
Research And Implementation Of Distributed Worm Detection And Active Defense System

Posted on: 2006-02-28    Degree: Master    Type: Thesis
Country: China    Candidate: L N Wang    Full Text: PDF
GTID: 2168360155475691    Subject: Computer applications
Abstract/Summary:
Diverse propagation methods and complex application environments have made worm outbreaks frequent, latent and covert, so worms pose a serious threat to networks. Experience shows that traditional anti-virus techniques cannot meet the needs of network worm prevention and control. Building security systems around the characteristics of worm attacks has therefore become one of the most important research subjects.

Aiming to improve the real-time performance of detection and defense, this dissertation focuses on worm detection and active defense techniques. It explains why a network worm defense system must adopt an adaptive strategy, and describes a method that achieves this adaptivity using distributed object and honeynet technology. The main contributions are:

1) The Aegis model is proposed. Analysis shows that the model is platform independent, adaptive and extensible, and that it supports multilayer data analysis and active defense.

2) An anomaly detection method based on the DSC algorithm is studied, in which worm infection characteristics and probe characteristics are fused to identify infected hosts. A misuse detection method that integrates Snort into the Aegis model is also studied; simulation results show that the model is extensible and can incorporate other mature network security software.

3) Active defense techniques against worms are discussed. Based on the characteristics of worms, three measures are introduced: vulnerability evaluation of easily infected hosts to prevent worm attack, an inner firewall for worm traffic to restrain propagation, and worm-anti-worm techniques to bring worms on infected hosts under control.

4) Honeynet technology is studied. Incremental data mining and sequence mining algorithms are introduced to mine unknown worm behavior profiles, composed of association rules and sequence patterns, from Sebek data and audit records. This improves the self-adaptation of the worm detection system.

Simulation experiments are used to verify the validity of Aegis. The results show that the proposed system is self-adaptive and has an open architecture. Because worm detection and active defense are combined efficiently, the system achieves a high detection rate and a very low false-positive rate in worm detection, and can actively provide effective protection against worm outbreaks.
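The abstract says infected hosts are found by fusing two kinds of evidence, the worm's probe behaviour (a host suddenly contacting many destinations on one port, mostly unsuccessfully) and its infection behaviour (that same host having just accepted a connection on that port from another machine). The DSC algorithm itself is not described on this page, so the following is an added illustration of the fusion idea with fixed thresholds, not the thesis's detector. The flow record format, the window and threshold values, and all addresses and timings are constructed for the example.

```python
"""Flagging worm-infected hosts by fusing probe and infection characteristics.

Added illustration; the thesis's DSC-based detector is not reproduced here.
Input is a list of constructed TCP flow records (one per connection attempt).
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    ok: bool      # True: handshake completed; False: SYN unanswered or reset


def probe_windows(flows, window=60.0):
    """Probe characteristic: per (src, dport, time bucket), how many distinct
    destinations were contacted and what fraction of the attempts failed."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.dport, math.floor(f.t / window))].append(f)
    stats = {}
    for key, fl in buckets.items():
        fanout = len({f.dst for f in fl})
        fail_ratio = sum(1 for f in fl if not f.ok) / len(fl)
        stats[key] = (fanout, fail_ratio, min(f.t for f in fl))
    return stats


def infection_evidence(flows, host, dport, before_t, lookback=120.0):
    """Infection characteristic: a completed inbound connection to `host` on
    the same service port shortly before it began probing. Returns the peer
    that made that connection (the likely parent) or None."""
    hits = [f for f in flows
            if f.dst == host and f.dport == dport and f.ok
            and before_t - lookback <= f.t < before_t]
    return max(hits, key=lambda f: f.t).src if hits else None


def detect(flows, window=60.0, min_fanout=10, min_fail_ratio=0.5):
    """Fuse both characteristics. A host probing widely with many failures is
    a 'scanner'; if it was also just contacted on that same port, it is
    reported as 'infected' together with the parent that contacted it."""
    verdicts = {}
    windows = sorted(probe_windows(flows, window).items(), key=lambda kv: kv[1][2])
    for (src, dport, _), (fanout, fail_ratio, t0) in windows:
        if fanout < min_fanout or fail_ratio < min_fail_ratio:
            continue
        parent = infection_evidence(flows, src, dport, t0)
        verdict = ('infected', dport, parent) if parent else ('scanner', dport, None)
        # an 'infected' verdict supersedes an earlier 'scanner' one for the same host
        if src not in verdicts or (verdicts[src][0] == 'scanner' and parent):
            verdicts[src] = verdict
    return verdicts


def sample_flows():
    """Constructed capture (not real data): one external infection, a second-
    generation victim, a benign browser and an administrative port scanner."""
    flows = [Flow(10.0, '198.51.100.7', '10.0.0.5', 445, True)]   # initial infection
    for i in range(1, 31):                                          # 10.0.0.5 sweeps the /24
        dst = f'10.0.0.{i}'
        flows.append(Flow(20.0 + i, '10.0.0.5', dst, 445, dst in ('10.0.0.12', '10.0.0.20')))
    for i in range(40, 60):                                         # victim 10.0.0.12 sweeps too
        flows.append(Flow(70.0 + i * 0.5, '10.0.0.12', f'10.0.0.{i}', 445, False))
    for i, dst in enumerate(['10.0.0.1', '10.0.0.2', '10.0.0.3', '10.0.0.1', '10.0.0.2']):
        flows.append(Flow(30.0 + i, '10.0.0.9', dst, 80, True))     # benign web browsing
    for i in range(1, 16):                                          # admin SSH scan, never infected
        flows.append(Flow(100.0 + i, '10.0.0.50', f'10.0.0.{100 + i}', 22, i % 2 == 0))
    return flows


if __name__ == '__main__':
    for host, (verdict, port, parent) in detect(sample_flows()).items():
        print(f'{host}: {verdict} on port {port}' + (f', parent {parent}' if parent else ''))
```

The fusion is what separates the two alarms: the administrative scanner on port 22 trips the probe threshold but has no preceding inbound connection on that port, so it is reported only as a scanner, while the hosts that were first contacted on 445 and then swept the subnet on 445 are reported as infected with their parent identified, which is also the edge needed to reconstruct the infection chain.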
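Point 4 mines sequence patterns from Sebek keystroke data and audit records so that a previously unknown worm's behaviour profile can be learned rather than signatured. As an added example, not the thesis's incremental algorithm, here is a level-wise (GSP-style) frequent-subsequence miner that extracts the maximal frequent command sequence from a handful of constructed honeypot sessions and derives sequence rules of the form "prefix, then consequent" with their confidence. The session contents, the command names and the support threshold are all invented for the illustration.

```python
"""Mining worm behaviour profiles from honeypot sessions.

Added illustration (not the thesis's incremental miner). Each session is the
ordered list of commands an intruder typed on a honeypot, as Sebek would log.
"""


def is_subsequence(pattern, seq):
    """True if `pattern` occurs in `seq` in order, not necessarily contiguously."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def mine_sequences(sessions, min_support):
    """Level-wise search: frequent single commands first, then extend each
    frequent sequence by one command and keep the extensions that are still
    frequent. Returns {pattern_tuple: support}."""
    items = sorted({cmd for s in sessions for cmd in s})

    def support(p):
        return sum(1 for s in sessions if is_subsequence(p, s))

    level = [(cmd,) for cmd in items if support((cmd,)) >= min_support]
    frequent = {p: support(p) for p in level}
    while level:
        nxt = []
        for p in level:
            for cmd in items:            # only frequent prefixes are extended (Apriori property)
                cand = p + (cmd,)
                sup = support(cand)
                if sup >= min_support:
                    frequent[cand] = sup
                    nxt.append(cand)
        level = nxt
    return frequent


def maximal(frequent):
    """Drop every pattern contained in a longer frequent pattern; what remains
    is the compact behaviour profile."""
    return {p: s for p, s in frequent.items()
            if not any(len(q) > len(p) and is_subsequence(p, q) for q in frequent)}


def sequence_rules(frequent, min_conf=0.9):
    """Association rules over the sequences: 'after prefix, expect last command',
    with confidence = support(pattern) / support(prefix)."""
    rules = []
    for p, sup in frequent.items():
        if len(p) >= 2 and p[:-1] in frequent:
            conf = sup / frequent[p[:-1]]
            if conf >= min_conf:
                rules.append((p[:-1], p[-1], conf))
    return sorted(rules, key=lambda r: (-len(r[0]), r[0]))


# Constructed Sebek-style sessions: four automated infections plus one human.
SESSIONS = [
    ['wget', 'chmod', './bot', 'scan', 'ftp'],
    ['uname', 'wget', 'chmod', './bot', 'scan'],
    ['wget', 'tar', 'chmod', './bot', 'scan'],
    ['ls', 'cat', 'exit'],
    ['wget', 'chmod', './bot', 'crontab', 'scan'],
]


if __name__ == '__main__':
    freq = mine_sequences(SESSIONS, min_support=4)
    for p, s in maximal(freq).items():
        print('profile:', ' -> '.join(p), '(support', s, ')')
    for prefix, nxt, conf in sequence_rules(freq):
        print('rule:', ' -> '.join(prefix), '=>', nxt, f'(conf {conf:.2f})')
```

The noise the human session and the per-session extras (uname, tar, crontab) add never reaches the threshold, so the profile that survives is the download, make executable, run, scan sequence shared by the four automated intrusions; that profile is what a detector can then match against new audit records. The candidate space grows exponentially with pattern length, so on real Sebek volumes the support threshold has to be chosen with care and an incremental variant, as the abstract mentions, would avoid re-mining the whole history for each new session.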
Keywords/Search Tags: Intrusion Detection, Self-Adaptation, CORBA, Worm Anti Worm, Honeynet, Data Mining