A network worm is an automated intrusion process that achieves large-scale dissemination through scanning and through system vulnerabilities in node hosts. Network worms have become a serious threat to networks. The development of efficient and practical detection technology has therefore become a focus of academic research.

According to the typical worm intrusion and propagation model, a worm outbreak consists of a series of related security incidents. That is, if the result of one attack step is the precondition for the success of the next, then the two attacks are related and are two steps of the same attack. This paper proposes a worm detection method based on sequence-heuristic correlation technology and, by analyzing the formal process of network worm intrusion, gives general detection rules for typical network worms.

OSSIM, a well-known open-source system, is a centralized security incident management platform. It provides a correlation engine that detects different types of incidents by means of correlation rules. Association rules can be constructed as XML files. This paper studies the OSSIM architecture and correlation analysis technology in depth and presents general worm detection rules based on the sequence-heuristic correlation technique. The author carried out experiments on a DCOM worm, and the test results show that detection is more accurate and reliable when correlation rules are used on OSSIM.
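The sequence idea described above (each step's result is the precondition of the next) can be sketched as a small correlator. This is an added example, not code from the paper and not an OSSIM directive: the three-step sequence (scan, exploit, then the victim itself scanning), the event names, the 60-second timeout and the sample events are all assumptions constructed for illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts kind src dst port")
TIMEOUT = 60  # assumed maximum gap in seconds between consecutive steps

def correlate(events, timeout=TIMEOUT):
    """Alert when scan -> exploit -> outbound scan by the victim occur in order."""
    state = {}   # victim ip -> {"stage", "ts", "port", "attacker"}
    alerts = []  # (infected host, infected by, port)
    for ev in sorted(events, key=lambda e: e.ts):
        # Step 3: premise is a completed step 2 against ev.src on the same port.
        own = state.get(ev.src)
        if ev.kind == "scan" and own and own["stage"] == 2 and own["port"] == ev.port:
            if ev.ts - own["ts"] <= timeout:
                alerts.append((ev.src, own["attacker"], ev.port))
            del state[ev.src]  # one alert per infection, or drop an expired chain
        tgt = state.get(ev.dst)
        if tgt and ev.ts - tgt["ts"] > timeout:
            del state[ev.dst]  # chain against this target timed out
            tgt = None
        if ev.kind == "scan" and tgt is None:
            # Step 1: a host is probed; remember who probed it and on which port.
            state[ev.dst] = {"stage": 1, "ts": ev.ts, "port": ev.port,
                             "attacker": ev.src}
        elif ev.kind == "exploit" and tgt and tgt["stage"] == 1 \
                and (tgt["attacker"], tgt["port"]) == (ev.src, ev.port):
            # Step 2: premise is step 1 from the same attacker on the same port.
            tgt.update(stage=2, ts=ev.ts)
    return alerts

# Constructed sample events; TCP 135 is the DCOM/RPC endpoint mapper port.
SAMPLE = [
    Event(0, "scan", "10.0.0.5", "10.0.0.9", 135),
    Event(2, "exploit", "10.0.0.5", "10.0.0.9", 135),
    Event(10, "scan", "10.0.0.9", "10.0.0.20", 135),   # victim starts scanning
    Event(11, "scan", "10.0.0.9", "10.0.0.21", 135),
    Event(12, "exploit", "10.0.0.9", "10.0.0.20", 135),
    Event(15, "scan", "10.0.0.20", "10.0.0.30", 135),  # second hop
    Event(20, "scan", "10.0.0.7", "10.0.0.8", 135),    # isolated scan, no alert
    Event(30, "scan", "10.0.0.7", "10.0.0.40", 135),
    Event(31, "exploit", "10.0.0.7", "10.0.0.40", 135),
    Event(200, "scan", "10.0.0.40", "10.0.0.41", 135), # too late, chain expired
]

if __name__ == "__main__":
    for infected, source, port in correlate(SAMPLE):
        print(f"worm-like sequence: {source} -> {infected} on port {port}")
```

A single scan or a single exploit event raises nothing here; only the ordered chain does, which is why correlated alerts are fewer and more reliable than per-event alerts.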