
Research Of Intranet Protection-oriented Worm Detection And Real-time Response System

Posted on: 2008-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: W W Jiang
Full Text: PDF
GTID: 2178360212985015
Subject: Computer application technology
Abstract/Summary:
On the Internet, the variety of propagation methods and the complexity of application environments mean that worms break out much more frequently, lie latent more deeply, and cover a wider range of hosts. The threat that Internet worms pose to network security is becoming increasingly serious. Building a practical worm detection and real-time response system is an important way to find worms in an intranet and contain their spread in time.

This paper reviewed the development of the network worm and the damage caused by it. The paper introduced the Internet worm in terms of its definition, its characteristics, and how it differs from a virus. Then the research on worm detection and response techniques was summarized.

Worm propagation has a huge impact on intranet bandwidth. After studying strategies for integrating worm detection and response technology, an intranet protection-oriented worm detection and real-time response model was proposed. The model includes a detector, a management and decision-making center, an isolator, and a database. The detector monitors intranet traffic and reports abnormal data to the center. The center analyzes the abnormal data as a whole and decides how to deal with it. The isolator is an effective response system that isolates the infected host from the LAN.

After presenting the overall plan of the worm detection and real-time response model, this paper explained the model's architecture and the logical function of its components, and also described the model's working mechanism and deployment strategy. Because the generalization ability of the support vector machine (SVM) remains good when the sample size is small, an SVM-based decision algorithm was proposed in this paper, and experimental results proved its effectiveness.

On the basis of the model, this paper described the design and interaction process of the communication protocol between the various modules. The paper explained the design and system architecture of the management and decision-making center, and then explained in detail the design and implementation of its main sub-modules. The paper also described the design of the database.

A real network testing environment was built, and the worm detection and real-time response system was tested. The test results verified the correctness, real-time performance and availability of the system.

Finally, the research work was summarized and the existing problems were analyzed. Future work was proposed as well.
Keywords/Search Tags: network security, Internet worm, worm detection, worm response, Intranet, support vector machine