
Research On The Key Technologies Of Worm Detection Based On Network Behavior

Posted on: 2010-05-20  Degree: Doctor  Type: Dissertation
Country: China  Candidate: F T Xiao  Full Text: PDF
GTID: 1118360305473650  Subject: Army command science
Abstract/Summary:
The rapid development of the Internet improves people's work efficiency and enriches their lives, and at the same time makes them depend more and more on the network. The ever richer system software, application software and network services bring people more convenience and also more network security threats. Network security issues have become a focus of attention, and the harm they do keeps growing. Computer worms, because of their fast propagation, many variants and great destructiveness, have become one of the most serious network security threats.

At present, network behavior based worm detection techniques are effective for worm detection, and they can also deal with the threats brought by polymorphic worms and fast worms, but they have shortcomings too: 1) their detection granularity is coarse, so they cost more and the detection result is affected; 2) they are prone to false negatives because of P2P worm-like traffic; 3) they do not work well for slow or variable-speed worms; 4) they have not explored worm behavior sufficiently; 5) they cannot locate the worm process accurately.

To address these shortcomings and achieve fast, fine-grained and effective worm detection, this dissertation carries out worm detection research that focuses on network behavior. The main contributions and work consist of the following five parts:

(1) An automated P2P worm-like traffic signature generation algorithm (AWTSG, Automated Worm-like Traffic Signature Generation) is presented, and its prototype system is designed and implemented. P2P traffic has become the most popular traffic on the Internet, but it exhibits worm-like traffic behavior. To eliminate this worm-like traffic, this dissertation compares the similarities between worm traffic and P2P traffic, defines worm-like traffic, and presents a simple signature format for P2P worm-like traffic. On this basis, an automated signature generation algorithm is presented, designed and implemented. In experiments with popular P2P applications, AWTSG successfully generates signatures for these applications, and the experiments also verify the validity of AWTSG by effectively reducing false negatives.

(2) A hierarchical user network access habitual behavior model is presented. In view of the imperfect modeling of user network access habitual behavior in previous work, a new model based on three levels, the user representation level, the use representation level and the network representation level, is presented, and its notation and implementation are introduced.

(3) A host packet behavior ranking based worm detection algorithm (HPBR, Host Packet Behavior Ranking) is presented. To accelerate the worm detection process and improve the detection ability for slow worms, an algorithm (HPBR) that works for both fast and slow worms is presented, based on user network access habitual behavior and the ranking of host packets. The experimental results show that HPBR works well for fast worms, variable-speed worms and slow worms, with low false negatives and false positives.

(4) A process traffic behavior based worm detection algorithm (PTBBWD, Process Traffic Behavior Based Worm Detection) is presented. Based on the descriptions of three new worm behaviors, namely an over-high frequency of changes to completely new source ports, an over-large total number of completely new source ports, and an over-large proportion of worm-like traffic, a process traffic behavior based worm detection algorithm is presented, and a prototype system based on the PTBBWD detection framework is designed and implemented. The results of experiments with worm programs and normal network applications in the wild show that PTBBWD can detect fast worms quickly and has low false positives and false negatives.

(5) A process traffic simplicity and temporal consistency based worm detection algorithm (PTSTCBWD, Process Traffic Simplicity and Temporal Consistency Based Worm Detection) is presented. In view of the influence of the initial detection time on PTBBWD, and based on the definitions and determination methods of process traffic simplicity and temporal consistency, the PTSTCBWD algorithm is presented. The experimental results show that PTSTCBWD can detect worms quickly, is not sensitive to the initial detection time, and has low false positives and false negatives.

The research results of this dissertation contribute to network behavior based worm detection technology in both theory and practice, and they also have important reference value for defending against worm attacks effectively.
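The three process-level behaviors listed under contribution (4) can be scored directly from per-process flow records. The following is an added example written for this page, not code from the dissertation or its prototype: it tracks, per process, the rate of completely new source ports per time window, the total number of distinct new source ports, and the share of flows that count as worm-like. Everything beyond the abstract's three behaviors is an assumption: the thresholds, the decision rule (two of three signals), the definition of a worm-like flow as a first contact to a previously uncontacted host, and the availability of process attribution (`pid`) from a host agent. The flow records are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt attributed to a process (constructed record)."""
    ts: float   # seconds since capture start
    pid: int    # owning process; per-process attribution is assumed to come from a host agent
    sport: int  # source port
    dst: str    # destination host
    dport: int  # destination port


@dataclass
class ProcState:
    seen_sports: set = field(default_factory=set)
    seen_dsts: set = field(default_factory=set)
    # window index -> [new source ports, worm-like flows, all flows]
    windows: dict = field(default_factory=lambda: defaultdict(lambda: [0, 0, 0]))


class ProcessTrafficDetector:
    """Scores the three PTBBWD-style behaviors per process; thresholds are illustrative assumptions."""

    def __init__(self, window_s=1.0, max_new_sport_rate=20.0,
                 max_total_new_sports=200, max_worm_like_ratio=0.8, min_signals=2):
        self.window_s = window_s
        self.max_new_sport_rate = max_new_sport_rate
        self.max_total_new_sports = max_total_new_sports
        self.max_worm_like_ratio = max_worm_like_ratio
        self.min_signals = min_signals          # assumed decision rule: 2 of 3 signals
        self.procs = defaultdict(ProcState)

    def observe(self, flow):
        st = self.procs[flow.pid]
        c = st.windows[int(flow.ts // self.window_s)]
        c[2] += 1
        if flow.sport not in st.seen_sports:    # a completely new source port for this process
            st.seen_sports.add(flow.sport)
            c[0] += 1
        if flow.dst not in st.seen_dsts:        # assumed worm-like flow: first contact to a new host
            st.seen_dsts.add(flow.dst)
            c[1] += 1

    def signals(self, pid):
        """Return the list of behaviors that exceeded their threshold for this process."""
        st = self.procs[pid]
        if not st.windows:
            return []
        fired = []
        peak_rate = max(c[0] for c in st.windows.values()) / self.window_s
        if peak_rate > self.max_new_sport_rate:
            fired.append(f"new source ports per second peaked at {peak_rate:.0f}")
        if len(st.seen_sports) > self.max_total_new_sports:
            fired.append(f"{len(st.seen_sports)} distinct new source ports in total")
        total = sum(c[2] for c in st.windows.values())
        worm_like = sum(c[1] for c in st.windows.values())
        ratio = worm_like / total
        if ratio > self.max_worm_like_ratio:
            fired.append(f"worm-like share of flows is {ratio:.2f}")
        return fired

    def is_worm(self, pid):
        return len(self.signals(pid)) >= self.min_signals


def constructed_flows():
    """Constructed sample: a browser-like process and a scanning, worm-like process."""
    flows = []
    # pid 1001: 30 connections over 10 s to 6 hosts on 443, one ephemeral port each
    hosts = [f"203.0.113.{i}" for i in range(1, 7)]
    for i in range(30):
        flows.append(Flow(ts=i / 3.0, pid=1001, sport=49152 + i, dst=hosts[i % 6], dport=443))
    # pid 2002: 300 connections in 3 s, each to a fresh host on 445 from a fresh source port
    for i in range(300):
        flows.append(Flow(ts=i / 100.0, pid=2002, sport=50000 + i,
                          dst=f"10.0.{i // 256}.{i % 256}", dport=445))
    return flows


def run_demo():
    """Feed the constructed flows through the detector; returns {pid: (is_worm, reasons)}."""
    det = ProcessTrafficDetector()
    for f in constructed_flows():
        det.observe(f)
    return {pid: (det.is_worm(pid), det.signals(pid)) for pid in sorted(det.procs)}


if __name__ == "__main__":
    for pid, (worm, why) in run_demo().items():
        print(pid, "WORM" if worm else "ok", why)
```

The browser-like process opens a new ephemeral port per connection too, so the source-port count alone would flag it over a long enough capture; the rate and the worm-like proportion are what separate the two, which is why the example requires more than one signal before reporting a process. A real deployment would pick thresholds from observed per-process baselines rather than the constants used here.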
Keywords/Search Tags: worm detection technology, worm behavior, ranking, process traffic behavior, P2P, automated signature generation