The Design And Implementation Of The Real-Time Worm Detection System Based On Bloom Filter

Posted on: 2009-06-13
Degree: Master
Type: Thesis
Country: China
Candidate: X G Wang
Full Text: PDF
GTID: 2178360278957127
Subject: Computer technology

Abstract/Summary:
As network technology becomes more widely used, more and more network attacks appear. In the future, network worms will be the most destructive attacks among all security events. In fact, the number of worms being created has been increasing. Once a worm takes control of a victim host, it can do almost anything it wants. In short, worms have become a serious security problem. In practice, at least for now, we cannot guarantee that vulnerabilities will never occur and be exploited by worm authors. Current anti-virus software can remove known worms using signature-specific scanners, which are effective against known ordinary viruses, but it can do little against unknown worms.

The key problems in worm detection include analyzing a worm's workflow, behavioral characteristics and propagation pattern. The spreading process and propagation pattern of worms follow certain rules. If we understand these rules, we can take effective measures against worm attacks. This thesis studies the propagation pattern and functional structure model of worms in depth, and then designs a real-time worm detection system.

The main achievements and innovations of this thesis are as follows.

(1) We study the Bloom Filter in depth, in particular its hash functions and the computation and verification of its false positive probability. Based on its high query performance, zero false negative probability and quantifiable false positive probability, we point out that the Bloom Filter can be used for worm signature detection.

(2) We propose a scheme for real-time worm detection, the Worm Detection System. The system is based on a content connection analysis method, and we thoroughly analyze the design of its core detection hardware accelerator card.

Finally, taking the current internal FPGA resource conditions into account, we thoroughly analyze the Bloom Filter implementation scheme that the WDHA network card might use, and evaluate its false positive probability.

The results of this research on applying the Bloom Filter to worm signature detection and on defending against unknown worms have a certain reference value.
Keywords/Search Tags:Worm, Computer virus, Bloom Filter, Detection in Real-time
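
The Bloom Filter properties named in item (1), shown as an added software sketch that is not code from the thesis: a Bloom Filter pre-filters fixed-length payload windows, never misses an inserted signature, and has a false positive rate that can be computed and then removed by an exact lookup. The 8-byte signature length, the SHA-256 double hashing, the filter sizes and the sample signatures are assumptions made here; the thesis itself targets an FPGA accelerator card.

```python
import hashlib
import math

SIG_LEN = 8  # assumed fixed signature length in bytes (not from the thesis)

class BloomFilter:
    def __init__(self, m_bits, k_hashes):
        self.m, self.k, self.n = m_bits, k_hashes, 0
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        # Double hashing over one SHA-256 digest: g_i = h1 + i*h2 (mod m)
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.n += 1

    def __contains__(self, item):
        return all(self.bits[p >> 3] >> (p & 7) & 1 for p in self._positions(item))

    def expected_fp_rate(self):
        # Standard approximation p = (1 - e^(-k*n/m))^k
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k

def build_filter(signatures, m_bits=1024, k_hashes=4):
    bf = BloomFilter(m_bits, k_hashes)
    for sig in signatures:
        bf.add(sig)
    return bf

def scan(payload, bloom, exact):
    """Return (confirmed hits, Bloom false positives) for every SIG_LEN window."""
    confirmed, false_pos = [], 0
    for off in range(len(payload) - SIG_LEN + 1):
        window = payload[off:off + SIG_LEN]
        if window in bloom:          # cheap membership pre-filter
            if window in exact:      # exact lookup discards false positives
                confirmed.append((off, window))
            else:
                false_pos += 1
    return confirmed, false_pos

# Constructed sample signatures, for illustration only
SIGNATURES = {b"SIG-AAAA", b"SIG-BBBB"}
```
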