
The Research On Early-stage Worm Detection And Defend Algorithms

Posted on: 2008-12-20
Degree: Master
Type: Thesis
Country: China
Candidate: H W Chen
Full Text: PDF
GTID: 2178360242465291
Subject: Computer application technology
Abstract/Summary:
With the rapid growth of networks, worm attacks have become a serious problem. Because worms spread quickly and cause heavy damage, early detection is both the precondition for and the key technical challenge of worm defense. Since traditional intrusion detection systems cannot detect or defend against worms, the early-stage characteristics of worms must be studied so that efficient methods for detecting and controlling their spread can be found. This thesis focuses on early-stage worm detection and defense algorithms, with the goal of defending against worms as early as possible and reducing the damage they cause.

A spreading worm generates large numbers of ICMP type 3 (Destination Unreachable) and TCP RST packets, because most of its random probes reach unused addresses or closed ports. By analyzing these two packet types, this thesis proposes an efficient early-stage worm detection method. The method only needs to capture and analyze RST and ICMP type 3 packets rather than the whole traffic stream, which improves analysis efficiency and shortens response time. At the same time, by analyzing the worm's propagation process, which exhibits a DS-transform characteristic that distinguishes it from a manually driven scan, the method accurately identifies the addresses of the hosts infected by the worm.

Secondly, based on existing worm attack methods, this thesis proposes a host protection model built on a resource operation domain. The model starts from system resources and controls process behavior: for each process it builds a minimal set of the system resources the process is authorized to access and of the operations it may perform on them. Worm defense thereby becomes more active and more effective against unknown worms.

Based on the above analysis, a system named LEDW was built to detect worms as early as possible. The system uses a distributed architecture and runs on Linux. It was developed in C++ using libpcap, and the collected data is stored and managed in MySQL. Tested against the worm Mocbot.A in a real network, the system was shown to work well and to be usable in real-time applications. Finally, the thesis points out work that remains to be improved and potential future research.
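The following is an added example, written for this page and not the thesis's LEDW code, of the detection idea described above: inspect only the failure feedback (TCP RST and ICMP type 3) instead of all traffic, treat the destination of each failure packet as the host that sent the probe, and flag hosts that collect many failures from many distinct targets in a short window. The packet records, the window and threshold values, and the sequential-sweep heuristic used to separate a random-scanning worm from a hand-run address sweep are assumptions of this example; the page does not specify how the thesis's DS-transform criterion works. The retry case (one client repeatedly hitting a single dead service) is included because it is the classic false positive for a plain failure counter.

```python
"""Early-stage worm detection from connection-failure feedback (added example).

Records are constructed tuples: (time_s, src, dst, kind, probed).
  kind "rst"   : TCP RST sent by the probed host (src) back to the scanner (dst);
                 probed == src.
  kind "icmp3" : ICMP type 3 sent by a router (src) to the scanner (dst);
                 probed is the unreachable address taken from the IP header
                 quoted in the ICMP payload.
  other kinds  : ordinary traffic, which the detector never inspects.
"""
from collections import defaultdict
import ipaddress

# Constructed sample traffic (not a real capture).
WORM_TARGETS = ["203.0.113.7", "198.51.100.44", "192.0.2.91", "10.77.3.200",
                "172.16.9.4", "203.0.113.250", "198.51.100.3", "192.0.2.18",
                "10.200.1.1", "172.31.7.77"]
SAMPLE_PACKETS = []
# Assumed infected host 10.0.0.5: scattered random probes, half answered by RST,
# half by ICMP type 3 from the router 10.0.0.1.
for i, tgt in enumerate(WORM_TARGETS):
    if i % 2 == 0:
        SAMPLE_PACKETS.append((i * 0.5, tgt, "10.0.0.5", "rst", tgt))
    else:
        SAMPLE_PACKETS.append((i * 0.5, "10.0.0.1", "10.0.0.5", "icmp3", tgt))
# Assumed administrator host 10.0.0.9: a sequential sweep of 192.168.1.1-12.
for i in range(12):
    addr = f"192.168.1.{i + 1}"
    SAMPLE_PACKETS.append((1.0 + i * 0.3, addr, "10.0.0.9", "rst", addr))
# Assumed client 10.0.0.7: retrying one dead service, ten RSTs from one address.
for i in range(10):
    SAMPLE_PACKETS.append((2.0 + i * 0.4, "10.1.1.1", "10.0.0.7", "rst", "10.1.1.1"))
# Ordinary traffic that is skipped without being analyzed.
SAMPLE_PACKETS.append((3.0, "10.0.0.3", "10.1.1.2", "syn", ""))
SAMPLE_PACKETS.append((3.1, "10.1.1.2", "10.0.0.3", "data", ""))


def extract_feedback(packets):
    """Keep only RST and ICMP type 3 records, mapped to (time, scanner, probed)."""
    out = []
    for t, src, dst, kind, probed in packets:
        if kind == "rst":
            out.append((t, dst, src))
        elif kind == "icmp3":
            out.append((t, dst, probed))
    return out


def sequential_fraction(addrs):
    """Fraction of adjacent (sorted, distinct) addresses that differ by exactly 1.

    Close to 1.0 for a linear sweep, close to 0.0 for random scanning
    (heuristic assumed by this example).
    """
    nums = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


def detect_scanners(packets, window=10.0, min_failures=8, seq_fraction=0.5):
    """Return {scanner_host: verdict} for hosts with many failures to many targets.

    A host that accumulates failures from fewer than min_failures distinct
    targets (for example a client retrying one dead server) is not flagged.
    """
    buckets = defaultdict(list)  # (scanner, window index) -> probed addresses
    for t, scanner, probed in extract_feedback(packets):
        buckets[(scanner, int(t // window))].append(probed)
    verdicts = {}
    for (scanner, _), probed in buckets.items():
        distinct = set(probed)
        if len(probed) < min_failures or len(distinct) < min_failures:
            continue
        if sequential_fraction(distinct) >= seq_fraction:
            verdicts[scanner] = "sequential-sweep"
        else:
            verdicts[scanner] = "random-scan-worm"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(detect_scanners(SAMPLE_PACKETS).items()):
        print(f"{host}: {verdict}")
```

On the sample, 10.0.0.5 is reported as a random-scanning worm, 10.0.0.9 as a sequential sweep, and 10.0.0.7 is not reported at all despite ten failures, because they all come from one address. In a real deployment the RST and ICMP type 3 filter would be applied in the capture filter so that, as the abstract says, no other traffic has to be decoded.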
Keywords/Search Tags: Internet Worm, Early Detecting, Attack Defending, Random Scanning, Resource Operation Domain