
Zero-day Attacks Polymorphic Worm Detection Model

Posted on: 2012-03-29
Degree: Master
Type: Thesis
Country: China
Candidate: G F Li
Full Text: PDF
GTID: 2208330335971173
Subject: Computer application technology
Abstract/Summary:
The defining feature of Internet worms is that they exploit a variety of vulnerabilities to propagate automatically. Compared with ordinary viruses, Internet worms spread faster, are more destructive, and are harder to remove, so they have become one of the greatest threats to Internet security. Because a Zero-day polymorphic worm uses metamorphic techniques and targets Zero-day vulnerabilities, it can evade existing IDSes in a short time. Detecting Zero-day polymorphic worms quickly and effectively, and generating signatures for them, is therefore an important research direction in network security.

Building on a study of the attack behaviour of Zero-day polymorphic worms, this thesis analyses the strengths and weaknesses of existing Intrusion Detection Systems (IDS) and then presents a detection model for Zero-day polymorphic worms. The model handles suspicious traffic in three steps: first, the Argos system captures suspicious traffic; second, a Bayes method filters that suspicious traffic; finally, a purpose-built system generates attack signatures. The end of the thesis discusses an automatic signature generation algorithm for Zero-day polymorphic worms, describes the prototype system that implements it, and verifies the validity of the model experimentally.

The main work of this thesis covers the following:
(1) It surveys Internet worm technology, Zero-day vulnerabilities, the principles of Zero-day attacks, code obfuscation techniques, polymorphic shellcode techniques and related topics, and analyses the strengths and weaknesses of existing Intrusion Detection Systems (IDS).
(2) The proposed model is based on an automatic detection system built on emulated execution. Detection follows the idea of dynamic taint analysis, and a Bayes method filters the suspicious traffic that Argos has captured, reducing the system's false alarm rate.
(3) A prototype system was implemented. It combines detection based on dynamic emulation with static signature generation; it can generate signatures for Zero-day polymorphic worms and measure both the false negative rate and the false alarm rate.
(4) The feasibility and effectiveness of the model are verified by experiments.
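As an added illustration of the filter and signature steps of the model described above (this is example code, not the thesis's prototype), the block below runs a Bernoulli naive Bayes filter over byte n-grams and then extracts the invariant substring shared by all flagged flows as a content signature. The worm and benign flows are constructed for the example, and the Argos capture stage is assumed to have already produced the flagged flows.

```python
import math
from collections import Counter

# Constructed samples (not from the thesis): three flagged flows with a shared
# request prefix and 3-byte decoder stub but different polymorphic bodies,
# plus a pool of ordinary benign requests for the classifier to learn from.
WORM = [
    b"GET /cgi-bin/x.pl?q=\xeb\x0e\x5e" + b"\x41\x77\x03\x1c\xa9",
    b"GET /cgi-bin/x.pl?q=\xeb\x0e\x5e" + b"\x9f\x12\xd4\x66\x08",
    b"GET /cgi-bin/x.pl?q=\xeb\x0e\x5e" + b"\x2b\xe1\x53\xc7\x90",
]
BENIGN = [
    b"GET /index.html HTTP/1.1",
    b"GET /cgi-bin/search.pl?q=worms HTTP/1.1",
    b"POST /login HTTP/1.1",
]

def ngrams(payload, n=3):
    """Set of byte n-grams in a payload (presence only, Bernoulli model)."""
    return {payload[i:i + n] for i in range(len(payload) - n + 1)}

def train(worm, benign):
    """Bernoulli naive Bayes over n-grams with Laplace smoothing."""
    wc = Counter(g for p in worm for g in ngrams(p))
    bc = Counter(g for p in benign for g in ngrams(p))
    return {g: ((wc[g] + 1) / (len(worm) + 2), (bc[g] + 1) / (len(benign) + 2))
            for g in set(wc) | set(bc)}

def log_odds(model, payload):
    """log P(worm|x) - log P(benign|x) with equal priors; > 0 means worm."""
    present = ngrams(payload)
    total = 0.0
    for g, (pw, pb) in model.items():
        if g in present:
            total += math.log(pw) - math.log(pb)
        else:
            total += math.log(1 - pw) - math.log(1 - pb)
    return total

MODEL = train(WORM, BENIGN)

def invariant_signature(worm, benign, min_len=3):
    """Maximal substrings present in every worm sample and in no benign one:
    the part the polymorphic engine cannot change (framing plus decoder stub)."""
    base = worm[0]
    cands = {base[i:j] for i in range(len(base))
             for j in range(i + min_len, len(base) + 1)
             if all(base[i:j] in w for w in worm)
             and not any(base[i:j] in b for b in benign)}
    return sorted(c for c in cands if not any(c != d and c in d for d in cands))
```

Note that the shorter prefix `GET /cgi-bin/` is rejected as a signature because it also occurs in benign traffic; only the region up to and including the decoder stub survives.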
Keywords/Search Tags: Intrusion Detection System (IDS), Zero-day attack, polymorphic worm, Argos, signature generation, Bayes