
Method Of Detection To Worm-Attack Based On Model Of Attack-Tree

Posted on: 2005-01-15
Degree: Master
Type: Thesis
Country: China
Candidate: X Z Liu
GTID: 2168360152465021
Subject: Military Equipment
Abstract/Summary:
As networks have become increasingly interconnected, the Internet has developed greatly and become the principal means of information communication. At the same time, network and information security problems have become more and more serious. Among all kinds of network attacks, the network worm does more and more harm to the security and efficiency of the network, and new worms continue to emerge. Against this background, this article introduces a method of worm detection based on an attack-tree model. The key points of the method can be summarized as follows:

1. Model of network communication. This model maps network communication on the Internet to a weighted, directed graph called the network-link graph. Computers on the network are mapped to nodes in the graph, network links are mapped to directed edges, and the attributes of a network link, such as source/destination node, source/destination port, protocol type and so on, are mapped to weights on the directed edge. Through this mapping from network communication to the network-link graph, the model reflects all the communication information on the network and the correlations within it. For this reason, all kinds of behavior on the network can be analyzed on the basis of the network communication model.

2. Attack-tree model of the worm. Based on the network communication model and the characteristics of worm propagation, this article gives the attack-tree model of the worm. The attack-tree model maps the propagation tracks of a worm to a weighted, directed tree, called the propagation-track graph of the worm, which is a sub-graph of the network-link graph. The attack-tree model is a particular case of the network communication model applied to the concrete problem of worm attack, and it describes the essential characteristics of a worm attack accurately.

3. Detecting worm attacks with the attack-tree model. The attack-tree model maps the propagation-track graph of a worm to a weighted, directed tree. When a worm attack breaks out on the network, a weighted, directed tree that conforms to the characteristics of the attack-tree model can be found in the network-link graph. The detection method based on the attack-tree model therefore converts the problem of detecting a worm attack into another problem: looking for weighted, directed trees in the network-link graph that conform to the characteristics of the attack-tree model. That problem can be solved by a depth-first search (DFS) traversal of the network-link graph.

The method described in this article has merits such as high efficiency of analysis, a low false-alarm rate, and the ability to trace back to the source node. It is an important addition to the existing methods of worm-attack detection, and it is also of some help in detecting other network attacks.
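The search described in point 3, as an added sketch that is not code from the thesis. The abstract does not list the attack-tree characteristics, so this example assumes them: all edges of a tree share one protocol and destination port, a host only propagates after it was itself contacted, and a tree must reach the hypothetical thresholds `MIN_DEPTH` and `MIN_NODES`. All function names and the flow records are constructed for illustration.

```python
from collections import defaultdict
# Constructed flow records: (time, src, dst, protocol, dst_port).
FLOWS = [
    (1, "A", "B", "tcp", 445), (2, "B", "C", "tcp", 445),
    (3, "B", "D", "tcp", 445), (4, "C", "E", "tcp", 445),
    (5, "D", "F", "tcp", 445), (6, "E", "G", "tcp", 445),
    (9, "G", "A", "tcp", 445),                            # link back to the source
    (2, "X", "W", "tcp", 80), (3, "Y", "W", "tcp", 80),   # ordinary client traffic
]
MIN_DEPTH, MIN_NODES = 3, 5   # assumed thresholds, not taken from the thesis

def build_graphs(flows):
    """One network-link graph per (protocol, port): src -> [(dst, time)]."""
    graphs = defaultdict(lambda: defaultdict(list))
    for t, src, dst, proto, port in flows:
        graphs[(proto, port)][src].append((dst, t))
    return graphs

def grow_tree(adj, root):
    """DFS from root; keep an edge only if sent after its source was reached."""
    reached, parent, stack = {root: float("-inf")}, {}, [root]
    while stack:
        node = stack.pop()
        for dst, t in adj.get(node, []):
            if reached[node] < t < reached.get(dst, float("inf")):
                reached[dst], parent[dst] = t, node   # earliest parent wins
                stack.append(dst)   # revisit: its own edges may now qualify
    return parent

def depth_of(parent, node):   # hops from node up to the tree root
    hops = 0
    while node in parent:
        node, hops = parent[node], hops + 1
    return hops

def detect(flows):
    """Return [(service, source_node, parent_map)] for each tree found."""
    alerts = []
    for service, adj in build_graphs(flows).items():
        first_in = {}
        for dst, t in (e for edges in adj.values() for e in edges):
            first_in[dst] = min(t, first_in.get(dst, t))
        for root, edges in adj.items():
            if min(t for _, t in edges) >= first_in.get(root, float("inf")):
                continue   # contacted before it sent anything: not a source
            parent = grow_tree(adj, root)
            depth = max((depth_of(parent, n) for n in parent), default=0)
            if depth >= MIN_DEPTH and len(parent) + 1 >= MIN_NODES:
                alerts.append((service, root, parent))
    return alerts
```

The root of each reported tree is the traced-back source node, and the parent map gives the propagation track edge by edge.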
Keywords/Search Tags:graph theory, network communication, worm-attack, the model of attack-tree