
Research On Worm Detection Method Based On Similarity Of Traffic Feature Distribution

Posted on: 2009-10-23
Degree: Master
Type: Thesis
Country: China
Candidate: L F Tang
GTID: 2178360245980464
Subject: Computer software and theory

Abstract/Summary:
With the development of computer technology and Internet applications, malicious code such as viruses and network worms has become a common problem for all computer users. Network worms not only exhaust the system resources of infected hosts and damage them, but also consume network bandwidth, congest the network and can disrupt an entire network. Because worm epidemics cause such extensive damage, detecting and responding to network worms has become an important task in the field of computer network security.

This thesis studies the working mechanism of network worms in depth, reviews the state of the art in network anomaly detection and worm propagation models, and sets out a worm detection method based on the similarity of traffic feature distributions. Starting from the observation that worm attacks cause abnormal distributions of network traffic, a new detection method based on that distribution similarity is proposed. Three attributes are chosen (source address, destination address and destination port), the distribution of each attribute is computed to build a feature set, and the similarity between the current network traffic and the feature set is computed with the Mahalanobis distance. When the computed similarity falls below a preset threshold, a worm attack alarm is raised.

Following this detection method, a prototype network worm detection system was developed. It consists mainly of a network status information acquisition subsystem, a network status information statistics and analysis subsystem, a data output and display subsystem, and a worm attack alerting subsystem.
Tests carried out on a local area network show that the prototype can detect several widespread network worms in time, such as Slammer, Nimda and Panda Burning Incense.
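The following is an added example illustrating the detection method described in the abstract; it is not the thesis's own code. It keeps the thesis's three attributes (source address, destination address, destination port) and its Mahalanobis-distance comparison against a baseline feature set, but the choice of normalised Shannon entropy as the per-attribute distribution summary, the mapping of distance d to similarity 1/(1+d), the threshold of 0.1, the window size of 200 flows and the constructed normal and scanning traffic generators are all assumptions made for the demo.

```python
"""Added example (not the thesis's own code): worm detection from the similarity
of traffic feature distributions. Each window is reduced to the normalised
entropies of its source-address, destination-address and destination-port
distributions; Mahalanobis distance to a baseline of normal windows gives a
similarity 1/(1+d), and an alarm fires when it drops below a threshold."""
import math
import random
from collections import Counter


def normalized_entropy(values):
    """Entropy scaled by log2(n): n distinct values -> 1.0, one repeated value -> 0.0."""
    n = len(values)
    if n <= 1:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)


def window_features(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port) tuples -> 3-d feature vector."""
    srcs, dsts, ports = zip(*flows)
    return [normalized_entropy(srcs), normalized_entropy(dsts), normalized_entropy(ports)]


def _invert_3x3(m):
    """Inverse via the adjugate; the covariance is ridge-regularised so det != 0."""
    (a, b, c), (d, e, f), (g, h, i) = m
    det = a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)
    if det == 0.0:
        raise ValueError("covariance matrix is singular")
    return [[(e * i - f * h) / det, (c * h - b * i) / det, (b * f - c * e) / det],
            [(f * g - d * i) / det, (a * i - c * g) / det, (c * d - a * f) / det],
            [(d * h - e * g) / det, (b * g - a * h) / det, (a * e - b * d) / det]]


class DistributionSimilarityDetector:
    def __init__(self, threshold=0.1, ridge=1e-6):
        self.threshold = threshold  # alarm when similarity < threshold (assumed value)
        self.ridge = ridge          # added to the covariance diagonal for invertibility
        self.mean, self.inv_cov = None, None

    def fit(self, baseline_windows):
        """Build the feature set (mean vector, covariance) from normal-traffic windows."""
        vecs = [window_features(w) for w in baseline_windows]
        n = len(vecs)
        if n < 2:
            raise ValueError("need at least two baseline windows")
        self.mean = [sum(v[k] for v in vecs) / n for k in range(3)]
        cov = [[sum((v[r] - self.mean[r]) * (v[s] - self.mean[s]) for v in vecs) / (n - 1)
                + (self.ridge if r == s else 0.0) for s in range(3)] for r in range(3)]
        self.inv_cov = _invert_3x3(cov)
        return self

    def mahalanobis(self, flows):
        dev = [x - mu for x, mu in zip(window_features(flows), self.mean)]
        q = sum(dev[r] * self.inv_cov[r][s] * dev[s] for r in range(3) for s in range(3))
        return math.sqrt(max(q, 0.0))

    def similarity(self, flows):
        return 1.0 / (1.0 + self.mahalanobis(flows))

    def is_worm(self, flows):
        return self.similarity(flows) < self.threshold


def normal_window(rng, n_flows=200):
    """Constructed normal LAN traffic: ~200 clients, 40 servers, weighted port mix."""
    flows = []
    for _ in range(n_flows):
        src = "10.0.%d.%d" % (rng.randint(1, 4), rng.randint(1, 50))
        dst = "203.0.113.%d" % rng.randint(1, 40)
        port = rng.choices([80, 443, 53, 22, 25], weights=[40, 35, 15, 5, 5])[0]
        flows.append((src, dst, port))
    return flows


def worm_window(rng, n_scan=150, n_background=50, infected="10.0.2.17", port=1434):
    """Constructed infected window: one host fans out to random addresses on a single
    port (Slammer-style scanning) on top of some normal background traffic."""
    flows = normal_window(rng, n_background)
    for _ in range(n_scan):
        flows.append((infected, ".".join(str(rng.randint(1, 254)) for _ in range(4)), port))
    return flows


def run_demo(seed=7):
    """Fit on 30 normal windows, then score one clean and one infected window."""
    rng = random.Random(seed)
    det = DistributionSimilarityDetector(threshold=0.1).fit([normal_window(rng) for _ in range(30)])
    normal_test, worm_test = normal_window(rng), worm_window(rng)
    return {"normal_similarity": det.similarity(normal_test), "normal_alarm": det.is_worm(normal_test),
            "worm_similarity": det.similarity(worm_test), "worm_alarm": det.is_worm(worm_test)}
```

The scanning window collapses the source-address and destination-port entropies towards zero while pushing destination-address entropy towards one, which is exactly the kind of joint shift the three-attribute Mahalanobis distance is sensitive to; a clean window stays within a few standard deviations of the baseline and its similarity remains well above the threshold. The ridge term on the covariance diagonal matters in practice: with a short or very regular baseline the three entropies can be nearly collinear and the raw covariance would be singular or numerically unstable.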
Keywords: intrusion detection, network worm, network traffic feature distribution, similarity