CN1997017A - A network worm detection method and its system - Google Patents

A network worm detection method and its system

Info

Publication number
CN1997017A
Authority
CN
China
Prior art keywords
worm
network
host
entropy
destination address
Prior art date
Legal status
Granted
Application number
CN 200610155323
Other languages
Chinese (zh)
Other versions
CN100531219C (en)
Inventor
董亚波
魏蔚
汪伟
Current Assignee
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date
Filing date
Publication date
Application filed by Zhejiang University ZJU
Priority to CNB2006101553233A (granted as CN100531219C)
Publication of CN1997017A
Application granted
Publication of CN100531219C
Legal status: Expired - Fee Related
Anticipated expiration

Abstract

This invention discloses a network worm detection method comprising the following steps: recording the number of connections a monitored host initiates to each destination address and computing a key value for the host from the distribution of those connections over destination addresses; presetting a network worm alarm threshold and a response threshold and comparing the key value with them: if the value lies above the alarm threshold and at or below the response threshold, the host is regarded as a suspect host and an alarm is raised; if it exceeds the response threshold, the response mechanism is triggered; otherwise detection continues, waiting for the host's next connection and comparing again.

Description

Network worm detection method and system
Technical field
The present invention relates to the field of computer security technology, and in particular to a network worm detection system and method.
Background art
A network worm is a program that can run independently: by scanning the network it finds computer systems that have vulnerabilities, takes control of them, and propagates. Worm propagation can leak information, consume the resources of computer systems and congest the network. Because of these harms, network worms have become a major factor affecting network security today.
Analysing the working process and behavioural characteristics of worms shows that the key to preventing a worm outbreak is to discover the worm early and take corresponding measures on the infected computer systems, such as removing the virus files or isolating the systems. Worm detection is therefore the first step in preventing worm propagation, and research on worm detection techniques has become a pressing need for securing the network environment and safeguarding the interests of society and individuals.
At present, network worm detection is still mainly traditional signature-based detection: a captured worm sample is first analysed to obtain the worm's signature, the signature database of the detection software is updated, and the worm detection program then matches these new signatures against network traffic or host files to detect the worm. The drawback of this method is that when a new worm appears, some time must pass before the signature database is updated, so newly emerging worms and worm variants cannot be discovered in time.
The main direction of current worm detection research is to detect worm outbreaks by analysing the network anomalies caused during worm propagation. Common methods include accumulating the number of connections and judging whether the accumulated value exceeds a set threshold, and detecting worms through statistics on abnormal ICMP messages. These earlier methods, however, use only connection-count features as the detection indicator, do not touch on the key characteristics of worms, lack a model of worm propagation, and use a simple detection strategy, which leads to high false-positive and false-negative rates.
The invention patent application with application number 03149742.X discloses an intrusion detection method in which the intrusion detection system detects each event accessing the protected network or host according to detection rules, obtains the intrusion detection rule used to detect the current event, determines the vulnerability being attacked from a preset correspondence between intrusion detection rules and vulnerabilities, checks whether the protected network or host has the determined vulnerability, and assesses the risk of the intrusion event.
The invention patent application with application number 03137094.2 discloses a hierarchical intrusion detection system based on correlated feature clustering; the key innovation is the correlated feature analysis established when the event analysis module initialises the data stream, which forms a new hierarchical intrusion detection system.
The invention patent application with application number 200310106551.8 discloses a layered, cooperative method for recognising network viruses and malicious code. The scheme judges the risk factor of a script under test by statistically analysing keyword frequencies, analyses abnormal behaviour in the paths of registry entries being written from the viewpoint of "self-collection" of registry operations, and achieves monitoring and management of abnormal network-virus and malicious-code behaviour within a single system and across a whole subnet.
The invention patent application with application number 200410070933.4 discloses a system and method for preventing worm viruses from spreading across a network, comprising: a security distribution server, which configures worm-virus signatures and sends them to a security authentication server; a terminal agent module, which collects terminal information corresponding to the worm-virus signatures and sends it to the security authentication server; the security authentication server, which authenticates the terminal information against the worm-virus signatures and sends a "terminal authentication passed" or "terminal authentication failed" message to the network access device; and a network access server, which opens or closes the terminal's access rights according to that message.
The invention patent application with application number 200510086681.9 discloses a high-speed packet detection method based on a stateful packet-filtering engine: a high-speed packet detection component built on the stateful packet-filtering engine is deployed on a router in the network, inspects packets arriving at the router at high speed, and identifies packets containing the malicious code (worms, viruses) listed in a rule base. The module uses a fast lookup table and a prefix register file to hold substring matching state, and the hardware searches the filter and the prefix register file in parallel to achieve high-speed packet inspection.
The invention patent application with application number 03817429.4 discloses a method and apparatus for automatically determining the potential worm-like behaviour of a program: the data-processing-system resources the program requires are analysed; if the resource requirements do not indicate worm-like features, the program is run in a controlled non-network environment while its accesses to system resources are monitored and logged, so as to determine its behaviour in that environment. The logged record of the observed behaviour is analysed to determine whether it indicates that the program has worm-like features. The non-network environment may simulate a network to the program, but does not operate a real one.
The above schemes are still essentially rule-based detection methods. They depend on the precision and density of preset detection rules, and the rules are only ever updated after an intrusion event has occurred, so they have a very high miss rate for newly emerging attacks.
The invention patent application with application number 03131057.5 discloses a method for detecting worm viruses and slowing their propagation: a virus checker placed in the network detects the number of connections between any networked computer and other networked computers, sets a threshold limiting that number, forcibly drops connections that exceed the threshold, and sends an alert to the intrusion detection system (IDS).
This scheme decides whether a worm is present by judging whether the number of connections exceeds a threshold, which produces high false-positive and false-negative rates, mainly because the detection indicator is too simple and cannot clearly bring out the high failure rate that characterises worm connections. In addition, the method requires a virus checker to be installed on every computer in the network to monitor the connections that computer initiates to others, which increases cost and makes practical deployment difficult.
The invention patent application with application number 03137444.1 discloses a data fusion mechanism for a large-scale distributed intrusion detection system: in a large-scale high-speed network the intrusion detection system adopts a layered distributed structure, deploying multiple intrusion detection systems and other security components such as firewalls across the large network; these components work together, and by fusing alarms they produce alarms for the large-scale environment while improving the detection rate of each individual intrusion detection system.
The invention patent application with application number 03116970.8 discloses a high-performance network intrusion detection system and detection method, in which the detection system is formed by a repeater, at least one switch and several detection engines connected by information transmission lines, with a separation system installed in the repeater. The system and method distribute the data and thereby improve detection performance.
The invention patent application with application number 200410009089.4 discloses an early-warning method for Internet worm viruses, in which worm detection information is shared among the systems of multiple nodes so as to achieve early warning and rapid blocking of worm propagation.
The invention patent application with application number 200510012126.1 discloses a P2P worm defence system: peer hosts install and run peer-to-peer interaction software that includes a peer interaction program, multi-node cooperative fast file-transfer software and virus-scanning software, forming a P2P network worm defence network; the system performs security scanning and virus monitoring on the local host, achieves efficient information sharing within the self-organising P2P defence network, issues early-warning information quickly when a worm virus is found, and, through the multi-node cooperative data transfer mechanism, lets a peer host obtain patch files quickly when it is under worm-virus attack.
These schemes address distributed detection, but they propose no improvement to the intrusion detection technique itself and do little to improve the accuracy of individual intrusion detection.
The invention patent application with application number 200510110267.7 discloses a method for detecting and monitoring bursty abnormal network traffic: worm attacks and DDoS (distributed denial of service) attacks are simulated on the NS-2 network simulation platform, NetFlow network traffic information is collected and analysed with the network traffic analysis protocol, the behavioural characteristics of the anomaly source are judged, and control measures are finally taken to interrupt the attack. This scheme uses hidden Markov chains, and its computational load is excessive.
Jaeyeon Jung et al. proposed the TRW detection technique, which detects scanning by sequential hypothesis testing (Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan. Fast portscan detection using sequential hypothesis testing. In Proceedings of the IEEE Symposium on Security and Privacy, 2004). During worm propagation the connections initiated by a worm host often fail, whereas connections initiated by a normal host are more likely to be established successfully. The technique tracks the state of every connection of every host in the monitored network and uses sequential hypothesis testing to compare the number of failed connections with the number of successful ones; if failed connections outnumber successful ones by more than a specified margin, the host is judged anomalous. In essence, the technique decides whether a host is anomalous by comparing its failed and successful connection counts. Within a given period, however, a normal host may also produce many failed connections, so the technique can yield a high false-positive rate.
When a random-scanning network worm propagates, it sends a large number of scan packets to random addresses to determine whether the host at each address is up and whether it can be infected. On the Internet, however, the probability that a normal client connects to a large number of hosts within a period of time is very low. The destination addresses of the connections initiated by a worm-infected host are therefore relatively dispersed, so in the distribution of connection destination addresses there is a clear difference between the scanning behaviour of a network worm and the network access behaviour of a normal host, and this feature can serve as the basis for detecting random-scanning worms.
To propagate across the whole Internet, a random-scanning worm must scan the entire IP address space, so a worm host inside an intranet will inevitably also initiate scans towards networks outside the enterprise. On this principle, deploying the worm detection machine at the exit of the intranet is sufficient to detect whether a network worm exists inside it.
Summary of the invention
The present invention provides a network worm detection method that overcomes the inability of existing network worm detection techniques to detect unknown worms and worm-virus variants accurately and efficiently, and their high false-positive and false-negative rates; it can detect unknown worms and worm-virus variants accurately and efficiently.
The network worm detection method records the number of connections a monitored host initiates to each destination address and, from the distribution of the initiated connections over destination hosts, calculates the destination address entropy of the host. A network worm alarm threshold and a response threshold are preset, and the calculated entropy is compared with them: if the entropy is greater than the alarm threshold and less than or equal to the response threshold, the host is regarded as a suspect host and an alarm is raised; if the entropy is greater than the response threshold, the response mechanism is triggered; if the entropy is less than or equal to the alarm threshold, detection continues, waiting for the host's next connection, after which the entropy is recalculated and compared again.
The detection process of the method comprises the following steps:
a) Set the parameters, including the network worm alarm threshold and response threshold, the periodic clearing interval, and the number of entries in the destination address classification table of each individual host;
b) From the real-time packets captured on the network, obtain the source address Src and destination address Dst of a connection;
c) Check whether Src is in the worm host address list. If it is, the host has already been found to be infected; do not process it further and go to b). If it is not, go to d);
d) Check whether Src is in the detected host address list SList. If it is not, allocate a fixed-size destination address list DList[Src] for this source address, initialise it, add Src to SList and make the new entry point to DList[Src]. If it is, go to e);
e) Compute the hash value of the destination address Dst and denote it i;
f) Using the hash value computed for Dst, increment the corresponding entry of the destination address list, i.e. DList[Src][i] = DList[Src][i] + 1, and increment the total destination address count, i.e. N = N + 1;
g) Compute the entropy of source host Src at this moment and evaluate it: if the entropy is greater than the set network worm alarm threshold and less than or equal to the response threshold, produce an alarm record; if it is greater than the response threshold, trigger the response mechanism. If the stop flag is true, end the detection process; otherwise, if the periodic clearing interval has expired, clear the destination address list of every host in the detected host address list. Finally go to b) and examine the next connection.
The destination address entropy e of a host is computed as:
$$
e = -\sum_{i=1}^{K} \begin{cases} p_i \log p_i & p_i \neq 0 \\ 0 & p_i = 0 \end{cases}
\;=\; \log N - \frac{1}{N}\sum_{i=1}^{K} \begin{cases} n_i \log n_i & n_i \neq 0 \\ 0 & n_i = 0 \end{cases}
\;=\; \log N - \frac{1}{N} M
$$
where M is the intermediate quantity used for iteration;
$n_i$ is the value of the i-th entry of the destination address classification table, i.e. the number of connections whose destination address has hash value i;
K is the total number of entries in the destination address classification table, a fixed value;
N is the sum of the connection counts over all entries of the classification table, i.e. the total number of destination addresses counted before the time sliding window expires: $N = \sum_{i=1}^{K} n_i$;
$p_i = n_i / N$ is the proportion of the total connection count held by entry i of the table.
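Substituting $p_i = n_i/N$ into the first form of the entropy gives the second form; the following derivation is added here for clarity and is not part of the patent text, which states only the result:
$$
e = -\sum_{i:\,n_i \neq 0} \frac{n_i}{N}\log\frac{n_i}{N}
  = -\frac{1}{N}\sum_{i:\,n_i \neq 0} n_i \log n_i + \frac{\log N}{N}\sum_{i=1}^{K} n_i
  = \log N - \frac{M}{N}
$$
using $\sum_{i=1}^{K} n_i = N$. Only $M$ and $N$ change when a connection is counted, so once $M$ is maintained incrementally the entropy of a host can be refreshed after every connection without rescanning all $K$ table entries.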
The formula above describes, within one time interval, the distribution of destination addresses over all connections whose source address is a given host. If the calculated entropy is greater than the network worm alarm threshold and less than or equal to the response threshold, the host is regarded as a suspect host and an alarm is raised; if the entropy is greater than the response threshold, the response mechanism is triggered.
The intermediate quantity M used for iteration is computed from the monitored host's connection counts to each destination host, either at the first calculation after the time window expires and the counts are cleared, or at the first calculation when the algorithm starts, by:
$$
M = \sum_{i=1}^{K} \begin{cases} n_i \log n_i & n_i \neq 0 \\ 0 & n_i = 0 \end{cases}
$$
During iteration, the intermediate quantity M' obtained after new connection data arrive and the destination address classification table is updated is derived from M by:
$$
M' = M - n_j \log n_j + (n_j + 1)\log(n_j + 1)
$$
where K is the total number of entries in the destination address classification table, a fixed value;
$n_i$ is the value of entry i of the classification table, i.e. the number of destination addresses with hash value i;
$n_j$ is the value of entry j of the classification table, i.e. the number of destination addresses with hash value j, where j is the hash value of the destination address of the connection that was added between the computation of M and the computation of M'.
The present invention also provides a system that uses the above detection method.
The system consists of a detection machine and the single-machine worm detection program running on it. The detection machine is connected to the mirror port of the network egress switch or router and monitors the network packets at the network exit; it runs the worm detection program and executes the local detection strategy: it captures packets from the network, calculates each host's destination address entropy from the distribution of that host's connections over destination hosts, judges whether a worm-infected host exists, and generates alarm records or triggers the response mechanism. The worm detection program consists of a network worm detection module, a network traffic analysis module, a network traffic acquisition module, and a configuration and alarm display interface module. The traffic analysis module obtains traffic from the acquisition module, analyses it to obtain connection information, and sends that information to the network worm detection module for detection; the configuration and alarm display interface module communicates with the detection module and the traffic analysis module, mainly to configure module parameters and to display alarm information.
The key data structures of the network worm detection module are the worm host list, the detected host address list, and the destination address lists.
Beneficial effects of the present invention: during a worm outbreak an infected host connects to a large number of hosts in a short time, so the connections it initiates within a time interval have a distribution different from that of normal connections. Targeting this characteristic, the invention uses the distribution of destination addresses as the statistical indicator: worms are detected by an entropy measure of the distribution of connection destination addresses, and comparing this value with the set thresholds decides whether the source of the connections is a normal host or a worm.
To reduce both false positives and false negatives, two-level thresholds are used. The first level is the alarm threshold, set lower, which reduces the miss rate by reporting as many suspicious connections as possible; the second level is the response threshold, set higher, which reduces the false-alarm rate so that stricter response measures are taken only for the few most suspicious connections; for suspicious connections between the two thresholds the response is lenient, mainly an alarm message that administrators accept or reject externally. The worm detection method of the invention does not simply count connections within a period: it considers not only the current worm behaviour but also the influence of historical state on the current detection, which improves detection efficiency and precision. It examines the general course of a network worm attack and targets the continuous, random scanning behaviour common to worm propagation, so it can detect unknown network worms more comprehensively; with the invention, worm hosts are identified accurately and fewer false-alarm records are produced.
The invention takes the destination address distribution within a time window as the basis for judging worm behaviour and, weighing accuracy against efficiency, adopts the information entropy formula as the decision algorithm for network worm detection. Worm detection must consider the history of a host's behaviour, i.e. judge whether it is a worm or a normal host from a series of its actions. Using information entropy as the decision algorithm ensures that historical data is fully taken into account, making the result more accurate; it also has a mature theoretical basis and simple computation, which guarantees good real-time performance.
Description of drawings
Fig. 1 is the control flow diagram of the detection method of the present invention;
Fig. 2 is a schematic diagram of the deployment architecture of the detection system of the present invention;
Fig. 3 is the internal block diagram of the detection system of the present invention;
Fig. 4 is the internal processing flow chart of the network worm detection module in the detection system of the present invention.
Embodiment
As shown in Fig. 1, the network worm detection method records the number of connections a monitored host initiates to each destination address and, from the distribution of the initiated connections over destination hosts, calculates the destination address entropy of the host. A network worm alarm threshold and a response threshold are preset, and the calculated entropy is compared with them: if the entropy is greater than the alarm threshold and less than or equal to the response threshold, the host is regarded as a suspect host and an alarm is raised; if the entropy is greater than the response threshold, the response mechanism is triggered; if the entropy is less than or equal to the alarm threshold, detection continues, waiting for the host's next connection, after which the entropy is recalculated and compared again.
The specific steps are as follows:
a) Set the parameters, including the network worm alarm threshold and response threshold, the periodic clearing interval, and the number of entries in the destination address classification table of each individual host;
b) From the real-time packets captured on the network, obtain the source address Src and destination address Dst of a connection;
c) Check whether Src is in the worm host address list. If it is, the host has already been found to be infected; do not process it further and go to b). If it is not, go to d);
d) Check whether Src is in the detected host address list SList. If it is not, allocate a fixed-size destination address list DList[Src] for this source address, initialise it, add Src to SList and make the new entry point to DList[Src]. If it is, go to e);
e) Compute the hash value of the destination address Dst and denote it i;
f) Using the hash value computed for Dst, increment the corresponding entry of the destination address list, i.e. DList[Src][i] = DList[Src][i] + 1, and increment the total destination address count, i.e. N = N + 1;
g) Compute the entropy of source host Src at this moment and evaluate it: if the entropy is greater than the set network worm alarm threshold and less than or equal to the response threshold, produce an alarm record; if it is greater than the response threshold, trigger the response mechanism. If the stop flag is true, end the detection process; otherwise, if the periodic clearing interval has expired, clear the destination address list of every host in the detected host address list. Finally go to b) and examine the next connection.
As shown in Figure 2, adopt the worm unit detection system of above-mentioned detection method, by machines and on worm test side program constitute, machines is installed a network interface card, the mirror port that connects network egress switch or router, be used to monitor the network packet of network exit, and operation worm trace routine, carry out the local strategy that detects, from network, catch packet, initiate the distribution of number of connection in destination host, calculate the destination address entropy of this main frame according to main frame in the network, judge whether to exist the main frame that infects worm, generate alarm logging or triggered response mechanism.
As shown in Figure 3, unit worm trace routine is made of network worm detection module, network traffics analysis module, network traffics acquisition module and configuration and alarm indication interface module, the network traffics analysis module is by the packet on the network interface monitoring network, carry out packet reorganization, overtime detection, data analysis, therefrom extract TCP and connect state, the flow information of communicating by letter with UDP, and real-time update, what pass to the worm detection module is the link information of preserving with certain format.
As shown in Figure 4, the key data structure of network worm detection module comprises worm Host List, the tabulation of detected host address, destination address tabulation.The network worm detection module utilizes the comentropy detection algorithm that the link information that the network traffics analysis module produces is analyzed, and judges whether have network worm in the in-house network, if existence then by warning interface display warning message or take responsive measures.Configuration is carried out communication with the alarm indication interface module with network worm detection module and network traffics analysis module, can be configured worm detection module and flow analysis module, all kinds of parameters that worm detects are set, and the traffic filtering condition of target flow analysis module is to detect targetedly.
Based on analysis of historical data, the network worm alarm threshold and response threshold in the detection system of the present invention are set to 1.0 and 2.0 respectively; taking the average duration of a network connection into account, the periodic clearing interval is set to 10 seconds.
Consider how the single-node worm detection program examines the connections initiated by a given host. A list of 4K entries is first allocated to hold the destination address classification table of that host. When a connection whose source address is this host is examined, the hash value of the connection's destination address is first computed with the hash function and denoted i; the list entry corresponding to that hash value is then incremented by 1; the destination address entropy of the host is calculated with the entropy formula and compared with the preset entropy thresholds, and the corresponding action is taken according to the result. When the elapsed time reaches the preset 10-second interval, all destination host hash list entries of all source hosts are cleared and the next round of calculation begins.
To verify the performance of the worm detection technique studied in the present invention, network traffic data were collected at the egress of a dormitory building on a campus network. Because the TRW algorithm is also based on connection information, worm detection was carried out below with the technique of this patent and with the TRW detection technique, the detection results were analysed, and the alarm efficiency (effective alarm records / total records) under the different techniques is given.
The detection techniques compared with the present invention comprise:
1. Detection technique one: the TRW algorithm of prior-art reference 7, with P_D=0.99, P_F=0.01, θ1=0.15, θ0=0.8;
2. The technique of the present invention, tested separately with each of its two thresholds: response threshold entropy_1=2.0, alarm threshold entropy_2=1.0, a destination address classification table of fixed size K=4096 per host, and an update interval of 10 seconds.
The test results are shown in Table 1 (alarm efficiency = effective alarm records / total records):

Table 1  Comparison of worm detection results

                          Total    Effective   False alarm records                                   Alarm
                          records  alarms      P2P sharing  Replies to attacks  Games/BitComet  Other  efficiency
Response threshold          50       43             5               1                 0           1     86.0%
Alarm threshold             87       46            18               3                 1          19     52.9%
Detection technique one     93       46            16              13                 4          14     49.5%
The experimental results show that, under both threshold settings, the worm detection method of the present invention produces fewer false alarm records than TRW. By using two-level thresholds, the alarm threshold detects abnormal behaviour in the traffic as comprehensively as possible, effectively reducing the false negative rate of the alarms, and manual judgement then reduces the false positive rate; the response threshold, set on the basis of the alarm threshold, can effectively avoid a high false negative rate while obtaining a lower false positive rate. Although it is difficult for a worm to evade detection by the TRW algorithm of detection technique one, its detection efficiency is only 49.5%, and with so many false alarms it has little practical value.
The worm detection system of the present invention only needs to be deployed at the egress of the intranet to detect worms across the whole internal network, which saves resources and the cost of product upgrades and maintenance.

Claims (4)

1. A network worm detection method, characterised in that: the number of connections initiated by a monitored host to each destination address is recorded, and the destination address entropy of the host is calculated from the distribution of the initiated connections over destination hosts; a network worm alarm threshold and a response threshold are set in advance, and the calculated entropy is compared with the preset thresholds: if the entropy is greater than the network worm alarm threshold and less than or equal to the response threshold, the host is regarded as a suspicious host and an alarm is given; if the entropy is greater than the response threshold, the response mechanism is triggered; if the entropy is less than or equal to the worm alarm threshold, detection continues, waiting for the host's next connection to be initiated, whereupon the entropy is recomputed and compared again.
2. The network worm detection method of claim 1, characterised in that the network worm detection process specifically comprises the following steps:
a) Set the parameters, comprising the network worm alarm threshold and response threshold, the periodic clearing interval, and the number of entries in the destination address classification table of a single host;
b) Obtain the source address and destination address of a connection from the real-time packets collected from the network;
c) Check whether the source address is in the worm host address list; if it is, the host at that address is already known to be infected with a worm, so no further processing is done and the process returns to b); if not, proceed to d);
d) Check whether the source address is in the detected host address list; if not, allocate a fixed-size destination address list for this source address and initialise it, add the source address to the detected host address list, and make the added entry point to the destination address list of this source address; if it is present, proceed to e);
e) Compute the hash value of the destination address and denote it i;
f) According to the computed hash value of the destination address, increment the corresponding entry in the destination address list by 1, and increment the total destination address count by 1;
g) Calculate the entropy of the source host at this moment and evaluate it: if the entropy is greater than the set network worm alarm threshold and less than or equal to the response threshold, generate an alarm record; if the entropy is greater than the response threshold, trigger the response mechanism; if the stop flag is true, end the detection process; otherwise, if the periodic clearing interval has expired at this moment, empty the destination address list corresponding to every host in the detected host address list; finally return to b) and continue with the next connection.
3. A network worm single-node detection system using the method of claim 1 or 2, characterised in that: it consists of a probe host and the single-node worm detection program on it; the probe host connects to the mirror port of the network egress switch or router, is used to monitor the packets leaving the network, and runs the worm detection program, which carries out the local detection strategy: it captures packets from the network, calculates the destination address entropy of each host in the network from the distribution of the connections that host initiates across destination hosts, judges whether there is a worm-infected host, and generates an alarm record or triggers the response mechanism; the single-node worm detection program consists of a network worm detection module, a network traffic analysis module, a network traffic acquisition module, and a configuration and alarm display interface module; the network traffic analysis module obtains traffic from the network traffic acquisition module, analyses it to obtain connection information, and sends that information to the network worm detection module for detection; the configuration and alarm display interface module communicates with the network worm detection module and the network traffic analysis module, mainly to configure module parameters and to display alarm information.
4. The network worm single-node detection system of claim 3, characterised in that the key data structures of the network worm detection module comprise a worm host list, a detected host address list and destination address lists.
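The per-host entropy procedure of claims 1 and 2, with the parameters given in the description (K=4096 table entries, alarm threshold 1.0, response threshold 2.0, 10-second clearing), as an added Python example written for this page; it is not code from the patent or its inventors. The page does not name the hash function, the logarithm base of the entropy, or what the response mechanism does, so the example assumes an address-modulo-K bucket, base-2 entropy, and a response that records the host in the worm host list; the sample connections in SAMPLE are constructed.

```python
"""Entropy-based worm host detection, an added illustration of claims 1-2.

Example code for this page, not the patent's implementation. Constants come
from the description; the hash function, the logarithm base and the response
action are ASSUMPTIONS and are marked as such below.
"""
import ipaddress
import math
from dataclasses import dataclass, field

TABLE_SIZE = 4096         # K: entries in each host's destination-address table
ALARM_THRESHOLD = 1.0     # "entropy 2" on the page
RESPONSE_THRESHOLD = 2.0  # "entropy 1" on the page
CLEAR_INTERVAL = 10.0     # seconds between periodic clearing of the tables


def dest_bucket(dst: str) -> int:
    """Map a destination address to a table index (step e).

    ASSUMPTION: the page only says "a Hash function"; folding the 32-bit
    address modulo K is used here so the buckets are easy to follow. A
    deployment would use a keyed hash so a sender cannot force collisions.
    """
    return int(ipaddress.ip_address(dst)) % TABLE_SIZE


@dataclass
class HostState:
    """Per-source-host destination table (sparse view of the K-entry list)."""
    counts: dict = field(default_factory=dict)  # bucket index -> connection count
    total: int = 0                              # connections seen this window

    def entropy(self) -> float:
        """Shannon entropy of the destination distribution (step g).

        ASSUMPTION: logarithm base 2; the page does not state the base.
        """
        if self.total == 0:
            return 0.0
        return -sum((c / self.total) * math.log2(c / self.total)
                    for c in self.counts.values())

    def clear(self) -> None:
        self.counts.clear()
        self.total = 0


class WormDetector:
    def __init__(self, alarm=ALARM_THRESHOLD, response=RESPONSE_THRESHOLD,
                 clear_interval=CLEAR_INTERVAL):
        self.alarm = alarm
        self.response = response
        self.clear_interval = clear_interval
        self.worm_hosts = set()   # worm host list (step c)
        self.hosts = {}           # detected host list: source -> HostState (step d)
        self.window_start = None

    def process(self, ts: float, src: str, dst: str) -> str:
        """Handle one observed connection (step b) and return the verdict for src."""
        if self.window_start is None:
            self.window_start = ts
        if src in self.worm_hosts:                            # step c
            verdict = "known_worm"
        else:
            state = self.hosts.setdefault(src, HostState())   # step d
            i = dest_bucket(dst)                              # step e
            state.counts[i] = state.counts.get(i, 0) + 1      # step f
            state.total += 1
            h = state.entropy()                               # step g
            if h > self.response:
                verdict = "response"
                # ASSUMPTION: the page does not say how hosts enter the worm
                # host list; here the response is to record the host so that
                # its later connections are skipped at step c.
                self.worm_hosts.add(src)
            elif h > self.alarm:
                verdict = "alarm"
            else:
                verdict = "normal"
        # periodic clearing of every host's destination table (end of step g)
        if ts - self.window_start >= self.clear_interval:
            for state in self.hosts.values():
                state.clear()
            self.window_start = ts
        return verdict


def run(events):
    """Feed (timestamp, src, dst) tuples through one detector; return verdicts."""
    det = WormDetector()
    return [(src, det.process(ts, src, dst)) for ts, src, dst in events]


# Constructed sample: a normal host talking to two servers, and a host that
# touches one new address per connection, the pattern the method is built to flag.
SAMPLE = (
    [(t, "10.0.0.5", "192.168.1.10") for t in (0.1, 0.3, 0.5, 0.9)]
    + [(1.0, "10.0.0.5", "192.168.1.1"), (1.2, "10.0.0.5", "192.168.1.10")]
    + [(2.0 + k * 0.1, "10.0.0.7", f"10.0.1.{k + 1}") for k in range(6)]
)

if __name__ == "__main__":
    for src, verdict in run(SAMPLE):
        print(f"{src:10s} {verdict}")
```

Two properties of the thresholds become visible when the sample is run. A host that only ever reaches two destinations can never exceed 1.0 bit of entropy, so under these settings a host is alarmed only once its connections spread over three or more destinations within one clearing window, and the response threshold of 2.0 is crossed when five destinations are hit evenly. The clearing step also means a slow spreader that stays under the thresholds inside each 10-second window is not caught, which is the trade-off the description accepts in exchange for bounding per-host state to K counters.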
CNB2006101553233A 2006-12-20 2006-12-20 A network worm detection method and its system Expired - Fee Related CN100531219C (en)

Publications (2)

Publication Number Publication Date
CN1997017A true CN1997017A (en) 2007-07-11
CN100531219C CN100531219C (en) 2009-08-19

Family

ID=38251943

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090819

Termination date: 20121220