics

Non-Patent Citations (1)

Title
Wang Ping. Large-scale network worm detection based on automatic feature extraction. Journal on Communications (通信学报), 2006, Vol. 27, No. 6. *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP03 Change of name, title or address

Address after: Qingshui River, West Park, Chengdu High-tech Zone, Sichuan 611731

Patentee after: Huawei Symantec Technologies Co., Ltd.

Patentee after: University of Electronic Science and Technology of China

Address before: No. 88 Tianchen Road, High-tech Park (University of Electronic Science and Technology of China), Chengdu 611731, Sichuan Province

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

Patentee before: University of Electronic Science and Technology of China

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130109

Termination date: 20190626