
Research On Key Issue Of Worm Automatic Defense

Posted on: 2009-01-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Tu
Full Text: PDF
GTID: 1118360272972284
Subject: Computer system architecture
Abstract/Summary:
The fast spread of worms is a great challenge to Internet security. Most current defense systems, such as intrusion detection systems, use a signature matching approach, and most signatures are developed manually from captured worm packets and code samples. A long period often passes between the release of a worm and the extraction of its signature. Such defense mechanisms can stop early viruses, which spread slowly, but they cannot promptly stop network worms, which spread worldwide in a few days or even a few hours; by the time the signature of a new worm has been extracted, the worm has already caused huge losses. As a result, defense, analysis, detection and response have become separated from each other and have not been able to deal effectively with the endless variety of new worms, so there is an urgent need to study new methods of worm defense.

Various studies have shown that, because common worms attack automatically, the communication data of a worm differs from that of most normal applications, and the infected nodes exhibit similar behaviour and similar data, which makes worm signature extraction possible. Automatic defense based on worm signature extraction has therefore become a new research hot spot, but the methods are still imperfect, which limits the quality of signature extraction and the effect of automatic defense. In order to achieve better automatic worm defense, the following key issues have been studied:

A statistical payload content partition method is proposed for extracting the signatures of worms whose attack payload contains a part that is invariant across worm connections. A sliding-window, variable-length partition method is used to reduce the high false negative rate caused by fixed-length partitioning, and a multiple-breakmark variable-length partition method is presented to avoid generating very short or very long content blocks. By adding position information to the blocks, a position-aware signature extraction method is proposed to enhance the quality of the extracted signatures. The results show that this method can effectively extract worm signatures, reduce the consumption of system resources and produce more accurate signatures for the subsequent defense system.

To avoid detection, a polymorphic worm varies its payload on every infection attempt, so that the positions of its fixed bytes change greatly and ordinary worm signature extraction methods have difficulty obtaining good results. In response to the emergence of polymorphic worms, a polymorphic worm signature extraction method based on an incremental Bayesian approach is proposed. A GST algorithm is used to extract substrings from packets, a Bayesian method is used to construct the polymorphic worm signature, and an incremental Bayesian approach is proposed to improve its quality. Experiments have proved that the method is effective at extracting signatures that detect polymorphic worm variants.

Several recent efforts have been made to extract worm signatures automatically from Internet traffic, but efficiency remains an unsolved problem, especially in real high-speed networks. A binary clustering algorithm and a leaves-preferred policy are proposed to improve the front-end traffic filter, which reduces the traffic to be processed and enhances its purity. A worm detection method based on a randomness test is also proposed for further detection of suspected worm traffic. The results show that the method can remove 75% of the flows and filter out the suspected traffic, so that the subsequent signature extraction system can be more efficient and accurate.

In view of the global spread of worms, a DHT-based collaborative approach is designed for large-scale worm defense, and a distributed aggregation tree is also studied. The results show that the approach can increase the probability of detecting an unknown worm in its early spread stage and the accuracy of the extracted signature.

Based on the methods above, a prototype worm defense system based on signature extraction is designed and its main modules are presented.
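The sliding-window, multiple-breakmark partition and the position-aware block matching described above, as an added example that is not part of the dissertation or its prototype. The window size, the two block-size breakmarks, the breakmark rule (a plain byte-sum checksum standing in for the rolling fingerprint a real system would use) and the three sample connections are all constructed assumptions for illustration.

```python
"""Added example (not from the dissertation): a sliding-window,
variable-length payload partition with two breakmarks (a minimum and a
maximum block size), followed by a position-aware search for the content
blocks that every connection in a constructed worm sample shares.  The
window size, block bounds, breakmark rule and sample payloads are all
assumptions chosen for illustration; the breakmark rule is a toy checksum
standing in for the rolling fingerprint a real system would use."""

WINDOW = 4        # bytes in the sliding window (assumed)
MODULUS = 8       # breakmark: window checksum divisible by this (expected block ~8 bytes)
MIN_BLOCK = 6     # first breakmark: ignore marks until the block holds this many bytes
MAX_BLOCK = 24    # second breakmark: cut unconditionally at this many bytes


def window_checksum(window: bytes) -> int:
    """Toy rolling checksum: the plain byte sum of the window (assumption)."""
    return sum(window)


def partition(payload: bytes):
    """Cut payload into variable-length blocks, returning (offset, block) pairs.

    A cut is made after byte i when the window ending at i hits the breakmark
    and the current block already holds MIN_BLOCK bytes, or unconditionally
    once the block reaches MAX_BLOCK bytes.  Keeping the offset alongside each
    block is what makes the later signature position-aware.
    """
    blocks = []
    start = 0
    for i in range(len(payload)):
        length = i - start + 1
        at_mark = (i + 1 >= WINDOW
                   and window_checksum(payload[i + 1 - WINDOW:i + 1]) % MODULUS == 0)
        if (at_mark and length >= MIN_BLOCK) or length >= MAX_BLOCK:
            blocks.append((start, payload[start:i + 1]))
            start = i + 1
    if start < len(payload):                      # trailing partial block
        blocks.append((start, payload[start:]))
    return blocks


def position_aware_signature(connections):
    """Blocks shared by every connection, with the offsets at which each one
    appears in each connection.  Because cuts are content-defined, the same
    invariant block is found even though the bytes before it differ in length
    from connection to connection."""
    parts = [partition(c) for c in connections]
    common = set.intersection(*(set(b for _, b in part) for part in parts))
    return {blk: [[off for off, b in part if b == blk] for part in parts]
            for blk in sorted(common)}


# Constructed sample: three connections carrying the same invariant attack
# payload (a NOP-sled-like run, a short filler, a constant block) behind
# request lines of different lengths.
INVARIANT = b"\x90" * 40 + b"\x01" * 12 + b"\x05" * 30
SAMPLE_CONNECTIONS = [
    b"GET /index.html\r\n" + INVARIANT + b"\r\n\r\n",
    b"POST /upload\r\n" + INVARIANT + b"!!",
    b"HEAD /\r\n" + INVARIANT,
]

if __name__ == "__main__":
    for blk, offsets in position_aware_signature(SAMPLE_CONNECTIONS).items():
        print(blk[:8], "... offsets per connection:", offsets)
```

Running the script reports two invariant blocks: the six-byte run from the sled and the 24-byte constant block, each at a different offset in each connection. Blocks that straddle the variable request line and the invariant region differ between connections and are correctly not reported; a fixed-length partition would have cut the invariant region at different phases in each connection and missed it entirely.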
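The polymorphic-worm signature built from shared substrings and Bayesian scoring, as an added example that is not the dissertation's own code. A brute-force common-substring search stands in for the GST the abstract names; the Laplace smoothing, the threshold rule (the lowest score of any training worm sample), the incremental update and all worm and normal samples are constructed assumptions.

```python
"""Added example (not from the dissertation): a Bayesian signature for a
polymorphic worm.  Substrings shared by every worm sample become tokens,
each token is scored by the log ratio of its probability in worm traffic
versus normal traffic, a sample matches when its token scores sum to at
least a threshold, and counts can be updated incrementally.  Samples,
smoothing and threshold rule are assumptions; brute force replaces the GST."""
import math
from dataclasses import dataclass, field

MIN_TOKEN = 3  # shortest substring kept as a token (assumed)


def common_tokens(samples, min_len=MIN_TOKEN):
    """Maximal substrings of length >= min_len present in every sample.

    Enumerates substrings of the shortest sample (a GST does this in linear
    time) and drops any token contained in a longer common token.
    """
    shortest = min(samples, key=len)
    found = set()
    for i in range(len(shortest)):
        for j in range(i + min_len, len(shortest) + 1):
            cand = shortest[i:j]
            if all(cand in s for s in samples):
                found.add(cand)
    return sorted(t for t in found if not any(t != u and t in u for u in found))


@dataclass
class BayesSignature:
    tokens: list
    worm_hits: dict = field(default_factory=dict)    # token -> worm samples containing it
    normal_hits: dict = field(default_factory=dict)  # token -> normal samples containing it
    n_worm: int = 0
    n_normal: int = 0
    scores: dict = field(default_factory=dict)
    threshold: float = 0.0
    worm_pool: list = field(default_factory=list)

    def add_sample(self, sample: bytes, is_worm: bool):
        """Incremental update: fold one labelled sample into the counts, rescore."""
        hits = self.worm_hits if is_worm else self.normal_hits
        for t in self.tokens:
            if t in sample:
                hits[t] = hits.get(t, 0) + 1
        if is_worm:
            self.n_worm += 1
            self.worm_pool.append(sample)
        else:
            self.n_normal += 1
        self._rescore()

    def _rescore(self):
        # Laplace-smoothed log likelihood ratio per token
        for t in self.tokens:
            p_worm = (self.worm_hits.get(t, 0) + 1) / (self.n_worm + 2)
            p_norm = (self.normal_hits.get(t, 0) + 1) / (self.n_normal + 2)
            self.scores[t] = math.log(p_worm / p_norm)
        # threshold: every training worm sample must still match
        self.threshold = min((self.score(s) for s in self.worm_pool), default=0.0)

    def score(self, sample: bytes) -> float:
        return sum(self.scores[t] for t in self.tokens if t in sample)

    def matches(self, sample: bytes) -> bool:
        return self.score(sample) >= self.threshold


def build_signature(worm_samples, normal_samples) -> BayesSignature:
    model = BayesSignature(tokens=common_tokens(worm_samples))
    for s in worm_samples:
        model.add_sample(s, is_worm=True)
    for s in normal_samples:
        model.add_sample(s, is_worm=False)
    return model


# Constructed samples: four polymorphic variants that reorder and pad three
# invariant fragments, four benign requests, and one unseen variant.
WORM_SAMPLES = [
    b"GET /aaaaaa\x90\x90\xff\xbfbbb.exe",
    b"GET /cc.exeddddddddd\x90\x90\xff\xbf",
    b"\x90\x90\xff\xbfeeeeGET /f.exegg",
    b"GET /hhh\x90\x90\xff\xbf.exe",
]
NORMAL_SAMPLES = [
    b"GET /index.html HTTP/1.0",
    b"GET /images/logo.png HTTP/1.0",
    b"POST /login HTTP/1.1",
    b"GET /about HTTP/1.0",
]
VARIANT = b"\x90\x90\xff\xbfxx.exeyyGET /"

if __name__ == "__main__":
    model = build_signature(WORM_SAMPLES, NORMAL_SAMPLES)
    for t in model.tokens:
        print(t, round(model.scores[t], 3))
    print("variant matches:", model.matches(VARIANT))
    print("benign matches:", [model.matches(n) for n in NORMAL_SAMPLES])
```

The token `GET /` appears in both pools and therefore scores close to zero, so the signature's weight sits on the fragments that only the worm carries. Feeding a benign request that happens to contain `.exe` into `add_sample` lowers that token's score without re-extracting tokens, which is the kind of incremental refinement the abstract describes.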
Keywords/Search Tags:network security, internet worm, signature extraction, defense system