
Research And Implementation Of Anomaly Traffic Based Worm Detection System

Posted on: 2008-05-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y Ma
Full Text: PDF
GTID: 2178360272468410
Subject: Computer system architecture
Abstract/Summary:
With the recent popularity of the Internet, worms have posed an increasingly severe threat to computer systems and networks. The traditional signature-based detection method is not suitable for detecting unknown worms, since it requires worm signatures in advance. Behavior-based detection can detect unknown worms; however, there is a trade-off between detection time and false positives. Therefore, detecting unknown worms quickly and accurately has become a pressing task.

In the eruption phase of a worm, the number of infected hosts increases sharply and produces a large amount of network traffic. Therefore, an anomaly-traffic-based worm detection system is presented. It detects worms from traffic fluctuations, so it can detect unknown worms effectively and give early warning in the epidemic phase.

The system collects traffic with NetFlow. It does not inspect packet contents but obtains flow information directly, which reduces the demand on system resources and improves efficiency. The system then detects worms with a detection algorithm based on a dynamic traffic baseline. This algorithm monitors several destination ports and confirms anomalous traffic against the baseline of normal traffic. Then, using the TOP N data of NetFlow, infected hosts are located. To reduce false positives, the detection algorithm updates the traffic baseline dynamically according to the actual traffic, so that even when the network reaches a peak and normal traffic increases suddenly, it does not exceed the critical value. In addition, the traffic records are stored in an adaptive hash bucket: records for different ports are placed in different linked lists, ordered by decreasing traffic value. As a result, each thread only needs to manage its own linked list, and the efficiency of the detection algorithm is improved.
After worms are detected, the system issues alarms of different levels and adopts active defensive measures, namely firewall linkage and router ACLs, to mitigate the ongoing worm attack and restrain the large-scale spread of network worms.

Finally, the system is tested in a simulated environment. The results show that it can detect unknown worms accurately and in time.
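As an added illustration, not code from the thesis, the following Python sketch implements the detection step described above under assumed choices: a per-destination-port baseline kept as an EWMA mean and variance, a k-sigma threshold with a minimum band width, and a TOP N list of source hosts by flow count. The record format (src_ip, dst_port, flow_count) and the sample intervals are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class PortBaseline:  # adaptive baseline of one destination port (assumed EWMA mean/variance)
    mean: float = 0.0
    var: float = 0.0
    samples: int = 0

class DynamicBaselineDetector:
    """Per-port surge detector over NetFlow-style records (src_ip, dst_port, flow_count)."""
    def __init__(self, alpha=0.2, k=3.0, warmup=3, min_std_frac=0.1, top_n=3):
        self.alpha, self.k, self.warmup, self.min_std_frac, self.top_n = alpha, k, warmup, min_std_frac, top_n
        self.baselines = defaultdict(PortBaseline)  # one bucket per monitored port
    def process_interval(self, records):
        """Aggregate one interval; return [(port, total, top_n_sources)] for anomalous ports."""
        per_port = defaultdict(lambda: defaultdict(int))
        for src, dport, flows in records:
            per_port[dport][src] += flows
        alerts = []
        for dport, srcs in per_port.items():
            total, b = sum(srcs.values()), self.baselines[dport]
            std = max(b.var ** 0.5, self.min_std_frac * b.mean)  # floor avoids a zero-width band
            if b.samples >= self.warmup and total > b.mean + self.k * std:
                # TOP N sources by descending flow count point at the likely infected hosts
                top = sorted(srcs.items(), key=lambda kv: kv[1], reverse=True)[:self.top_n]
                alerts.append((dport, total, top))
                continue  # an anomalous interval is not folded into the baseline
            if b.samples == 0:
                b.mean = float(total)
            else:  # normal interval: adapt so legitimate peaks raise the baseline over time
                diff = total - b.mean
                incr = self.alpha * diff
                b.mean += incr
                b.var = (1 - self.alpha) * (b.var + diff * incr)
            b.samples += 1
        return alerts

# Constructed sample intervals (not real traffic): three quiet intervals, then a surge on 445
NORMAL_INTERVALS = [
    [("10.0.0.1", 445, 10), ("10.0.0.2", 80, 50)],
    [("10.0.0.1", 445, 7), ("10.0.0.3", 445, 5), ("10.0.0.2", 80, 55)],
    [("10.0.0.1", 445, 11), ("10.0.0.2", 80, 52)],
]
WORM_INTERVAL = [("10.0.0.21", 445, 80), ("10.0.0.22", 445, 70), ("10.0.0.23", 445, 50),
                 ("10.0.0.1", 445, 5), ("10.0.0.2", 80, 53)]

def run_demo():
    det = DynamicBaselineDetector()
    quiet = [det.process_interval(iv) for iv in NORMAL_INTERVALS]
    return quiet, det.process_interval(WORM_INTERVAL)
```

Port 80 stays within its band during the surge interval, while port 445 exceeds its adapted baseline and the three heaviest sources are reported as the hosts to investigate.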
Keywords/Search Tags: Network Worm, Worm Detection, Anomaly Traffic, Dynamic Traffic Baseline