Research And Implementation Of Network-based P2P Worm Detection System

Posted on: 2009-12-03
Degree: Master
Type: Thesis
Country: China
Candidate: S L Ai
GTID: 2178360308979096
Subject: Computer application technology

Abstract/Summary:
As a distributed network communication technology with high performance and high extensibility, P2P has been widely used in file sharing, instant messaging, network television, network telephony, and similar fields. All nodes in a P2P network can directly share, retrieve and access all kinds of resources with one another. However, the convenient exchange platform that P2P provides also contributes to the fast propagation of worms.

This paper discusses a network-based detection method for P2P worms, which mainly includes: a study of the definition of the P2P worm and its propagation characteristics; an analysis of network packet capture based on Libpcap; and the design of a filtering method for P2P packets. Taking the BT protocol as an example, the filtering method for BT packets is described, and signature matching for worms is implemented. In a comparison of several substring matching algorithms, the suffix array algorithm stands out for its simple structure, high efficiency and low time complexity. The recombination mechanism of P2P data makes it possible for a signature to be divided across different blocks, yet the signature recombination method is able to detect such worms. This paper also covers the design of detection rules for unknown P2P worms and the updating of the worm signature library for future detection.

First, the research background and significance are introduced, followed by the related theories and technologies adopted. Second, the design and implementation of the system are discussed, including packet capture, filtering of P2P data, signature matching, recombination, and detection of unknown P2P worms. Third, the system's feasibility and real-time character are demonstrated through system testing. Finally, directions and methods for future worm research are presented.
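The sketch below illustrates the two ideas the abstract combines: suffix-array substring matching, and why a signature split across transfer blocks is only found after the blocks are recombined. It is an added example, not code from the thesis; the signature names and bytes, the 16-byte block size, the arrival order, and the naive suffix-array construction are all assumptions made for the demonstration.

```python
# Added illustration, not code from the thesis. Signature names, signature
# bytes and block contents are constructed sample values.
from typing import Dict, List

def build_suffix_array(data: bytes) -> List[int]:
    # Naive construction (sort all suffixes); fine for a small demo buffer.
    return sorted(range(len(data)), key=lambda i: data[i:])

def find_all(data: bytes, sa: List[int], pattern: bytes) -> List[int]:
    """Offsets of pattern in data, found by binary search over the suffix array."""
    m = len(pattern)
    if m == 0:
        return []
    def bound(strict: bool) -> int:
        lo, hi = 0, len(sa)
        while lo < hi:
            mid = (lo + hi) // 2
            prefix = data[sa[mid]:sa[mid] + m]
            if prefix < pattern or (strict and prefix == pattern):
                lo = mid + 1
            else:
                hi = mid
        return lo
    return sorted(sa[bound(False):bound(True)])

def scan(data: bytes, signatures: Dict[str, bytes]) -> Dict[str, List[int]]:
    sa = build_suffix_array(data)          # built once, reused for every signature
    hits = {name: find_all(data, sa, sig) for name, sig in signatures.items()}
    return {name: offs for name, offs in hits.items() if offs}

def scan_per_block(blocks: Dict[int, bytes], signatures: Dict[str, bytes]) -> set:
    # Each block is inspected alone, so a signature cut by a boundary is missed.
    return {name for blk in blocks.values() for name in scan(blk, signatures)}

def scan_reassembled(blocks: Dict[int, bytes], signatures: Dict[str, bytes]):
    # Blocks may arrive out of order: join them by index before matching.
    # Assumes all indices are present and contiguous.
    data = b"".join(blocks[i] for i in sorted(blocks))
    return scan(data, signatures)

SIGNATURES = {"sample-sig-A": b"EXAMPLE-SIGNATURE-BYTES", "sample-sig-B": b"INBLOCK"}
BLOCK_SIZE = 16
_stream = b"A" * 20 + SIGNATURES["sample-sig-A"] + b"B" * 7 + SIGNATURES["sample-sig-B"] + b"C" * 7
# Constructed arrival order 2, 0, 3, 1; sample-sig-A straddles blocks 1 and 2.
BLOCKS = {i: _stream[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE] for i in (2, 0, 3, 1)}

if __name__ == "__main__":
    print("per block:  ", sorted(scan_per_block(BLOCKS, SIGNATURES)))
    print("reassembled:", scan_reassembled(BLOCKS, SIGNATURES))
```

Per-block scanning reports only the signature that lies wholly inside one block, while the reassembled scan reports both, with offsets into the recombined stream.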
Keywords/Search Tags: P2P worm, worm detection, suffix array, substring matching, signature extraction