Research On Detection Methods Of Abnormal Scan Based On Danger Theory

Posted on: 2010-03-21
Degree: Master
Type: Thesis
Country: China
Candidate: K Y Wang
GTID: 2178360272485269
Subject: Computer application technology
Abstract/Summary:
With the popularization of the Internet, the threat that rapidly spreading Internet worms pose to network security is becoming increasingly serious. Fast-propagating network worms usually use a network scanning module to probe information about a remote or local host, so network scanning is a prerequisite for a worm's rapid spread. The traditional immune algorithm is not well suited to intrusion detection, suffering from problems such as low efficiency and high computational complexity. This paper therefore introduces a new immune model, Danger Theory, and combines it with the characteristics of worm scanning to give a systematic study of worm scanning. The main contents are as follows:

This paper analyzes the principles and technologies of network scanning, summarizes the strategies and characteristics of worm scanning, and analyzes worm detection methods and their problems. It summarizes three models of artificial immune systems, examines the problems of applying the traditional artificial immune system model to intrusion detection, and identifies the advantages of Danger Theory.

On the basis of the Dendritic Cell algorithm of Danger Theory and the characteristics of worm scanning, this paper proposes a worm detection model based on the Dendritic Cell algorithm. The experimental results show that the model can detect known and unknown worms in real time, with high efficiency, low load and a low false positive rate.

On the basis of the Toll-like receptor algorithm of Danger Theory, the characteristics of worm scanning and the payload of worm packets, this paper proposes a worm detection model based on the Toll-like receptor algorithm. This model uses artificial neural networks for anomaly detection of worms based on their scanning behaviors, and additionally uses the Toll-like receptor algorithm for misuse detection of worms based on the payload of their packets. The model combines the characteristics of worm scanning behaviors and worm packet payloads to detect worms effectively.
Keywords/Search Tags:dendritic cell algorithm, toll-like receptor algorithm, network scanning, worm detection, danger theory