CN102185869A - Worm detecting method for BT download network - Google Patents
- Publication number
- CN102185869A (application CN2011101352998A)
- Authority
- CN
- China
- Prior art keywords
- alert message
- supervising device
- client node
- network
- worm
- Legal status
- Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a worm detection method for a BT download network. Neighbor-node cache monitors are installed at all client nodes of the BT network, and each monitor uses the neighbor-node cache to find the monitors on adjacent nodes, so that a monitoring network is formed on top of the BT network. When a monitor observes that its node is communicating with an adjacent node, it sends an existing or newly generated warning message to the monitor of that adjacent node; the warning message carries a counter and a timer, and each time the message is sent the counter is incremented and the timer is reset. On receiving a warning message, each monitor checks whether its counter exceeds a normal threshold: if it does, worm activity is considered to be present in the BT network; if not, the warning message is discarded when its timer reaches zero. The method overcomes the shortcoming that traditional network worm detection methods are unsuitable for detecting worms in a BT network, and can effectively detect worm outbreaks in the BT network.
Description
Technical field
The present invention relates to a worm detection method for the BT download network and belongs to the technical field of computer security.
Background technology
A network worm is a malicious program that runs on its own. It scans the network for computer systems or application services with vulnerabilities, infects them, takes control of the infected system and propagates further. Large-scale worm infection causes information leakage, exhaustion of computing resources, network congestion and other serious consequences. The well-known Code Red and Slammer worms each caused direct losses of more than one billion dollars within a short time of their outbreak. Network worms have become a major factor affecting network security today.
BT, short for BitTorrent (known in Chinese as "bit stream"), is an emerging open peer-to-peer transfer protocol on the Internet. Under the BitTorrent protocol, the publisher of a file generates a .torrent file, also called a seed file, from the file to be distributed. A downloader who wants the file must first obtain the corresponding .torrent file and then download the content with a BT client.
The key to stopping a worm from running rampant is to find infected hosts early, after which protective devices can take countermeasures against them, such as removing the worm files, isolating the host or filtering worm packets. Worm detection is therefore the critical step in suppressing worm propagation, and research into worm detection has become an urgent need for securing the network environment and protecting the interests of society and individuals.
Current methods for detecting network worms fall into two broad classes: signature-based detection and network-anomaly-based detection.
Signature-based detection is the more traditional method. It first analyses a captured worm sample to obtain the worm's signature, then matches that signature against network traffic or host files to detect the worm. It detects known worms well but has two shortcomings. First, the signature of a new worm or of a variant cannot be obtained immediately, so detection of newly appearing worms is delayed and there is no early-warning capability. Second, polymorphic worms whose code changes dynamically have no fixed signature and evade signature-based detection, which gives a high miss rate. Such methods cannot guard against a fast-breaking BT network worm.
Network-anomaly-based detection is the direction in which worm detection is developing. It monitors particular network indicators and detects a worm outbreak from anomalies in those indicators. Common approaches include counting connections and checking whether the accumulated count exceeds a set threshold; detecting worm activity from anomalies in ICMP message statistics; and computing the ratio of failed to successful connections and checking whether it exceeds a preset threshold. These methods can detect unknown worms, but they too have shortcomings: existing methods based on network features either require a large amount of computation and therefore perform poorly in real time, or rely on simple indicators and therefore have a high false-alarm rate. Their detection rate for BT network worms is also low.
Summary of the invention
The object of the invention is to overcome the shortcoming of the prior art, which is unsuitable for detecting BT network worms, by providing a worm detection method for the BT download network.
The steps of the worm detection method for the BT download network are as follows:
1) A monitoring device is installed on every BT client node. The monitoring device reads the neighbor-node cache of its host BT client node, finds the adjacent BT client nodes and connects to the monitoring devices on those nodes, so that every monitoring device is connected to all of its adjacent monitoring devices. Each monitoring device takes an initial sample of the traffic volume exchanged between its host node and the adjacent nodes: a time period m is set and divided into p equal segments, and in every interval of length m/p the monitoring device records the volume of network traffic exchanged between the host node and all adjacent nodes in its traffic monitoring table and fits the distribution of these values. Each monitoring device builds an alert message set sized to the number of adjacent BT client nodes, and a normal threshold α is set;
2) The monitoring device monitors its host BT client node and waits for alert messages from adjacent monitoring devices. If the alert message set holds alert messages, their timers are decremented as time passes, and a message is discarded when its timer reaches zero. If the host node communicates with an adjacent BT client node, go to step 3); if an alert message arrives from an adjacent monitoring device, go to step 4);
3) If the monitoring device holds no alert message, it generates one with the counter initialized to 1 and the timer set to t; if an alert message already exists, its counter is incremented by 1 and its timer is reset to t. The generated or updated alert message is then sent to the monitoring device on the BT client node being communicated with, and the method returns to step 2);
4) The counter of the received alert message is checked. If the counter is below the normal threshold α, the message is stored in the monitoring device's alert message set; if the set already holds an alert message from the same source, only the one with the larger counter is kept, and the method returns to step 2). If the counter exceeds α, the monitoring device resamples the traffic volume exchanged between its host node and the adjacent nodes and sends the result to the decision center device. The decision center compares the traffic statistics from the initial sample with those from the resample; if the two samples do not belong to the same distribution, worm activity is deemed to be present in the BT network and a worm alarm is issued.
The invention overcomes the shortcomings of existing network worm detection techniques, which cannot detect a BT network worm outbreak quickly and have a high miss rate, and can detect worms breaking out in the BT network accurately, efficiently and in real time.
Description of drawings
Fig. 1 is the overall scheme of the worm detection method for the BT download network;
Fig. 2 is the basic detection flow chart of the worm detection method for the BT download network;
Fig. 3 is a deployment example of the worm detection method for the BT download network according to the invention in a Chord network;
Fig. 4 shows the implementation of the routing-table monitoring device and the decision center device for the Chord network according to the invention.
Detailed description
The invention rests on the following theoretical basis:
(1) When a BT client in a network performs download activity, it communicates with other clients in that network, which satisfies the conditions for worm propagation.
(2) Under normal conditions, the alert messages of a BT client's monitoring device per unit time follow a specific distribution and stay close to some normal value; when the client is infected by a worm, the number of alert messages per unit time necessarily rises sharply and clearly exceeds the normal value.
As shown in Figs. 1 and 2, the steps of the worm detection method for the BT download network are as follows:
1) A monitoring device is installed on every BT client node. The monitoring device reads the neighbor-node cache of its host BT client node, finds the adjacent BT client nodes and connects to the monitoring devices on those nodes, so that every monitoring device is connected to all of its adjacent monitoring devices. Each monitoring device takes an initial sample of the traffic volume exchanged between its host node and the adjacent nodes: a time period m is set and divided into p equal segments, and in every interval of length m/p the monitoring device records the volume of network traffic exchanged between the host node and all adjacent nodes in its traffic monitoring table and fits the distribution of these values. Each monitoring device builds an alert message set sized to the number of adjacent BT client nodes, and a normal threshold α is set;
2) The monitoring device monitors its host BT client node and waits for alert messages from adjacent monitoring devices. If the alert message set holds alert messages, their timers are decremented as time passes, and a message is discarded when its timer reaches zero. If the host node communicates with an adjacent BT client node, go to step 3); if an alert message arrives from an adjacent monitoring device, go to step 4);
3) If the monitoring device holds no alert message, it generates one with the counter initialized to 1 and the timer set to t; if an alert message already exists, its counter is incremented by 1 and its timer is reset to t. The generated or updated alert message is then sent to the monitoring device on the BT client node being communicated with, and the method returns to step 2);
4) The counter of the received alert message is checked. If the counter is below the normal threshold α, the message is stored in the monitoring device's alert message set; if the set already holds an alert message from the same source, only the one with the larger counter is kept, and the method returns to step 2). If the counter exceeds α, the monitoring device resamples the traffic volume exchanged between its host node and the adjacent nodes and sends the result to the decision center device. The decision center compares the traffic statistics from the initial sample with those from the resample; if the two samples do not belong to the same distribution, worm activity is deemed to be present in the BT network and a worm alarm is issued.
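The four-step procedure above, run as a small simulation. This is an added example, not code from the patent: the Alert, Monitor and DecisionCenter classes, the choice of a two-sample Kolmogorov-Smirnov test for the "same distribution" comparison (which the patent leaves unspecified), the rule that a monitor holding several alert messages advances the one with the largest counter, the treatment of a counter equal to α as still normal, and all traffic figures are assumptions. Two runs are contrasted: intermittent ordinary exchanges, where timers expire before any counter grows, and an infected swarm that contacts every neighbor every tick, where counters pass α and the resample no longer matches the baseline.

```python
"""Simulation of the alert-message worm detector for a BT network.
Added example, not the patent's code; class names, the KS test and all
traffic values are assumptions made for illustration."""
import math
import random
from dataclasses import dataclass

KS_CRIT_5PCT = 1.358  # c(alpha) of the two-sample KS test at the 5% level


@dataclass
class Alert:
    source: str   # monitor that generated the message
    counter: int  # incremented on every communication that forwards it
    timer: int    # remaining ticks; the message is dropped when it reaches 0


def ks_same_distribution(a, b, crit=KS_CRIT_5PCT):
    """True if the two samples are consistent with one distribution."""
    n, m = len(a), len(b)
    if n < 2 or m < 2:           # too little data to say anything
        return True
    a, b = sorted(a), sorted(b)
    d = 0.0
    for x in a + b:
        fa = sum(1 for v in a if v <= x) / n
        fb = sum(1 for v in b if v <= x) / m
        d = max(d, abs(fa - fb))
    return d <= crit * math.sqrt((n + m) / (n * m))


class DecisionCenter:
    """Second stage: compares the initial sample with the resample."""
    def __init__(self):
        self.alarms = []

    def check(self, node, initial_sample, resample):
        if ks_same_distribution(initial_sample, resample):
            return False
        self.alarms.append(node)
        return True


class Monitor:
    def __init__(self, node, t, alpha, center):
        self.node, self.t, self.alpha, self.center = node, t, alpha, center
        self.alerts = {}          # alert message set, keyed by source
        self.initial_sample = []  # step 1: p traffic counts, one per m/p window
        self.traffic = []         # recent per-exchange traffic, for resampling

    def tick(self):
        """Step 2: age timers, discard messages whose timer reaches zero."""
        for src, msg in list(self.alerts.items()):
            msg.timer -= 1
            if msg.timer <= 0:
                del self.alerts[src]

    def communicate(self, peer, volume):
        """Step 3: this node exchanges data with a neighbour."""
        self.traffic.append(volume)
        peer.traffic.append(volume)
        if not self.alerts:
            msg = Alert(self.node, 1, self.t)
        else:  # assumption: advance the message with the largest counter
            msg = max(self.alerts.values(), key=lambda a: a.counter)
            msg.counter += 1
            msg.timer = self.t
        self.alerts[msg.source] = msg
        return peer.receive(Alert(msg.source, msg.counter, msg.timer))

    def receive(self, msg):
        """Step 4: threshold check; store, or resample and escalate."""
        if msg.counter <= self.alpha:  # assumption: equality is still normal
            held = self.alerts.get(msg.source)
            if held is None or msg.counter > held.counter:
                self.alerts[msg.source] = msg
            return False
        resample = self.traffic[-len(self.initial_sample):]
        return self.center.check(self.node, self.initial_sample, resample)


def simulate(worm, n_nodes=6, t=3, alpha=4, p=20, ticks=40, seed=7):
    """Return True if the decision centre raised a worm alarm."""
    rng = random.Random(seed)
    center = DecisionCenter()
    mons = [Monitor(f"n{i}", t, alpha, center) for i in range(n_nodes)]
    for mon in mons:  # step 1: baseline of ordinary exchanges (constructed)
        mon.initial_sample = [rng.gauss(100, 10) for _ in range(p)]
    alarm = False
    for step in range(ticks):
        for mon in mons:
            mon.tick()
        if worm:   # infected peers contact every neighbour every tick
            for src in mons:
                for dst in mons:
                    if src is not dst:
                        alarm |= src.communicate(dst, rng.gauss(400, 20))
        elif step % (t + 1) == 0:  # ordinary, intermittent exchanges
            src = mons[(step // (t + 1)) % n_nodes]
            dst = mons[((step // (t + 1)) + 1) % n_nodes]
            alarm |= src.communicate(dst, rng.gauss(100, 10))
    return alarm
```

In the intermittent run each alert message dies with its timer (t = 3 ticks, exchanges every 4), so no counter ever passes α. In the worm run counters exceed α within the first tick; the first escalations are rejected by the decision centre only because the receiving monitor has too few resample points, and the alarm fires as soon as a monitor with a handful of worm-sized exchanges is asked to resample. The two-stage design matters: a sustained but ordinary chain of exchanges would also push a counter past α, and it is the distribution comparison, not the counter alone, that is meant to suppress that false alarm.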
Embodiment
As shown in Fig. 3, BT clients and monitoring devices are deployed according to the worm detection method for the BT download network of the invention; the network under test is a P2P network called Chord. Deploying BT download clients in this network forms a BT download network. There are about 10,000 ordinary Chord nodes and about 50 BT clients, and the monitoring devices join the Chord network.
Fig. 4 shows a BT client and a monitoring device implemented according to the worm detection method for the BT download network of the invention. The monitoring device reads the neighbor-node cache of its host BT client node, finds the adjacent BT client nodes and connects to the monitoring devices on them, so that it is connected to all adjacent monitoring devices, and builds an alert message set sized to the number of adjacent BT client nodes. The monitoring device monitors its host node and waits for alert messages from adjacent monitoring devices; if the alert message set holds messages, their timers are decremented as time passes and a message is discarded when its timer reaches zero. On receiving an alert message from an adjacent monitoring device, it checks the counter in the message and reports to the decision center device. If the counter exceeds the normal threshold α, worm activity is deemed to be present in the BT network and a worm alarm is issued.
This detection method monitors anomalies in the BT download network effectively and at low implementation cost. It detects worm outbreaks in the BT download network in real time and issues a worm outbreak alarm, which network administrators can use to clear network faults promptly or to take preventive measures, so that outbreaks of BT download worms are detected accurately, efficiently and in real time.
Claims (1)
1. A worm detection method for a BT download network, characterized in that its steps are as follows:
1) A monitoring device is installed on every BT client node. The monitoring device reads the neighbor-node cache of its host BT client node, finds the adjacent BT client nodes and connects to the monitoring devices on those nodes, so that every monitoring device is connected to all of its adjacent monitoring devices. Each monitoring device takes an initial sample of the traffic volume exchanged between its host node and the adjacent nodes: a time period m is set and divided into p equal segments, and in every interval of length m/p the monitoring device records the volume of network traffic exchanged between the host node and all adjacent nodes in its traffic monitoring table and fits the distribution of these values. Each monitoring device builds an alert message set sized to the number of adjacent BT client nodes, and a normal threshold α is set;
2) The monitoring device monitors its host BT client node and waits for alert messages from adjacent monitoring devices. If the alert message set holds alert messages, their timers are decremented as time passes, and a message is discarded when its timer reaches zero. If the host node communicates with an adjacent BT client node, go to step 3); if an alert message arrives from an adjacent monitoring device, go to step 4);
3) If the monitoring device holds no alert message, it generates one with the counter initialized to 1 and the timer set to t; if an alert message already exists, its counter is incremented by 1 and its timer is reset to t. The generated or updated alert message is then sent to the monitoring device on the BT client node being communicated with, and the method returns to step 2);
4) The counter of the received alert message is checked. If the counter is below the normal threshold α, the message is stored in the monitoring device's alert message set; if the set already holds an alert message from the same source, only the one with the larger counter is kept, and the method returns to step 2). If the counter exceeds α, the monitoring device resamples the traffic volume exchanged between its host node and the adjacent nodes and sends the result to the decision center device. The decision center compares the traffic statistics from the initial sample with those from the resample; if the two samples do not belong to the same distribution, worm activity is deemed to be present in the BT network and a worm alarm is issued.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011101352998A CN102185869A (en) | 2011-05-24 | 2011-05-24 | Worm detecting method for BT download network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102185869A true CN102185869A (en) | 2011-09-14 |
Family
ID=44571939
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2011101352998A Pending CN102185869A (en) | 2011-05-24 | 2011-05-24 | Worm detecting method for BT download network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102185869A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103095529A (en) * | 2013-01-09 | 2013-05-08 | 华为技术有限公司 | Method and device for detecting engine device, firewall and network transmission file |
CN103095529B (en) * | 2013-01-09 | 2016-06-29 | 华为技术有限公司 | The method of detecting and alarm device, fire wall, detection network transmission file and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3577872B1 (en) | Method and attack detection function for detection of a distributed attack in a wireless network | |
US8001601B2 (en) | Method and apparatus for large-scale automated distributed denial of service attack detection | |
CN109962903B (en) | Home gateway security monitoring method, device, system and medium | |
KR100561628B1 (en) | Method for detecting abnormal traffic in network level using statistical analysis | |
CN100531219C (en) | A network worm detection method and its system | |
KR100748246B1 (en) | Multi-step integrated security monitoring system and method using intrusion detection system log collection engine and traffic statistic generation engine | |
CN104506385B (en) | A kind of software defined network safety situation evaluation method | |
CN111049843A (en) | Intelligent substation network abnormal flow analysis method | |
CN104202336A (en) | DDoS attack detection method based on information entropy | |
WO2010093674A2 (en) | Multi-tiered scalable network monitoring | |
CN101980506A (en) | Flow characteristic analysis-based distributed intrusion detection method | |
CN117395076B (en) | Network perception abnormality detection system and method based on big data | |
Neu et al. | Lightweight IPS for port scan in OpenFlow SDN networks | |
CN102104606B (en) | Worm detection method of intranet host | |
CN106685962A (en) | System and method for defense of reflective DDOS attack flow | |
CN113783880A (en) | Network security detection system and network security detection method thereof | |
Lu et al. | Detecting network anomalies using CUSUM and EM clustering | |
CN102185869A (en) | Worm detecting method for BT download network | |
Dalati et al. | NGS: mitigating DDoS attacks using SDN-based network gate shield | |
CN101815076B (en) | Method for detecting worm host computer in local area network | |
Wu et al. | Network Traffic Monitoring and Real-time Risk Warning based on Static Baseline Algorithm | |
CN101820369B (en) | Communication traffic-based intranet worm detection method | |
CN104038372A (en) | Power wide area network (WAN) flow monitoring method | |
Xia et al. | Cids: Adapting legacy intrusion detection systems to the cloud with hybrid sampling | |
Praneeth et al. | Remote Packet Monitoring: Real-Time Network Analysis from Anywhere |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 2011-09-14