CN101820369B - Communication traffic-based intranet worm detection method - Google Patents

Communication traffic-based intranet worm detection method

Info

Publication number
CN101820369B
Authority
CN
China
Prior art keywords
communication
suspicious
traffic
tree
worm
Prior art date
Legal status
Expired - Fee Related
Application number
CN2010101578985A
Other languages
Chinese (zh)
Other versions
CN101820369A (en)
Inventor
林怀忠
苏啸鸣
王学松
Current Assignee
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date
2010-04-27
Filing date
2010-04-27
Publication date
2012-01-04
2010-04-27 Application filed by Zhejiang University ZJU
2010-04-27 Priority to CN2010101578985A
2010-09-01 Publication of CN101820369A
2012-01-04 Application granted
2012-01-04 Publication of CN101820369B
2014-04-27 Expired - Fee Related (current legal status)
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a communication traffic-based intranet worm detection method comprising the following steps: taking mirrored network traffic as the data source and observing the communication between nodes in real time; classifying the communication into normal and suspicious communication, accumulating the traffic volume and communication time of the suspicious communication between each node and the other nodes, and at the same time generating a suspicious communication tree; and combining the traffic volume, the communication time and the size of the suspicious communication tree into a suspicion degree. If the suspicion degree exceeds a preset alarm threshold, a worm outbreak in the intranet is declared and the infection is reported. The method overcomes the difficulty that conventional network worm detection methods have in detecting unknown worms and in distinguishing worms from P2P applications, and detects unknown worms in the intranet effectively.

Description

Intranet worm detection method based on communication traffic
Technical field
The present invention relates to the field of computer security, and in particular to a method for detecting worms in an internal subnet.
Background technology
A network worm is a malicious program that runs autonomously: it scans the network for computer systems or application services with exploitable vulnerabilities, infects them, takes control of the infected system and propagates further. Large-scale worm infections cause information leakage, excessive consumption of computing resources, network congestion and other serious consequences. The well-known Code Red and Slammer worms each caused direct losses of more than one billion dollars within a short time of their outbreak. Network worms have become a major threat to network security.
The key to preventing a worm from running rampant is to find infected hosts early, so that protective devices can take countermeasures against them, such as removing worm files, isolating the host and filtering worm packets. Detecting worm hosts is therefore the critical step in suppressing worm propagation, and research into worm detection has become essential for securing network environments and protecting the interests of society and individuals.
Current network worm detection falls into two broad classes: signature-based detection and network anomaly-based detection.
Signature-based detection is the traditional approach. Captured worm samples are analysed to extract the worm's signature, which is added to the signature database of the detection program; the detection program then matches these signatures against network traffic or host files. This detects known worms well, but has two shortcomings. First, the signature of a new worm or a variant is not available at the moment it first appears, so detection of newly emerging worms is delayed considerably and there is no early-warning capability. Second, polymorphic worms, whose code changes dynamically, have no fixed signature and evade signature-based detection. Such methods therefore have a high miss rate in practice.
Network anomaly-based detection is the direction in which worm detection is developing: it monitors specific network metrics and infers a worm outbreak from anomalies in them. Common methods include counting connections and checking whether the accumulated count exceeds a set threshold; detecting worm activity from anomalies in ICMP messages; and computing the ratio of failed to successful connections and checking whether it exceeds a predetermined threshold. These methods can detect unknown worms, but they too have shortcomings. Either the detection metric is complex and computationally expensive, so the detector consumes many resources and does not scale to subnets with many nodes; or the feature is poorly defined and the metric simplistic, so the method cannot distinguish worms from P2P applications and games software and has a high false alarm rate.
Summary of the invention
The object of the invention is to overcome the shortcomings of the prior art by providing an intranet worm detection method based on communication traffic.
The method takes mirrored network traffic as its data source and observes the communication between nodes in real time. Communication is classified as normal or suspicious; the traffic volume and communication time of the suspicious communication between each node and the other nodes are accumulated, and a suspicious communication tree is generated at the same time. A suspicion degree is computed from the traffic volume, the communication time and the size of the suspicious communication tree; if the suspicion degree exceeds a preset alarm threshold, a worm outbreak in the intranet is declared. The method comprises the following steps:
1) Determine the alarm threshold α and the normality threshold β, with β < α, and the regulating coefficient k; initialize the normal communication table, the suspicious communication table and the suspicious communication tree table; begin receiving the mirrored network traffic.
2) Extract an IP packet from the mirrored traffic. If it is a packet exchanged with the external network, discard it and repeat step 2); otherwise it is an intranet IP packet. Extract its TCP or UDP payload; if it is a TCP packet that is one part of a segmented message, wait until reassembly is complete before executing the next step; otherwise it is a self-contained packet and the next step is executed directly.
3) Assign the packet to a traffic class according to its protocol (TCP or UDP) and port number, and look that class up in the normal communication table. If it is not found, the communication is suspicious and the next step is executed; otherwise it is normal communication and processing jumps back to step 2).
4) Look up the suspicious communication tree table. If no suspicious communication tree yet belongs to this traffic class, create one for the class with the packet's source node as the root node and update the suspicious communication tree table; then execute the next step.
5) Traverse the suspicious communication tree looking for the source node. If it is found, execute the next step; otherwise jump back to step 2).
6) Among the direct child nodes of the source node in the suspicious communication tree, look for the destination node. If it is not found, add the destination node to the tree as a child of the source node and record the traffic volume and communication time on the edge from the source node to the destination node; if it is found, update the traffic volume and communication time already recorded on that edge. Traffic volume is measured in bytes and communication time in milliseconds.
7) Let E be the number of edges in the suspicious communication tree, number the edges i = 1, 2, ..., E, and let $F_i$ and $T_i$ be the traffic volume and communication time on edge i. The average traffic over all edges is
$$\bar F = \frac{1}{E}\sum_{i=1}^{E} F_i,$$
the average communication time is
$$\bar T = \frac{1}{E}\sum_{i=1}^{E} T_i,$$
the standard deviation of the edge traffic is
$$\sigma_F = \left(\frac{\sum_{i=1}^{E}(\bar F - F_i)^2}{E}\right)^{0.5},$$
the standard deviation of the edge communication time is
$$\sigma_T = \left(\frac{\sum_{i=1}^{E}(\bar T - T_i)^2}{E}\right)^{0.5},$$
and the suspicion degree is
$$M = \frac{k}{\bar F^{\,0.5}\,\bar T^{\,0.5}\,\ln(\sigma_F + 1)\,\ln(\sigma_T + 1) + 0.01}.$$
Update the suspicion degree M of this tree in the suspicious communication tree table; if M > α, raise a subnet worm outbreak alarm and report the hosts infected by the worm.
The step of initializing the normal communication table, the suspicious communication table and the suspicious communication tree table comprises:
1) Every suspicious communication tree is recorded in the suspicious communication tree table together with a timer. When the timer expires, the tree is deleted and its suspicion degree M is compared with the normality threshold β: if M < β, the traffic class is added to the normal communication table; otherwise the traffic class and M are saved in the suspicious communication table.
2) The M of each entry in the suspicious communication table decays over time; when M reaches 0, the corresponding traffic class is added to the normal communication table.
3) The normal communication table stores normal traffic classes together with timers; when a timer expires, the corresponding traffic class is deleted from the normal communication table.
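The following is an added example and not code from the patent: a compact Python implementation of steps 3) to 7) and of the tree-expiry rule above, run over constructed message records. It assumes that each input is an already reassembled intranet message carrying a byte count and a communication time in milliseconds (the patent does not say how the per-edge time is derived from individual packets), reads the fraction in M as k divided by (F̄^0.5 T̄^0.5 ln(σ_F+1) ln(σ_T+1) + 0.01), and adds one parameter the patent does not have, min_edges: with a single edge both standard deviations are zero, so M collapses to k/0.01 whatever the traffic, and evaluating M only once a tree has at least two edges avoids alarming on the first packet of every new class.

```python
"""Added example (not the patent's code): suspicious communication trees and
suspicion degree M over constructed message records. Assumptions are marked."""
from __future__ import annotations

import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Message:
    """One reassembled intranet message (constructed input, not real traffic)."""
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    nbytes: int   # payload bytes, added to the edge's traffic F_i
    time_ms: int  # communication time, added to the edge's T_i


@dataclass
class Tree:
    """Suspicious communication tree of one traffic class; edges hold [F_i, T_i]."""
    root: str
    edges: dict = field(default_factory=dict)  # parent -> {child: [bytes, ms]}
    M: float = 0.0

    def has_node(self, node: str) -> bool:
        return node == self.root or any(node == p or node in kids
                                        for p, kids in self.edges.items())

    def all_edges(self) -> list:
        return [tuple(e) for kids in self.edges.values() for e in kids.values()]


def suspicion_degree(tree: Tree, k: float) -> float:
    """Step 7): M from the mean and standard deviation of edge traffic and time."""
    edges = tree.all_edges()
    e = len(edges)
    if e == 0:
        return 0.0
    f_bar = sum(f for f, _ in edges) / e
    t_bar = sum(t for _, t in edges) / e
    sigma_f = math.sqrt(sum((f_bar - f) ** 2 for f, _ in edges) / e)
    sigma_t = math.sqrt(sum((t_bar - t) ** 2 for _, t in edges) / e)
    # the 0.01 keeps the denominator non-zero when all edges are identical (ln 1 = 0)
    denom = math.sqrt(f_bar * t_bar) * math.log(sigma_f + 1) * math.log(sigma_t + 1) + 0.01
    return k / denom


class Detector:
    def __init__(self, alpha: float, beta: float, k: float, normal=(), min_edges: int = 2):
        assert beta < alpha                      # step 1)
        self.alpha, self.beta, self.k, self.min_edges = alpha, beta, k, min_edges
        self.normal_table: set = set(normal)     # traffic classes known to be normal
        self.suspicious_table: dict = {}         # class -> last M (decays over time)
        self.trees: dict = {}                    # class -> Tree

    def observe(self, m: Message):
        """Steps 3) to 7) for one message; returns M when M > alpha, else None."""
        cls = (m.proto, m.dport)                             # step 3): traffic class
        if cls in self.normal_table:
            return None                                      # normal communication
        tree = self.trees.setdefault(cls, Tree(root=m.src))  # step 4): tree per class
        if not tree.has_node(m.src):                         # step 5): source not in tree
            return None
        kids = tree.edges.setdefault(m.src, {})              # step 6): add or update edge
        if m.dst in kids:
            kids[m.dst][0] += m.nbytes
            kids[m.dst][1] += m.time_ms
        else:
            kids[m.dst] = [m.nbytes, m.time_ms]
        if len(tree.all_edges()) < self.min_edges:           # assumption, see lead-in
            return None
        tree.M = suspicion_degree(tree, self.k)              # step 7)
        return tree.M if tree.M > self.alpha else None

    def expire_tree(self, cls) -> str:
        """Tree timer expiry: M < beta whitelists the class, otherwise it stays suspicious."""
        tree = self.trees.pop(cls)
        if tree.M < self.beta:
            self.normal_table.add(cls)
            return "normal"
        self.suspicious_table[cls] = tree.M
        return "suspicious"


def demo() -> dict:
    """Constructed traffic: a worm-like chain of identical small, short transfers on
    tcp/445 and a P2P-like mesh of large, long, uneven transfers on udp/6881."""
    det = Detector(alpha=50.0, beta=1.0, k=1.0, normal={("tcp", 80)})
    worm = [Message("10.0.0.1", "10.0.0.2", "tcp", 445, 200, 10),
            Message("10.0.0.1", "10.0.0.3", "tcp", 445, 200, 10),
            Message("10.0.0.2", "10.0.0.4", "tcp", 445, 200, 10),
            Message("10.0.0.3", "10.0.0.5", "tcp", 445, 200, 10)]
    p2p = [Message("10.0.1.1", "10.0.1.2", "udp", 6881, 50_000, 3_000),
           Message("10.0.1.1", "10.0.1.3", "udp", 6881, 200_000, 12_000),
           Message("10.0.1.2", "10.0.1.4", "udp", 6881, 800_000, 30_000)]
    web = [Message("10.0.2.1", "10.0.2.2", "tcp", 80, 1_500, 20)]  # whitelisted class
    alarms = [det.observe(m) for m in worm + p2p + web]
    return {
        "worm_M": det.trees[("tcp", 445)].M,
        "p2p_M": det.trees[("udp", 6881)].M,
        "first_alarm_index": next((i for i, a in enumerate(alarms) if a is not None), None),
        "web_tree_created": ("tcp", 80) in det.trees,
        "p2p_after_expiry": det.expire_tree(("udp", 6881)),
    }
```

Identical small, short transfers (the worm-like chain) drive both standard deviations to zero and M to k/0.01 = 100, well above α, so the alarm fires on the second tcp/445 message; the large, uneven P2P-like transfers push M below 10^-6, so that class is moved to the normal communication table when its tree timer expires. Note that step 5) only records a message whose source is already in the tree, so each traffic class tracks only the chain rooted at its first observed sender.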
The present invention overcomes the difficulty that existing network worm detection methods have in detecting unknown worms and in distinguishing worms from P2P applications; it detects unknown worms in an internal subnet efficiently and promptly, with a lower false alarm rate.
Description of drawings
Fig. 1 is the overall detection flow chart of the communication traffic-based intranet worm detection method of the invention;
Fig. 2 is the internal processing flow chart of the method;
Fig. 3 is the key data control chart of the method;
Fig. 4 is the deployment diagram of an embodiment of the method;
Fig. 5 is the operation diagram of an embodiment of the method.
Detailed description of the embodiments
The present invention rests on the following theoretical basis:
(1) When a worm spreads within a subnet it forms communication chains, which together make up a tree-shaped communication structure.
(2) The traffic volume and communication time between hosts during worm propagation are far smaller than those of P2P applications.
As shown in Figs. 1 to 3, the communication traffic-based intranet worm detection method comprises:
taking mirrored network traffic as the data source and observing the communication between nodes in real time; classifying the communication as normal or suspicious; accumulating the traffic volume and communication time of the suspicious communication between each node and the other nodes; generating a suspicious communication tree at the same time; computing a suspicion degree from the traffic volume, the communication time and the size of the suspicious communication tree; and, if the suspicion degree exceeds a preset alarm threshold, declaring a worm outbreak in the intranet. Specifically, the method comprises the following steps:
1) Determine the alarm threshold α and the normality threshold β, with β < α, and the regulating coefficient k; initialize the normal communication table, the suspicious communication table and the suspicious communication tree table; begin receiving the mirrored network traffic.
2) Extract an IP packet from the mirrored traffic. If it is a packet exchanged with the external network, discard it and repeat step 2); otherwise it is an intranet IP packet. Extract its TCP or UDP payload; if it is a TCP packet that is one part of a segmented message, wait until reassembly is complete before executing the next step; otherwise it is a self-contained packet and the next step is executed directly.
3) Assign the packet to a traffic class according to its protocol (TCP or UDP) and port number, and look that class up in the normal communication table. If it is not found, the communication is suspicious and the next step is executed; otherwise it is normal communication and processing jumps back to step 2).
4) Look up the suspicious communication tree table. If no suspicious communication tree yet belongs to this traffic class, create one for the class with the packet's source node as the root node and update the suspicious communication tree table; then execute the next step.
5) Traverse the suspicious communication tree looking for the source node. If it is found, execute the next step; otherwise jump back to step 2).
6) Among the direct child nodes of the source node in the suspicious communication tree, look for the destination node. If it is not found, add the destination node to the tree as a child of the source node and record the traffic volume and communication time on the edge from the source node to the destination node; if it is found, update the traffic volume and communication time already recorded on that edge. Traffic volume is measured in bytes and communication time in milliseconds.
7) Let E be the number of edges in the suspicious communication tree, number the edges i = 1, 2, ..., E, and let $F_i$ and $T_i$ be the traffic volume and communication time on edge i. The average traffic over all edges is
$$\bar F = \frac{1}{E}\sum_{i=1}^{E} F_i,$$
the average communication time is
$$\bar T = \frac{1}{E}\sum_{i=1}^{E} T_i,$$
the standard deviation of the edge traffic is
$$\sigma_F = \left(\frac{\sum_{i=1}^{E}(\bar F - F_i)^2}{E}\right)^{0.5},$$
the standard deviation of the edge communication time is
$$\sigma_T = \left(\frac{\sum_{i=1}^{E}(\bar T - T_i)^2}{E}\right)^{0.5},$$
and the suspicion degree is
$$M = \frac{k}{\bar F^{\,0.5}\,\bar T^{\,0.5}\,\ln(\sigma_F + 1)\,\ln(\sigma_T + 1) + 0.01}.$$
Update the suspicion degree M of this tree in the suspicious communication tree table; if M > α, raise a subnet worm outbreak alarm and report the hosts infected by the worm.
The step of initializing the normal communication table, the suspicious communication table and the suspicious communication tree table comprises:
1) Every suspicious communication tree is recorded in the suspicious communication tree table together with a timer. When the timer expires, the tree is deleted and its suspicion degree M is compared with the normality threshold β: if M < β, the traffic class is added to the normal communication table; otherwise the traffic class and M are saved in the suspicious communication table.
2) The M of each entry in the suspicious communication table decays over time; when M reaches 0, the corresponding traffic class is added to the normal communication table.
3) The normal communication table stores normal traffic classes together with timers; when a timer expires, the corresponding traffic class is deleted from the normal communication table.
Embodiment
As shown in Fig. 4, a detector component implementing the communication traffic-based intranet worm detection method is deployed at the key node where the intranet connects to the external network, attached to the internal switch or router. It monitors all packets passing through the network's central node, runs the traffic-based intranet worm detection program, and detects in real time whether a worm has broken out in the subnet.
As shown in Fig. 5, the detector consists of a traffic collection unit, a packet extraction unit, a core analysis unit, a suspicion degree comparison unit and an alarm unit; the core analysis unit performs its analysis using the normal communication table, the suspicious communication table and the suspicious communication tree table.
The traffic collection unit obtains the mirrored network traffic of the whole subnet from the switch or router.
The packet extraction unit extracts IP packets from the traffic collection unit, filters out packets exchanged with the external network, distinguishes TCP from UDP packets, reassembles segmented packets, and passes the extracted packets to the core analysis unit.
The core analysis unit classifies packets into traffic classes, identifies suspicious packets, and creates and maintains one suspicious communication tree per traffic class; the nodes of a tree are suspicious communication nodes, and its edges record the traffic volume and communication time between suspicious nodes.
The suspicion degree comparison unit computes the suspicion degree of each recently updated suspicious communication tree and compares it with the predetermined threshold; if the suspicion degree exceeds the threshold, the communication in that tree is judged to be worm communication.
The alarm unit promptly issues a worm alarm and a report of the suspicious hosts based on the result of the suspicion degree comparison unit.
The core analysis unit queries the normal communication table and dynamically generates and updates the suspicious communication tree table; the suspicious communication tree table, the suspicious communication table and the normal communication table interact through internal timers, so that the normal communication table is updated in real time.
Operating under these rules, the detector detects intranet worm outbreaks in real time with a high detection rate and a low false alarm rate; in particular, the false alarm rate remains low even when the intranet carries large volumes of P2P traffic.

Claims (1)

1. An intranet worm detection method based on communication traffic, characterized in that:
mirrored network traffic is taken as the data source and the communication between nodes is observed in real time; the communication is classified as normal or suspicious; the traffic volume and communication time of the suspicious communication between each node and the other nodes are accumulated; a suspicious communication tree is generated at the same time; a suspicion degree is computed from the traffic volume, the communication time and the size of the suspicious communication tree; and, if the suspicion degree exceeds a preset alarm threshold, a worm outbreak in the intranet is declared; specifically, the method comprises the following steps:
1) determining the alarm threshold α and the normality threshold β, with β < α, and the regulating coefficient k; initializing the normal communication table, the suspicious communication table and the suspicious communication tree table; and beginning to receive the mirrored network traffic;
2) extracting an IP packet from the mirrored traffic; if it is a packet exchanged with the external network, discarding it and repeating step 2); otherwise it is an intranet IP packet; extracting its TCP or UDP payload; if it is a TCP packet that is one part of a segmented message, waiting until reassembly is complete before executing the next step; otherwise it is a self-contained packet and the next step is executed directly;
3) assigning the packet to a traffic class according to its protocol (TCP or UDP) and port number, and looking that class up in the normal communication table; if it is not found, the communication is suspicious and the next step is executed; otherwise it is normal communication and processing jumps back to step 2);
4) looking up the suspicious communication tree table; if no suspicious communication tree yet belongs to this traffic class, creating one for the class with the packet's source node as the root node and updating the suspicious communication tree table; then executing the next step;
5) traversing the suspicious communication tree looking for the source node; if it is found, executing the next step; otherwise jumping back to step 2);
6) looking for the destination node among the direct child nodes of the source node in the suspicious communication tree; if it is not found, adding the destination node to the tree as a child of the source node and recording the traffic volume and communication time on the edge from the source node to the destination node; if it is found, updating the traffic volume and communication time already recorded on that edge; traffic volume is measured in bytes and communication time in milliseconds;
7) letting E be the number of edges in the suspicious communication tree, numbering the edges i = 1, 2, ..., E, and letting $F_i$ and $T_i$ be the traffic volume and communication time on edge i; the average traffic over all edges is
$$\bar F = \frac{1}{E}\sum_{i=1}^{E} F_i,$$
the average communication time is
$$\bar T = \frac{1}{E}\sum_{i=1}^{E} T_i,$$
the standard deviation of the edge traffic is
$$\sigma_F = \left(\frac{\sum_{i=1}^{E}(\bar F - F_i)^2}{E}\right)^{0.5},$$
the standard deviation of the edge communication time is
$$\sigma_T = \left(\frac{\sum_{i=1}^{E}(\bar T - T_i)^2}{E}\right)^{0.5},$$
and the suspicion degree is
$$M = \frac{k}{\bar F^{\,0.5}\,\bar T^{\,0.5}\,\ln(\sigma_F + 1)\,\ln(\sigma_T + 1) + 0.01};$$
updating the suspicion degree M of this tree in the suspicious communication tree table; and, if M > α, raising a subnet worm outbreak alarm and reporting the hosts infected by the worm;
wherein the step of initializing the normal communication table, the suspicious communication table and the suspicious communication tree table comprises:
1) recording every suspicious communication tree in the suspicious communication tree table together with a timer; when the timer expires, deleting the tree and comparing its suspicion degree M with the normality threshold β; if M < β, adding the traffic class to the normal communication table; otherwise saving the traffic class and M in the suspicious communication table;
2) letting the M of each entry in the suspicious communication table decay over time; when M reaches 0, adding the corresponding traffic class to the normal communication table;
3) storing normal traffic classes together with timers in the normal communication table; when a timer expires, deleting the corresponding traffic class from the normal communication table.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101578985A CN101820369B (en) 2010-04-27 2010-04-27 Communication traffic-based intranet worm detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101578985A CN101820369B (en) 2010-04-27 2010-04-27 Communication traffic-based intranet worm detection method

Publications (2)

Publication Number Publication Date
CN101820369A CN101820369A (en) 2010-09-01
CN101820369B true CN101820369B (en) 2012-01-04

Family

ID=42655322

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101578985A Expired - Fee Related CN101820369B (en) 2010-04-27 2010-04-27 Communication traffic-based intranet worm detection method

Country Status (1)

Country Link
CN (1) CN101820369B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104361283B (en) * 2014-12-05 2018-05-18 网宿科技股份有限公司 The method for protecting Web attacks

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184097A (en) * 2007-12-14 2008-05-21 北京大学 Method of detecting worm activity based on flux information
CN101521672B (en) * 2009-04-03 2011-11-23 中国科学院计算技术研究所 Network worm detection method and detection system
CN101572713A (en) * 2009-06-10 2009-11-04 成都市华为赛门铁克科技有限公司 Method for detecting worm and system thereof

Also Published As

Publication number Publication date
CN101820369A (en) 2010-09-01

Similar Documents

Publication Publication Date Title
CN110011999B (en) IPv6 network DDoS attack detection system and method based on deep learning
CN106357673B (en) A kind of multi-tenant cloud computing system ddos attack detection method and system
CN106453392B (en) Whole network exception stream recognition method based on traffic characteristic distribution
CN102821002B (en) Network flow abnormal detecting method and system
CN102340485B (en) Network security situation awareness system and method based on information correlation
CN104937886B (en) Log analysis device, information processing method
Yegneswaran et al. Using honeynets for internet situational awareness
CN100531219C (en) A network worm detection method and its system
CN111541661A (en) Power information network attack scene reconstruction method and system based on causal knowledge
KR101375813B1 (en) Active security sensing device and method for intrusion detection and audit of digital substation
CN1578227A (en) Dynamic IP data packet filtering method
CN110191004B (en) Port detection method and system
CN112910918A (en) Industrial control network DDoS attack traffic detection method and device based on random forest
CN106330611A (en) Anonymous protocol classification method based on statistical feature classification
CN103532957A (en) Device and method for detecting trojan remote shell behavior
CN108965248A (en) A kind of P2P Botnet detection system and method based on flow analysis
CN111294342A (en) Method and system for detecting DDos attack in software defined network
CN109194608A (en) Event detecting method is gathered around in a kind of ddos attack based on stream and sudden strain of a muscle
CN113783880A (en) Network security detection system and network security detection method thereof
CN102104606B (en) Worm detection method of intranet host
CN115766235A (en) Network security early warning system and early warning method
CN113660267B (en) Botnet detection system, method and storage medium for IoT environment
CN114363080A (en) Monitoring analysis method, device, equipment and storage medium of network terminal
CN104079452A (en) Data monitoring technology and network traffic abnormality classifying method
CN117395076A (en) Network perception abnormality detection system and method based on big data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120104

Termination date: 20140427