CN104468601A - P2P worm detecting system and method - Google Patents
- Publication number: CN104468601A (application CN201410798351.1A)
- Authority: CN (China)
- Prior art keywords: worm, data, feature, module, packet
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/10—Protocols in which an application is distributed across nodes in the network
            - H04L67/104—Peer-to-peer [P2P] networks
Abstract
An embodiment of the invention discloses a P2P worm detection system and method. The system comprises a packet capture module, a P2P data filtering module, a P2P worm feature matching module, a feature string recombination module and an unknown worm detection module. The packet capture module captures packets from the network, parses the structure of each captured packet and obtains its data information. The P2P data filtering module filters out non-P2P data according to the features of P2P protocols, leaving P2P data. The P2P worm feature matching module matches the P2P data that passed the filter against the feature strings in a P2P worm feature base. The feature string recombination module recombines P2P packets when the feature matching module does not find a complete worm feature string in the P2P data. The unknown worm detection module performs unknown P2P worm detection on the remaining P2P data; if an anomaly is found, features are extracted from the packets and the feature string is added to the P2P worm feature base. The false negative rate and the false positive rate are effectively reduced, and the overall detection rate and accuracy are improved.
Description
Technical field
The present invention relates to the field of network technology, and in particular to a P2P worm detection system and method.
Background art
In recent years P2P technology, as a popular network technology, has been applied more and more to fields such as file sharing, distributed computing and resource searching. The advantages of P2P systems, such as a high degree of sharing, node independence and self-adaptation, have attracted an increasing number of users, but at the same time they provide the conditions for worms to propagate. Because each node in a P2P network has a different ability to defend against worms, as soon as one node is infected the worm can spread to neighbouring nodes through the internal sharing and communication mechanisms; within a short time this can cause network congestion or even paralysis, loss of shared information and theft of confidential information, and in the extreme the whole network can be taken over completely. The seriousness of this harm has attracted great attention. Since the P2P software in use on the Internet today lacks a common specification and is highly random and diverse, neither the software nor the systems running it can be guaranteed free of security vulnerabilities, in their programs or in their management. P2P worms exploit application vulnerabilities and use the interactive nature of peer-to-peer networks to spread autonomously; they are a major threat to the Internet at large and to P2P users.
A network worm is a stand-alone program that runs without user intervention; it propagates by continually obtaining partial or complete control of vulnerable computers in the network, and it poses a huge threat to network security. A P2P worm is a kind of network worm: it has the general characteristics of ordinary worms, but as a worm propagating in a P2P network it also has characteristics of its own. Domestic research on P2P worm detection methods is currently limited; most of it studies P2P worms through propagation models, and some progress has been made. Because P2P worms share the general characteristics of ordinary network worms, the detection methods for ordinary worms apply equally to P2P worms, but each of these detection methods has its own shortcomings:
(1) Some systems monitor the active behaviour of computers, typically by checking account records and the operating system's logs. Monitoring a host yields important information for worm detection, but if the host itself is easily infected, these data may be unreliable. EarlyBird, for example, is a host-based real-time unknown worm detection system.
(2) Some detection systems treat every behaviour that deviates from normal behaviour as an attack, but it is difficult for them to give a precise definition of normal behaviour in the network, and only part of the abnormal behaviour is actually aggressive, so such systems have a very high false alarm rate. The LAWS system proposed by Jason C. Hung et al. is a worm detection system based on this kind of behaviour.
(3) In most cases the defence against a worm can only be carried out after the worm attack has already done damage. Moore et al. studied the efficiency of network worm defence techniques and proposed that, for such systems to take effect within a few minutes, nearly all network paths would have to be blocked before the worm could be defended against successfully. Williamson proposed modifying the existing network stack so as to limit the rate of connections to particular destinations. The main problem is that, for this method to take effect, most hosts in the network must upgrade to the new network stack.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a P2P worm detection system and method that effectively reduce the false negative rate and the false positive rate and improve the overall detection rate and accuracy.
To solve the above problem, the present invention proposes a P2P worm detection system comprising:
a packet capture module, for capturing packets from the network, parsing the structure of the captured packets and obtaining their data information;
a P2P data filtering module, for filtering out non-P2P data according to the features of P2P protocols to obtain P2P data;
a P2P worm feature matching module, for matching the P2P data that has passed the P2P data filtering module against the feature strings in a P2P worm feature base;
a feature string recombination module, for recombining P2P packets when the P2P worm feature matching module does not match a complete worm feature string in the P2P data;
an unknown worm detection module, for performing unknown P2P worm detection on the remaining P2P data and, if an anomaly is found, extracting features from the packets and adding the feature string to the P2P worm feature base.
Preferably, the data information comprises: MAC address, IP address, protocol type and port number.
Preferably, the feature string recombination module is further configured to recombine P2P packets when the P2P worm feature matching module matches the tail or the head of a worm feature string at the head or the tail of the P2P data.
Preferably, the unknown worm detection module is further configured to perform unknown P2P worm detection on the remaining P2P data according to P2P worm detection rules.
Correspondingly, an embodiment of the present invention also provides a P2P worm detection method comprising:
the packet capture module capturing packets from the network, parsing the structure of the captured packets and obtaining their data information;
the P2P data filtering module filtering out non-P2P data according to the features of P2P protocols to obtain P2P data;
the P2P worm feature matching module matching the P2P data that has passed the P2P data filtering module against the feature strings in the P2P worm feature base;
when the P2P worm feature matching module does not match a complete worm feature string in the P2P data, the feature string recombination module recombining the P2P packets;
the unknown worm detection module performing unknown P2P worm detection on the remaining P2P data and, if an anomaly is found, extracting features from the packets and adding the feature string to the P2P worm feature base.
Preferably, the data information comprises: MAC address, IP address, protocol type and port number.
Preferably, the step in which the feature string recombination module recombines the P2P packets when the P2P worm feature matching module does not match a complete worm feature string in the P2P data comprises: recombining the P2P packets when the P2P worm feature matching module matches the tail or the head of a worm feature string at the head or the tail of the P2P data.
Preferably, the step in which the unknown worm detection module performs unknown P2P worm detection on the remaining P2P data comprises: performing unknown P2P worm detection on the remaining P2P data according to P2P worm detection rules.
In the embodiment of the present invention, a packet capture mechanism captures packets from the network, the relevant features of P2P protocols are applied to filter out P2P traffic, and the captured P2P packets are subjected to both known and unknown P2P worm detection. Combining misuse detection with anomaly detection effectively reduces the false negative rate and the false positive rate and improves the overall detection rate and accuracy. In addition, the features of unknown worms can be extracted automatically and the feature base updated promptly, which keeps the features current and compensates for the shortcomings of feature-based detection.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the structure of the P2P worm detection system of the embodiment of the present invention;
Fig. 2 is a schematic flow chart of the P2P worm detection method of the embodiment of the present invention;
Fig. 3 is a schematic diagram of the packet capture procedure in the embodiment of the present invention;
Fig. 4 is a schematic diagram of the P2P packet filtering process in the embodiment of the present invention;
Fig. 5 and Fig. 6 are schematic diagrams of the feature string matching process in the embodiment of the present invention;
Fig. 7 is a schematic diagram of the feature string recombination process in the embodiment of the present invention;
Fig. 8 is a schematic diagram of the unknown P2P worm detection process in the embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the embodiment of the present invention, a packet capture mechanism captures packets from the network, the relevant features of P2P protocols are applied to filter out P2P traffic, and the captured P2P packets are then subjected to known and unknown P2P worm detection; if a P2P worm attack is found, the users in the network are alerted.
Fig. 1 is a schematic diagram of the structure of the P2P worm detection system of the embodiment of the present invention. As shown in Fig. 1, the system comprises:
packet capture module 1, for capturing packets from the network, parsing the structure of the captured packets and obtaining their data information;
P2P data filtering module 2, for filtering out non-P2P data according to the features of P2P protocols to obtain P2P data;
P2P worm feature matching module 3, for matching the P2P data filtered by P2P data filtering module 2 against the feature strings in the P2P worm feature base;
feature string recombination module 4, for recombining P2P packets when P2P worm feature matching module 3 does not match a complete worm feature string in the P2P data;
unknown worm detection module 5, for performing unknown P2P worm detection on the remaining P2P data and, if an anomaly is found, extracting features from the packets and adding the feature string to the P2P worm feature base.
The data information comprises: MAC address, IP address, protocol type and port number.
In addition, when P2P worm feature matching module 3 matches successfully, this indicates that a P2P worm already known in the feature base is propagating in the network, and the system immediately sends a P2P worm attack alert to the user. When P2P worm feature matching module 3 matches the tail or the head of a worm feature string at the head or the tail of the P2P data, the P2P packets are recombined.
Unknown worm detection module 5 is further configured to perform unknown P2P worm detection on the remaining P2P data according to P2P worm detection rules.
In addition, an embodiment of the present invention also provides a P2P worm detection method. As shown in Fig. 2, the method comprises:
S201: the packet capture module captures packets from the network, parses the structure of the captured packets and obtains their data information;
S202: the P2P data filtering module filters out non-P2P data according to the features of P2P protocols to obtain P2P data;
S203: the P2P worm feature matching module matches the P2P data that has passed the P2P data filtering module against the feature strings in the P2P worm feature base;
S204: when the P2P worm feature matching module does not match a complete worm feature string in the P2P data, the feature string recombination module recombines the P2P packets;
S205: the unknown worm detection module performs unknown P2P worm detection on the remaining P2P data and, if an anomaly is found, extracts features from the packets and adds the feature string to the P2P worm feature base.
The data information comprises: MAC address, IP address, protocol type and port number.
In a concrete implementation, S204 comprises: recombining the P2P packets when the P2P worm feature matching module matches the tail or the head of a worm feature string at the head or the tail of the P2P data.
S205 comprises: performing unknown P2P worm detection on the remaining P2P data according to P2P worm detection rules.
In the embodiment of the present invention, the packet capture mechanism is implemented on the Libpcap function library. Libpcap provides many functions for capturing network packets; the main steps are: find an available network interface device, open the network interface device, compile a filter rule, set the filter rule, release the network interface device, capture packets, and so on. Because P2P protocols are transmitted over TCP, P2P data must be encapsulated in TCP packets, so preliminary packet filtering can be done in this module: the filter rule is set to TCP so that only TCP packets are captured, which improves capture efficiency. Every time a packet is captured, a callback function is invoked to carry out the subsequent analysis of the packet, until an error occurs or the user terminates the program. The concrete implementation flow is shown in Fig. 3.
The P2P data filtering module is divided into two parts: first, determining the IP address and port of the P2P application; then, distinguishing control packets from general data packets, so that only general data packets are matched against the feature strings. Taking BT data as the example of packet filtering: from analysis of the BT protocol, during the handshake phase in which a BT client is establishing a connection, the beginning of the packet data carries the feature string "19BitTorrent Protocol". As soon as this feature string is matched, it is concluded that a BT connection is about to be established, and the IP address and port number at that moment are the IP address and port on which BT is transmitting; thereafter every packet sent from that IP address and port number is a BT packet. General data packets are identified by filtering out control packets, of which there are two kinds: keep-alive packets with a data length of 0, and non-communication packets other than keep-alives. For convenience of implementation the structure of a packet must be defined; the packet header consists of an IP header and a TCP header, whose structures are defined as follows.
IP header:
With the structures defined, the filtering of P2P packets can be implemented. First, the global variables source IP address srcaddr, source port number srcport, destination IP address destaddr and destination port destport are defined and initialised to 0. When the feature string "19BitTorrent Protocol" of the BT handshake phase is matched, the source and destination IP addresses and the source and destination ports of that packet are assigned to the corresponding variables, and thereafter all data transmitted between these addresses and ports is treated as BT data. It should be noted that matching the feature string "19BitTorrent Protocol" on its own does not establish that BT data is being transmitted: BT data is carried over TCP, and in TCP a connection is only made once the connection request has been acknowledged by the other side. If one BT client sends a request and the other side does not confirm it, no connection is established; so after the request carrying the feature string "19BitTorrent Protocol" is sent, a corresponding confirmation also carrying the feature string "19BitTorrent Protocol" must be received before the connection counts as established. The sequence number and acknowledgement number in the TCP header are used to set up a reliable connection: only a subsequent packet whose sequence number equals the acknowledgement number of the previous packet is a correct transmission. Therefore a confirmation variable seq is defined and initialised to 0; when the feature string "19BitTorrent Protocol" is first matched, the acknowledgement number of that packet is assigned to seq, and if a later packet carrying the feature string "19BitTorrent Protocol" has a sequence number equal to seq, the two BT clients have really established a connection. Next comes the identification of control packets: keep-alive packets with a data length of 0 and the packets that are not keep-alives. The concrete flow of this module is shown in Fig. 4.
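The handshake-confirmation and control-packet logic of the filtering module, written out as an added example; this is not the patent's code. On the wire the BitTorrent handshake begins with a single byte of value 19 followed by "BitTorrent protocol", which is what the patent writes as "19BitTorrent Protocol"; the byte form is used here. The packets are constructed dictionaries standing in for decoded TCP segments, and the class and field names (BTFlowFilter, src, sport, seq, ack, payload) are this example's own. Treating an empty TCP payload and the 4-byte BitTorrent keep-alive as control packets is an assumption about the patent's two control-packet kinds.

```python
# Added example (not from the patent): confirm a BT handshake the way the
# filtering module does (request, then a reply whose TCP sequence number
# equals the request's acknowledgement number), then classify later segments
# of the confirmed flow as control or general data packets.

# Wire form of the handshake prefix: pstrlen byte 19 + "BitTorrent protocol".
BT_HANDSHAKE = b"\x13BitTorrent protocol"


class BTFlowFilter:
    """Tracks handshake request/confirmation per (src, sport, dst, dport)."""

    def __init__(self):
        self.pending = {}    # flow key -> ack number the reply must carry as seq
        self.bt_flows = set()  # confirmed BT flows, both directions

    @staticmethod
    def _key(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reverse(key):
        return (key[2], key[3], key[0], key[1])

    def classify(self, pkt):
        """Return 'handshake', 'control', 'data' or 'non-p2p' for one segment."""
        key = self._key(pkt)
        payload = pkt["payload"]
        if payload.startswith(BT_HANDSHAKE):
            rev = self._reverse(key)
            if rev in self.pending and pkt["seq"] == self.pending[rev]:
                # Reply carries the expected sequence number: the connection
                # is really established, so both directions become BT flows.
                del self.pending[rev]
                self.bt_flows.add(key)
                self.bt_flows.add(rev)
            else:
                # First handshake seen: remember the ack number (the patent's
                # "seq" confirmation variable) the reply has to match.
                self.pending[key] = pkt["ack"]
            return "handshake"
        if key not in self.bt_flows:
            return "non-p2p"
        # Control packets (assumed): empty payload or the 4-byte keep-alive.
        if len(payload) == 0 or payload == b"\x00\x00\x00\x00":
            return "control"
        return "data"   # only these go on to feature string matching


def sample_packets():
    """Constructed segments: handshake pair, keep-alive, a piece, and HTTP."""
    hs_a = BT_HANDSHAKE + b"\x00" * 8 + b"H" * 20 + b"P" * 20   # 68 bytes
    hs_b = BT_HANDSHAKE + b"\x00" * 8 + b"H" * 20 + b"Q" * 20
    return [
        {"src": "10.0.0.2", "sport": 51000, "dst": "10.0.0.9", "dport": 6881,
         "seq": 1000, "ack": 5000, "payload": hs_a},
        {"src": "10.0.0.9", "sport": 6881, "dst": "10.0.0.2", "dport": 51000,
         "seq": 5000, "ack": 1068, "payload": hs_b},      # seq == previous ack
        {"src": "10.0.0.2", "sport": 51000, "dst": "10.0.0.9", "dport": 6881,
         "seq": 1068, "ack": 5068, "payload": b"\x00\x00\x00\x00"},
        {"src": "10.0.0.9", "sport": 6881, "dst": "10.0.0.2", "dport": 51000,
         "seq": 5068, "ack": 1072, "payload": b"\x00\x00\x00\x0d\x07" + b"\x00" * 12},
        {"src": "10.0.0.2", "sport": 51001, "dst": "93.184.216.34", "dport": 80,
         "seq": 1, "ack": 1, "payload": b"GET / HTTP/1.1\r\n"},
    ]


def run_filter(packets):
    """Classify a packet sequence in order with one shared filter state."""
    flt = BTFlowFilter()
    return [flt.classify(p) for p in packets]


if __name__ == "__main__":
    for pkt, label in zip(sample_packets(), run_filter(sample_packets())):
        print(pkt["src"], "->", pkt["dst"], label)
```

Only packets labelled "data" are handed to the feature matching stage; a handshake request that is never answered with the expected sequence number leaves the flow unconfirmed, so ordinary traffic between the same hosts is not mislabelled as BT.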
The string matching module consists of two main parts: a suffix array sorting algorithm and a binary search algorithm.
The suffix array construction algorithm embodies the doubling idea. First the single characters of the string are compared, giving the 1-suffix array $SA_1$ and the 1-rank array $RANK_1$; then two consecutive characters are compared. Comparing strings means comparing their characters one by one, and since the order of the single characters is already known, the order of two consecutive characters can be derived from $SA_1$ and $RANK_1$, giving $SA_2$ and $RANK_2$; in the same way $SA_4$ and $RANK_4$, $SA_8$ and $RANK_8$, ... are obtained, and finally the suffix array $SA$ and rank array $RANK$ of the whole string. The main steps of the suffix array generation algorithm are:
(1) Compute $SA_1$ and $RANK_1$: sort the suffixes by their first letter with a quicksort to generate the suffix array $SA_1$, and compute the rank array $RANK_1$.
(2) Based on $SA_k$ and $RANK_k$, compare the 2k-prefixes of Suffix(i) and Suffix(j):
2k-Suffix(i) = 2k-Suffix(j) is equivalent to
$Rank_k[SA[i]] = Rank_k[SA[j]]$ and $Rank_k[SA[i+k]] = Rank_k[SA[j+k]]$;
2k-Suffix(i) < 2k-Suffix(j) is equivalent to
$Rank_k[SA[i]] = Rank_k[SA[j]]$ and $Rank_k[SA[i+k]] < Rank_k[SA[j+k]]$, or
$Rank_k[SA[i]] < Rank_k[SA[j]]$.
The suffix array algorithm is a sorting algorithm; string matching additionally requires a binary search algorithm. The program flow chart of the sorting algorithm implemented by the suffix array algorithm is shown in Fig. 5, and the flow chart of the binary search algorithm in Fig. 6.
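The doubling construction and the binary search described above, carried through in code as an added example (not the patent's implementation). Ranks are computed exactly as in step (2): the 2k-prefix of a suffix is compared as the pair of its k-rank and the k-rank of the suffix k positions later, with a suffix too short to have a second half sorting first. The function names build_suffix_array, find_all and match_feature are this example's own.

```python
# Added example (not the patent's code): suffix array by prefix doubling
# (SA_1/RANK_1 -> SA_2/RANK_2 -> SA_4/RANK_4 ...), then binary search of a
# feature string over the sorted suffixes.

def build_suffix_array(s: bytes):
    """Return (SA, RANK) for s.

    SA lists suffix start positions in sorted order; RANK[i] is the rank of
    the suffix starting at i when suffixes are compared on their first k
    bytes. Each round doubles k until every rank is distinct.
    """
    n = len(s)
    # Round k=1: order suffixes by their first byte (SA_1 and RANK_1).
    sa = sorted(range(n), key=lambda i: s[i])
    rank = [0] * n
    for pos in range(1, n):
        rank[sa[pos]] = rank[sa[pos - 1]] + (s[sa[pos]] != s[sa[pos - 1]])
    k = 1
    while k < n and rank[sa[-1]] != n - 1:
        # 2k-prefix of suffix i == (rank_k of i, rank_k of i+k); a suffix
        # shorter than k+1 bytes gets -1 so it sorts before longer ones.
        def key2k(i, rank=rank, k=k):
            return (rank[i], rank[i + k] if i + k < n else -1)
        sa.sort(key=key2k)
        new_rank = [0] * n
        for pos in range(1, n):
            new_rank[sa[pos]] = new_rank[sa[pos - 1]] + (key2k(sa[pos]) != key2k(sa[pos - 1]))
        rank = new_rank
        k *= 2
    return sa, rank


def find_all(s: bytes, pattern: bytes, sa):
    """Binary search SA for every suffix that begins with pattern.

    Because SA is sorted, matching suffixes occupy one contiguous range of
    SA; two searches locate its lower and upper bounds. Returns the match
    positions in increasing order (empty list if the pattern is absent).
    """
    m = len(pattern)
    lo, hi = 0, len(sa)
    while lo < hi:                        # first suffix whose m-prefix >= pattern
        mid = (lo + hi) // 2
        if s[sa[mid]:sa[mid] + m] < pattern:
            lo = mid + 1
        else:
            hi = mid
    start, hi = lo, len(sa)
    while lo < hi:                        # first suffix whose m-prefix > pattern
        mid = (lo + hi) // 2
        if s[sa[mid]:sa[mid] + m] <= pattern:
            lo = mid + 1
        else:
            hi = mid
    return sorted(sa[start:lo])


def match_feature(data: bytes, feature: bytes):
    """All positions in a packet's data at which a worm feature string occurs."""
    sa, _ = build_suffix_array(data)
    return find_all(data, feature, sa)


if __name__ == "__main__":
    text = b"abracadabra"
    print(build_suffix_array(text)[0])     # [10, 7, 0, 3, 5, 8, 1, 4, 6, 9, 2]
    print(match_feature(text, b"abra"))    # [0, 7]
```

Building the array costs O(n log n) per packet and each signature lookup is then O(m log n), which is why the patent pairs the sort with a binary search rather than rescanning the data for every feature string.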
The recombination performed by the feature string recombination module covers two cases: the feature string is split across two consecutive data blocks, or it is split across different packets of the same data block. If the tail of a worm feature string appears at the beginning of a data block, or the head of a worm feature string appears at the end of a data block, the feature string may lie in two different data blocks. If instead the tail of a worm feature string appears at the beginning of a packet in the middle of a data block, or the head of a worm feature string appears at the end of a packet in the middle of a data block, the feature string may lie in different packets of the same data block. The key issue is therefore identifying the first and the last packet of a data block. The start of a data block is identified as follows: if the value in a non-keep-alive packet is 7, it is a new data block, i.e. the beginning of a data block, and this start packet carries the length information of the data block; the packets following the start packet are the consecutive packets of this block, so by adding up the length of each packet, the packet at which the sum equals the length of the data block is the end of the data block. When merging feature strings, the partial feature string found first must be saved; saving the whole packet would both waste space and waste time, because the suffix array matching would have to be repeated. This system uses two storage methods for the two cases above. If the feature string may be split across two consecutive packets, a global character array Array is defined; the feature string matched at the end of a packet is saved in the first bytes of Array, then the feature string matched at the beginning of the next consecutive packet is appended to Array, and if a worm feature string now matches in Array, a worm is being transmitted in the network; otherwise no known worm is present in the network. If the feature string lies in two consecutive data blocks, a structure variable is defined as follows.
If the head or the tail of a data block matches part of a worm feature string, it is stored in the head or end array respectively, and the adjacent data block is then searched to complete the match of the worm feature string. The functional flow chart of the feature string recombination module is shown in Fig. 7.
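The packet-boundary case of the recombination module as an added example, not the patent's code. Instead of keeping whole packets, the matcher keeps, per flow, only the trailing bytes of the previous packet that are a prefix of some signature (the role of the patent's Array buffer) and prepends them to the next packet before matching; keyed by data block instead of by flow, the same carry serves the head/end-array case for adjacent blocks. The signatures, packets, and the names RecombiningMatcher and FEATURE_BASE are constructed for this example.

```python
# Added example (not from the patent): boundary-aware signature matching.
# A naive per-packet matcher misses a feature string split across two
# packets; carrying over the partial prefix found at the end of a packet
# recovers it, as the recombination module describes.

# Constructed signatures standing in for the P2P worm feature base.
FEATURE_BASE = [b"WORM-PAYLOAD-MARK", b"EVIL.EXE"]


class RecombiningMatcher:
    def __init__(self, features):
        self.features = features
        self.carry = {}   # flow key -> partial feature string saved from last packet

    def feed(self, flow, payload):
        """Match one packet of a flow; return the signatures hit (maybe empty)."""
        buf = self.carry.get(flow, b"") + payload
        hits = [f for f in self.features if f in buf]
        # Save only a tail of buf that is a proper prefix of some signature.
        # Keeping the longest such tail suffices: every shorter candidate is a
        # suffix of it, so it is carried along too. A carry is always shorter
        # than the signature, so it can never re-report a completed match.
        keep = b""
        for f in self.features:
            for length in range(min(len(f) - 1, len(buf)), len(keep), -1):
                if buf.endswith(f[:length]):
                    keep = buf[-length:]
                    break
        self.carry[flow] = keep
        return hits


# Constructed packets of one flow: the first signature straddles packets 1-2.
FLOW = ("10.0.0.2", 51000, "10.0.0.9", 6881)
PACKETS = [b"...data...WORM-PAY", b"LOAD-MARK...more", b"nothing here", b"EVIL.EXE"]


def demo_with_recombination():
    m = RecombiningMatcher(FEATURE_BASE)
    return [m.feed(FLOW, p) for p in PACKETS]


def demo_without_recombination():
    """Per-packet matching only: the split signature goes undetected."""
    return [[f for f in FEATURE_BASE if f in p] for p in PACKETS]


if __name__ == "__main__":
    print("with recombination:   ", demo_with_recombination())
    print("without recombination:", demo_without_recombination())
```

The carried tail is bounded by the longest signature minus one byte, so memory per tracked flow stays constant regardless of packet size, which is the saving the patent is after when it rejects storing whole packets.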
P2P worms do not need to scan; they achieve efficient propagation simply by using the peer-to-peer network to send the worm body to a particular port of many P2P nodes. A detection rule follows from these characteristics: if a host sends packets with similar content to many hosts within a short time, using essentially the same protocol and destination port, and most of the destination hosts run P2P applications, that source host is considered to be attempting P2P worm propagation. On the other hand, while detecting P2P worm propagation nodes, the worm's feature must also be obtained and added to the worm feature base, so that in later traffic monitoring the propagation of this now-known worm can be detected directly by feature matching, which improves detection efficiency.
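The propagation rule above, run over constructed flow records as an added example (not the patent's code). The patent states the rule qualitatively, so the window length, the minimum number of distinct targets, the payload similarity measure (difflib's ratio) and the "most destinations run P2P" fraction are all assumptions of this example, as are the names find_propagation_sources, P2P_HOSTS and sample_records.

```python
# Added example (not from the patent): flag a source host that sends
# content-similar packets to many hosts on the same protocol/port within a
# short window, where most targets are known P2P participants.
from collections import defaultdict
from difflib import SequenceMatcher

WINDOW_SECONDS = 10.0     # "short time"                     (assumed)
MIN_TARGETS = 5           # "multiple hosts"                 (assumed)
MIN_SIMILARITY = 0.8      # payload similarity ratio         (assumed)
MIN_P2P_FRACTION = 0.6    # "most destinations run P2P"      (assumed)


def similar(a: bytes, b: bytes) -> bool:
    """Content similarity via difflib's matching-block ratio (2*M/T)."""
    return SequenceMatcher(None, a, b).ratio() >= MIN_SIMILARITY


def find_propagation_sources(records, p2p_hosts):
    """records: (timestamp, src, dst, proto, dport, payload) tuples.

    Returns the set of source hosts that satisfy the detection rule.
    """
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[1]].append(rec)
    flagged = set()
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        for i, first in enumerate(recs):
            # Packets from this source within the window that use the same
            # protocol and destination port and carry similar content.
            group = [r for r in recs[i:]
                     if r[0] - first[0] <= WINDOW_SECONDS
                     and r[3] == first[3] and r[4] == first[4]
                     and similar(first[5], r[5])]
            targets = {r[2] for r in group}
            if len(targets) < MIN_TARGETS:
                continue
            p2p_fraction = sum(t in p2p_hosts for t in targets) / len(targets)
            if p2p_fraction >= MIN_P2P_FRACTION:
                flagged.add(src)
                break
    return flagged


# Constructed set of hosts observed running P2P applications.
P2P_HOSTS = {f"10.0.1.{i}" for i in range(1, 6)} | {"10.0.2.1"}


def sample_records():
    """Constructed traffic: one propagating host, one normal peer, one crawler."""
    recs = []
    worm_body = b"\x00\x00\x00\x40\x07" + b"\x90" * 28
    for i in range(6):   # 10.0.0.5: near-identical body to 6 peers in 5 s
        recs.append((100.0 + i, "10.0.0.5", f"10.0.1.{i + 1}", "TCP", 6881, worm_body + bytes([i])))
    for i in range(6):   # 10.0.0.7: unrelated payloads to the same peers
        body = bytes([(i * 37 + j * 11) % 256 for j in range(34)])
        recs.append((100.0 + i, "10.0.0.7", f"10.0.1.{i + 1}", "TCP", 6881, body))
    for i in range(6):   # 10.0.0.8: identical HTTP requests, targets mostly non-P2P
        recs.append((100.0 + i, "10.0.0.8", f"10.0.2.{i + 1}", "TCP", 80, b"GET / HTTP/1.1\r\n"))
    return recs


if __name__ == "__main__":
    print(find_propagation_sources(sample_records(), P2P_HOSTS))   # {'10.0.0.5'}
```

The three conditions are deliberately conjunctive: the normal peer fails on content similarity and the crawler fails on the P2P fraction, which is how the rule keeps legitimate fan-out traffic out of the alert set.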
Unknown Worm detection module carries out the testing process of unknown P2P worm as shown in Figure 8 to remaining P2P data, and the work that will complete in characteristic extraction procedure comprises three parts: data storage, feature extraction and feature database upgrade.
L () data store: the doubtful data under above-mentioned detection rule stored, use in order to subsequent analysis.
(2) feature extraction: the feature extracting P2P worm, and carry out comprehensive assessment and analysis.Use LCS (Longest Common Substring) algorithm to find out Longest Common Substring from the stream of data content of recombinating, be this unknown P2P worm feature string.
(3) feature database upgrades: the P2P worm feature that (2) step analysis obtains joined in original P2P worm feature database, upgrade feature database.The similarity system design of data and feature extraction algorithm HSG are based on LCSeq algorithm realization.The method that can realize LCSeq is a lot, relatively can be realized by the method building similar matrix two character strings.The basis of feature extraction algorithm is for compare two character strings herein, may relate to the comparison of plural character string in the process, so Lcseq algorithm adopts the method for generalized suffix tree (GST) to realize.LCseq algorithm based on GST is the most effective method asking the common subsequence of two or more son symbol strings.
All suffixes of the N given source strings are built into one tree, which has the following properties:
(1) Each node holds a string; the root is the empty string "".
(2) Every suffix of a source string corresponds to one path from the root; concatenating the node strings along that path yields the suffix.
(3) Every substring is a prefix of some suffix, so following a path down from the root node yields any substring.
(4) To support the common-substring search, each node also records which source strings it belongs to. Searching this GST, in descending order of depth, for the deepest node that belongs to all source strings, and concatenating the node strings on the path from the root to that node, yields the common substring.
The LCSeq implementation comprises building the GST and searching the GST for the longest common substring. The main steps are:
(1) Define the node of the generalized suffix tree.
(2) Build the generalized suffix tree from the set of strings being compared. The listing below is the page's skeleton completed into compilable Java form; SuffixTreeNode, its insert method and the parameter ht are used as in the original listing and are not defined on the page:
    public static SuffixTreeNode buildSuffixTree(String[] ss) {
        SuffixTreeNode suffixTree = new SuffixTreeNode(-1, "", 0, ht);   /* root node */
        for (int index = 0; index < ss.length; index++) {                /* each string being compared */
            String str = ss[index];
            for (int i = 0; i < str.length(); i++) {                     /* each suffix of this string */
                suffixTree.insert(index, str.substring(i), 0, ht);       /* insert the suffix node */
            }
        }
        return suffixTree;
    }
(3) Search for the longest common substring. Traverse the generated suffix tree depth-first and, in descending order of depth, collect the nodes belonging to every source string; the deepest such node gives the longest common substring.
    static String findLCSSubstring(SuffixTreeNode suffixtree, int count) {
        ……………………………………………………
    }
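The tree properties (1) to (4) and steps (2) and (3) of the feature extraction, as an added example that is not the patent's code: a generalized suffix trie (uncompressed, so every edge carries one byte; that simplification is an assumption of this example) in which each node records the set of source strings whose suffix passes through it, a depth-first search for the deepest node subordinate to all sources, and the feature database update of step (3). The sample payloads and the minimum feature length are constructed.

```python
class Node:
    """Generalized suffix trie node: one child per byte, plus the indices of the source strings reaching it."""
    __slots__ = ("children", "sources")

    def __init__(self):
        self.children = {}
        self.sources = set()


def build_gst(strings):
    """Insert every suffix of every source string; each node records which sources pass through it."""
    root = Node()
    for index, s in enumerate(strings):
        root.sources.add(index)          # the root (empty string) belongs to every source
        for start in range(len(s)):      # every suffix of s
            node = root
            for byte in s[start:]:
                node = node.children.setdefault(byte, Node())
                node.sources.add(index)
    return root


def longest_common_substring(strings, min_len=1):
    """Depth-first search for the deepest node that belongs to all sources;
    the bytes on the path from the root spell the longest common substring."""
    if not strings:
        return b""
    root = build_gst(strings)
    want = set(range(len(strings)))
    best = b""
    stack = [(root, b"")]
    while stack:
        node, path = stack.pop()
        if not want <= node.sources:
            continue  # prune: a node missing some source cannot lead to a common substring
        if len(path) > len(best):
            best = path
        for byte, child in node.children.items():
            stack.append((child, path + bytes([byte])))
    return best if len(best) >= min_len else b""


def extract_and_update(feature_db, suspicious_payloads, min_len=8):
    """Steps (2) and (3): derive the feature string of the suspicious payloads and add it to the database."""
    feature = longest_common_substring(suspicious_payloads, min_len)
    if feature:
        feature_db.add(feature)
    return feature


# Constructed payloads of one suspicious flow set, after stream reassembly; not real worm data.
SAMPLE_PAYLOADS = [
    b"\x01\x02WORMXYZ-dropper\x07junk",
    b"zz\x02WORMXYZ-dropper\x08",
    b"\x02WORMXYZ-dropper yy",
]

if __name__ == "__main__":
    db = set()
    print(extract_and_update(db, SAMPLE_PAYLOADS), db)
```

Two caveats a practitioner would want. First, a trie of all suffixes has a node count quadratic in the total input length; a production extractor would use a compact suffix tree built by Ukkonen's algorithm or a suffix array, which give the same answer with linear space. Second, the longest common substring of a small sample is often protocol boilerplate (a P2P handshake or message header) rather than worm content, so a candidate feature should be checked against a corpus of benign P2P traffic before it is committed to the feature database, otherwise the signature path inherits false positives.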
In the embodiments of the present invention, packets are captured from the network by the packet capture mechanism, P2P traffic is filtered out using characteristic features of P2P protocols, and the captured P2P packets are checked for both known and unknown P2P worms. Combining misuse detection with anomaly detection reduces both the false negative and the false positive rate and raises the overall detection rate and accuracy. In addition, the features of unknown worms are extracted automatically and the feature database is updated promptly, which keeps the features current and compensates for the weakness of pure feature (signature) detection.
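The known-worm path of the pipeline summarised above, as an added example that is not the patent's code: feature strings are matched against P2P packets, and, following the rule of claims 3 and 7 below, a packet whose tail matches the head of a feature string is held so that it can be reassembled with the next packet of the same flow when that packet's head matches the tail of the feature string. The feature strings, packets and the hold-one-packet reassembly policy are constructed assumptions of this example.

```python
# Constructed worm feature strings; not real signatures.
FEATURE_DB = [b"\x02WORMXYZ-dropper", b"EXEC:payload.bin"]


def match_feature(data: bytes, sig: bytes, min_partial: int = 1) -> set:
    """How one packet's data relates to a feature string:
    'full'  - sig is contained in data;
    'tail'  - a proper prefix of sig (>= min_partial bytes) ends data, so sig may continue in the next packet;
    'head'  - a proper suffix of sig (>= min_partial bytes) starts data, so sig may have begun earlier."""
    rel = set()
    if sig in data:
        rel.add("full")
    if any(data.endswith(sig[:k]) for k in range(min_partial, len(sig))):
        rel.add("tail")
    if any(data.startswith(sig[-k:]) for k in range(min_partial, len(sig))):
        rel.add("head")
    return rel


def scan_stream(packets, feature_db, min_partial: int = 1):
    """packets: (flow_key, payload) in arrival order, one direction of one P2P flow per key.
    Returns (flow_key, sig, how) detections, where how is 'direct' or 'reassembled'."""
    held = {}   # flow_key -> previous packet kept because its tail matched a feature prefix
    hits = []
    for flow, payload in packets:
        prev = held.pop(flow, None)
        keep = False
        for sig in feature_db:
            rel = match_feature(payload, sig, min_partial)
            if "full" in rel:
                hits.append((flow, sig, "direct"))
            elif "head" in rel and prev is not None:
                # Claims 3/7: partial match at the packet head -> reassemble with the held packet and re-match.
                joined = prev + payload
                if sig in joined and sig not in prev:
                    hits.append((flow, sig, "reassembled"))
            if "tail" in rel:
                keep = True   # feature may straddle this packet and the next one on the flow
        if keep:
            held[flow] = payload
    return hits


# Constructed packet sequence: flow A carries a feature split across two packets, flow B a whole one,
# flow D a coincidental two-byte prefix that must not produce a detection, flow C benign data.
SAMPLE_PACKETS = [
    ("A", b"hello \x02WORMXYZ-dro"),
    ("B", b"GET /x EXEC:payload.bin\r\n"),
    ("D", b"data ends with \x02W"),
    ("A", b"pper and more"),
    ("D", b"ORM not the worm"),
    ("C", b"normal chunk"),
    ("C", b"normal chunk 2"),
]

if __name__ == "__main__":
    for hit in scan_stream(SAMPLE_PACKETS, FEATURE_DB):
        print(hit)
```

With min_partial left at 1, a packet that merely ends with the first byte of some feature string is held, which costs memory on a busy sensor; raising min_partial trades that cost against missing a feature that is split one byte from its start. The held buffer should also be bounded per flow and expired with the flow, since an attacker who knows the policy can otherwise keep many flows in the held state.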
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments can be carried out by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, which may include read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The P2P worm detection system and method provided by the embodiments of the present invention have been described in detail above. Specific examples have been used to explain the principle and implementation of the invention, and the description of the embodiments is only intended to help the reader understand the method of the invention and its core idea. At the same time, those of ordinary skill in the art will, following the idea of the invention, make changes in specific implementations and scope of application. In summary, the content of this description should not be construed as limiting the invention.
Claims (8)
1. A P2P worm detection system, characterized in that the system comprises:
a packet capture module, for capturing packets from the network, analysing the structure of the captured packets and obtaining data information;
a P2P data filtering module, for filtering out non-P2P data according to the features of P2P protocols to obtain P2P data;
a P2P worm feature matching module, for matching the P2P data filtered by the P2P data filtering module against the feature strings in the P2P worm feature database;
a feature string recombination module, for reassembling P2P packets when the P2P worm feature matching module does not match a complete worm feature string in the P2P data;
an unknown worm detection module, for performing unknown P2P worm detection on the remaining P2P data and, if an anomaly is found, extracting a feature from the packets and adding the feature string to the P2P worm feature database.
2. The P2P worm detection system of claim 1, characterized in that the data information comprises: MAC address, IP address, protocol type and port number.
3. The P2P worm detection system of claim 1, characterized in that the feature string recombination module is further configured to reassemble P2P packets when the P2P worm feature matching module matches the tail or the head of a worm feature string at the head or the tail of the P2P data.
4. The P2P worm detection system of claim 1, characterized in that the unknown worm detection module is further configured to perform unknown P2P worm detection on the remaining P2P data according to P2P worm detection rules.
5. A P2P worm detection method, characterized in that the method comprises:
a packet capture module captures packets from the network, analyses the structure of the captured packets and obtains data information;
a P2P data filtering module filters out non-P2P data according to the features of P2P protocols to obtain P2P data;
a P2P worm feature matching module matches the P2P data filtered by the P2P data filtering module against the feature strings in the P2P worm feature database;
when the P2P worm feature matching module does not match a complete worm feature string in the P2P data, a feature string recombination module reassembles the P2P packets;
an unknown worm detection module performs unknown P2P worm detection on the remaining P2P data and, if an anomaly is found, extracts a feature from the packets and adds the feature string to the P2P worm feature database.
6. The P2P worm detection method of claim 5, characterized in that the data information comprises: MAC address, IP address, protocol type and port number.
7. The P2P worm detection method of claim 5, characterized in that the step of the feature string recombination module reassembling the P2P packets when the P2P worm feature matching module does not match a complete worm feature string in the P2P data comprises: reassembling the P2P packets when the P2P worm feature matching module matches the tail or the head of a worm feature string at the head or the tail of the P2P data.
8. The P2P worm detection method of claim 5, characterized in that the step of the unknown worm detection module performing unknown P2P worm detection on the remaining P2P data comprises: performing unknown P2P worm detection on the remaining P2P data according to P2P worm detection rules.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410798351.1A CN104468601A (en) | 2014-12-17 | 2014-12-17 | P2P worm detecting system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104468601A true CN104468601A (en) | 2015-03-25 |
Family
ID=52913973
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410798351.1A Pending CN104468601A (en) | 2014-12-17 | 2014-12-17 | P2P worm detecting system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104468601A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102387151A (en) * | 2011-11-01 | 2012-03-21 | 天津大学 | Block-based virus detection method in P2P (peer-to-peer) network |
WO2012103846A2 (en) * | 2012-04-05 | 2012-08-09 | 华为技术有限公司 | Network security processing method, system, and network card |
Non-Patent Citations (1)
Title |
---|
艾松玲 (Ai Songling): 《基于网络的P2P蠕虫检测系统的研究与实现》 (Research and Implementation of a Network-based P2P Worm Detection System), 万方数据企业知识服务平台 (Wanfang Data enterprise knowledge service platform) * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105450640A (en) * | 2015-11-12 | 2016-03-30 | 国家电网公司 | Electronic evidence collection method |
CN106302436A (en) * | 2016-08-11 | 2017-01-04 | 广州华多网络科技有限公司 | The method that independently finds, device and the equipment of a kind of attack message characteristics |
CN106302436B (en) * | 2016-08-11 | 2019-11-19 | 广州华多网络科技有限公司 | A kind of autonomous discovery method, apparatus and equipment of attack message characteristics |
CN110191126A (en) * | 2019-05-30 | 2019-08-30 | 重庆理工大学 | A kind of nonlinear kinetics P2P Network Worm Propagation prediction technique |
Legal Events
Date | Code | Title | Description
---|---|---|---
| C06 | Publication |
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20150325