
Research Of Automatically Generating Worm's Attack Signatures Based On Honeypots

Posted on: 2008-01-01
Degree: Master
Type: Thesis
Country: China
Candidate: W J Li
Full Text: PDF
GTID: 2178360272969858
Subject: Computer system architecture
Abstract/Summary:
Internet worms continue to cause great damage through their fast and varied propagation modes and their wide reach. The prevalent intrusion detection systems for Internet worms are based on misuse detection, so their detection capability depends on the number and quality of their attack signatures. Because the traditional practice of extracting worm signatures by hand cannot keep pace with new worms, research into automatic signature extraction is very valuable. A honeypot is a closely monitored network decoy with several special characteristics: the traffic observed at a honeypot is far less than at a gateway, most of it is malicious, and the negligible amount of normal traffic is easily separated from the malicious traffic. Building on this, a Bayes method for distinguishing worm traffic in honeypots is presented. In this method, all traffic seen by a honeypot is scored on five observed parameters: number of visits, maximum visit frequency, visit range, port risk and average payload. Worm attacks are classified into four types (network scan, flash scan, buffer overflow and backdoor), and the method first derives the statistical profile of these parameters for each type. Each connection's Bayes score is then computed by comparing its parameters against these profiles; the score of worm traffic should exceed a threshold. By combining these two techniques, interference from noise is reduced and the extracted characteristic segments become more precise. Because the available extraction algorithms are limited, the Needleman-Wunsch sequence-alignment algorithm from bioinformatics is proposed. Needleman-Wunsch, based on dynamic programming, searches for the most closely related alignment between two sequences or chains of elements. The algorithm's tendency to fragment the alignment into short segments is overcome by adding an excitation function that favours long characteristic segments, so that it meets the requirements of worm signature extraction.
Abandoning disturbed (noisy) sequences during multi-sequence alignment guarantees the convergence speed, and wildcards are introduced to preserve the worm's characteristics at a favourable application cost. Using the worm-detection technique together with the signature-extraction technique, a real-time signature extraction system is designed and developed. To test its practical capability, three known vulnerabilities are used to simulate worm attacks and sample data are employed for sample testing. Finally, the remaining problems are analyzed and directions for further research are outlined.
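The abstract describes a Needleman-Wunsch alignment extended with an excitation function that keeps long matched segments, wildcards between those segments, and abandonment of disturbed sequences during multi-sequence alignment. The following Python is an added illustration of that pipeline and is not code from the thesis: the scoring constants, the length-squared excitation function with a minimum run length, the progressive pairwise alignment of the growing segment list against each new payload, and the rule that a payload sharing no qualifying segment is abandoned are all assumptions made here. The payloads are constructed samples with a shared invariant byte sequence, not real worm traffic.

```python
from typing import List, Optional, Tuple

# Scoring scheme for the alignment (assumed values; the thesis does not state its own).
MATCH, MISMATCH, GAP = 2, -1, -2

Pair = Tuple[Optional[int], Optional[int]]  # (index in a, index in b); None marks a gap


def needleman_wunsch(a: bytes, b: bytes) -> List[Pair]:
    """Global alignment of two byte strings by dynamic programming.

    Returns the aligned position pairs in order; a None on either side is a gap.
    """
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * GAP
    for j in range(1, m + 1):
        score[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            score[i][j] = max(score[i - 1][j - 1] + sub,
                              score[i - 1][j] + GAP,
                              score[i][j - 1] + GAP)
    # Traceback from the bottom-right corner, preferring substitutions over gaps.
    pairs: List[Pair] = []
    i, j = n, m
    while i > 0 or j > 0:
        if i > 0 and j > 0:
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            if score[i][j] == score[i - 1][j - 1] + sub:
                pairs.append((i - 1, j - 1))
                i -= 1
                j -= 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + GAP:
            pairs.append((i - 1, None))
            i -= 1
        else:
            pairs.append((None, j - 1))
            j -= 1
    pairs.reverse()
    return pairs


def matched_runs(a: bytes, b: bytes, pairs: List[Pair]) -> List[bytes]:
    """Split an alignment into its maximal runs of identical, gap-free bytes."""
    runs, cur = [], bytearray()
    for i, j in pairs:
        if i is not None and j is not None and a[i] == b[j]:
            cur.append(a[i])
        elif cur:
            runs.append(bytes(cur))
            cur = bytearray()
    if cur:
        runs.append(bytes(cur))
    return runs


def excitation(run_len: int, min_len: int = 4) -> int:
    """Reward for a run (assumed form): grows with the square of its length, zero below min_len,
    so long invariant segments dominate and short accidental matches are discarded."""
    return run_len * run_len if run_len >= min_len else 0


def build_signature(payloads: List[bytes], min_len: int = 4) -> Tuple[bytes, int]:
    """Progressively align payloads into a wildcard signature.

    Segments kept so far are each aligned with the next payload; only runs with a
    positive excitation survive. A payload that shares no qualifying run with the
    current segments is treated as a disturbed sequence and abandoned (assumed rule).
    Returns (signature with b'*' wildcards between segments, number of abandoned payloads).
    """
    segments = [payloads[0]]
    abandoned = 0
    for p in payloads[1:]:
        kept = []
        for seg in segments:
            for run in matched_runs(seg, p, needleman_wunsch(seg, p)):
                if excitation(len(run), min_len) > 0:
                    kept.append(run)
        if not kept:
            abandoned += 1
            continue
        segments = kept
    return b"*".join(segments), abandoned


# Constructed sample payloads: a request prefix, a variable filler, a fixed byte sequence
# standing in for the invariant part of an attack, and a trailing protocol string.
INVARIANT = b"\xde\xad\xbe\xef\xca\xfe"
P1 = b"GET /cgi-bin/x?" + b"A" * 20 + INVARIANT + b" HTTP/1.0"
P2 = b"GET /cgi-bin/y?" + b"B" * 24 + INVARIANT + b" HTTP/1.0"
NOISE = bytes(range(1, 9)) * 3          # constructed unrelated traffic
P3 = b"GET /cgi-bin/zz?" + b"C" * 18 + INVARIANT + b" HTTP/1.1"

if __name__ == "__main__":
    sig, dropped = build_signature([P1, P2, NOISE, P3])
    print(sig, "abandoned:", dropped)
```

The filler bytes never align as matches, so they fall out of the signature, while the shared request prefix and the invariant byte sequence survive as separate segments joined by a wildcard; the unrelated payload is abandoned rather than allowed to erode the signature.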
Keywords/Search Tags: Internet worms, Honeypot, Automatic signature extraction, Bayes method, Improved Needleman-Wunsch algorithm, Multi-sequence alignment algorithm