
The Detection Of Malicious Code Based On Flow Feature

Posted on: 2011-03-18
Degree: Master
Type: Thesis
Country: China
Candidate: Z L Wang
Full Text: PDF
GTID: 2198330332469427
Subject: Computer application technology
Abstract/Summary:
With the rapid development of Internet technology, network equipment and computers have penetrated deeply into government offices, businesses and homes. At the same time, many computer users, and even network administrators, have weak security skills and cannot protect their hosts and networks effectively, while the threats to networks grow ever more serious. Ensuring the security of computer networks is therefore a challenging task.

Botnets, viruses and worms are the malicious code found on today's networks. The traditional detection method, which inspects the application-layer payload, cannot examine encrypted payloads, cannot discover newly emerging malicious code, cannot keep up at Gbit/s rates, and cannot retain historical data for long periods. It also requires substantial prior knowledge of the malicious code, so given how quickly malicious code is updated today, it lags behind noticeably. In this thesis we propose detecting malicious code from flow features, which makes up for those deficiencies; flow export is standardized (RFC 3917) and supported by many network equipment vendors, so the method can be tested in a real environment.

The NetFlow data used in this thesis was collected from the core router of a campus network. By analyzing it we found more than ten kinds of network vulnerability, three kinds of worm, one kind of botnet, and further abnormal flow features that we could not attribute with certainty. We also implemented graphical statistics of flow features, including the distribution of commonly used protocols, the top N hosts by two-way traffic, the top N hosts by outbound SYN connections, TCP flag statistics for the campus network, and real-time campus traffic.

From these results we can tell when an anomaly occurred in the campus network and then analyze the flow data further to determine what kind of abnormal traffic it was. Experiments in a real environment show that detecting malicious code from flow features is feasible and effectively compensates for the deficiencies of application-layer payload detection.
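The statistics listed above (protocol distribution, top-N hosts by two-way traffic, top-N hosts by outbound SYN connections, TCP flag counts) are computed below over a small set of flow records, together with the simple fan-out rule that turns the outbound-SYN ranking into a scanning-worm detector. This is an added example written for this page, not code or data from the thesis. It assumes a simplified CSV export layout (src,dst,proto,sport,dport,packets,bytes,tcp_flags), a campus prefix of 10.1.0.0/16, and the threshold in suspected_scanners(); the flow records are constructed, not captured.

```python
"""Flow-feature statistics over NetFlow-style records (added example, not the
thesis's code). Assumed: a simplified CSV layout, the campus prefix
10.1.0.0/16, and the fan-out threshold in suspected_scanners()."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample export (not real campus data). Flags are the cumulative
# TCP flags seen in the flow: S=SYN, A=ACK, P=PSH, R=RST, F=FIN.
SAMPLE_FLOWS = """\
src,dst,proto,sport,dport,packets,bytes,tcp_flags
10.1.1.5,203.0.113.10,tcp,50123,80,12,9000,SPA
203.0.113.10,10.1.1.5,tcp,80,50123,10,42000,SPA
10.1.1.5,203.0.113.11,udp,5353,53,2,180,
10.1.2.9,198.51.100.1,tcp,40001,445,1,60,S
10.1.2.9,198.51.100.2,tcp,40002,445,1,60,S
10.1.2.9,198.51.100.3,tcp,40003,445,1,60,S
10.1.2.9,198.51.100.4,tcp,40004,445,1,60,S
10.1.2.9,198.51.100.5,tcp,40005,445,1,60,S
10.1.3.3,10.1.3.4,tcp,3333,22,8,1200,SPA
10.1.3.3,192.0.2.7,icmp,0,0,4,256,
"""

CAMPUS = ipaddress.ip_network("10.1.0.0/16")  # assumed campus address range

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    nbytes: int
    flags: str

def parse_flows(text):
    """Parse the simplified CSV export; the first line is a header."""
    flows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        src, dst, proto, sport, dport, pkts, nbytes, flags = line.split(",")
        flows.append(Flow(src, dst, proto, int(sport), int(dport),
                          int(pkts), int(nbytes), flags))
    return flows

def is_campus(ip):
    return ipaddress.ip_address(ip) in CAMPUS

def protocol_distribution(flows):
    """Bytes carried per transport protocol."""
    dist = Counter()
    for f in flows:
        dist[f.proto] += f.nbytes
    return dict(dist)

def top_bidirectional_traffic(flows, n=3):
    """Top-N campus hosts by bytes sent plus bytes received."""
    total = Counter()
    for f in flows:
        if is_campus(f.src):
            total[f.src] += f.nbytes
        if is_campus(f.dst):
            total[f.dst] += f.nbytes
    return total.most_common(n)

def syn_only_external(flows):
    """Campus->external TCP flows that never got past SYN: connection
    attempts that were refused, filtered or aimed at absent hosts."""
    for f in flows:
        if (f.proto == "tcp" and f.flags == "S"
                and is_campus(f.src) and not is_campus(f.dst)):
            yield f

def top_external_syn(flows, n=3):
    """Top-N campus hosts by SYN-only connection attempts to external hosts."""
    return Counter(f.src for f in syn_only_external(flows)).most_common(n)

def tcp_flag_stats(flows):
    """How often each TCP flag appears across all TCP flows."""
    stats = Counter()
    for f in flows:
        if f.proto == "tcp":
            stats.update(f.flags)
    return dict(stats)

def suspected_scanners(flows, min_distinct_dst=5):
    """Hosts whose SYN-only external attempts fan out to at least
    min_distinct_dst destinations, as (host, destinations, dominant port).
    Many half-open attempts to one port across many hosts is the flow-level
    signature of a scanning worm; no payload inspection is needed."""
    dsts = defaultdict(set)
    ports = defaultdict(Counter)
    for f in syn_only_external(flows):
        dsts[f.src].add(f.dst)
        ports[f.src][f.dport] += 1
    return [(h, len(d), ports[h].most_common(1)[0][0])
            for h, d in dsts.items() if len(d) >= min_distinct_dst]
```

Calling `suspected_scanners(parse_flows(SAMPLE_FLOWS))` on the constructed records reports 10.1.2.9, which sent five SYN-only flows to five distinct external hosts on port 445, while the large HTTP transfer from 10.1.1.5 tops the two-way traffic ranking without triggering the scan rule. The threshold of five destinations is only workable on this toy input; on a real core-router export it should be set from the observed per-host baseline, and the detection does not distinguish a worm from a deliberate port scan.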
Keywords/Search Tags:Malware, Flow Feature, NetFlow, Abnormal