Research, Development and Implementation of Detection Technology for Worms That Spread via Vulnerabilities

Posted on: 2008-05-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Kang
Full Text: PDF
GTID: 2208360215950130
Subject: Computer system architecture
Abstract/Summary:
With the growing use of the internet, the threat that internet worms pose to the security of computer systems and networks is increasing day by day. Internet worms have become the most prominent problem facing computer users. Their spread not only consumes the majority of a computer's system resources but also occupies network bandwidth, causing serious congestion and paralysis of the target system. At present, internet worms mostly attack by exploiting software vulnerabilities. Meanwhile, the spread of hacking techniques and the falling difficulty of developing worms have shortened the period from the discovery of a vulnerability to the appearance of an exploit and finally to a large-scale outbreak, while the time needed for containment and cleanup is getting longer. How to detect, predict and handle internet worms has become an important subject in computer and network security research.

The thesis begins by introducing some notorious internet worms, defining them according to their behavior and distinguishing them from traditional computer viruses. It then explains the workflow, functional structure, behavioral characteristics and development trends of internet worms, and presents a classification based on how worms spread. The research fields concerned with internet worms are also summarized. Afterwards, the propagation strategies, characteristics, means and attack methods of worms that spread through vulnerabilities are analyzed, as the basis for detecting such worms.

Traditional worm detection relies mainly on pattern matching, which requires the signature database to be updated continuously. A new worm may, however, intrude into a user's system before its signature has been added, so the need to shorten this window is obvious. Anti-virus software vendors create worm signatures using anomaly detection. However, these approaches all require heavy resources that the network environments of small organizations are unable to offer.

This dissertation discusses a honeypot-based, lightweight worm detection technology. It uses a small amount of resources to detect worms in network traffic by recognizing similarity during worm propagation, and it creates signatures for the pattern-matching engine. In addition, a method is proposed for detecting new worms by counting TCP SYN packets and UDP packets.

Based on the methods above, a detection system suitable for small-scale networks is designed and implemented. It consists of three sub-systems: a signature detection sub-system, a honeypot sub-system and an anomaly sub-system. The system has been tested and confirmed.

Finally, the present work is summarized and prospects for future work are put forward.
Keywords/Search Tags: worm, vulnerability, worm detection, honeypot, anomaly detection