
The Network Worm Detection Technology And Systems To Achieve

Posted on: 2009-03-29
Degree: Master
Type: Thesis
Country: China
Candidate: X D Li
Full Text: PDF
GTID: 2208360245961009
Subject: Computer application technology
Abstract/Summary:
With the rapid development of Internet technology, network transfer rates are increasing quickly and network applications are becoming more complex, which makes the network worm an important threat to network system security. From the first network worm, Morris, in 1988 to the ANI worm that has spread wildly in recent times, CERT statistics report that Internet security incidents increase exponentially every year, especially in recent years. The main reason worms do so much damage to the network is that they spread explosively. Propagation usually has three phases: slow-beginning, fast-spreading and slow-ending. The worm spreads very slowly at the beginning of the infection, then spreads faster and faster as time goes by, and finally the spreading rate slows down when the number of victim hosts decreases. It follows that worm spreading can be stopped and controlled effectively only in the slow-beginning phase. How to discover the worm and find the right place to stop and control its spread is a difficult and challenging research task.

This paper focuses on early-warning methods for the slow-beginning spreading phase. First, it summarizes current worm research at home and abroad and explains why studying worms is necessary. Second, it analyses worm activity, including the definition of a worm, its behavior model and its attack process, and analyses current worm hiding techniques in depth. It then summarizes current worm detection and response technology. Based on this research, it describes a new signature-generation system that differs from traditional syntactic or semantic methods. It focuses on vulnerability signatures, which do not change during a worm attack. It adopts virtual execution technology and will be a new research task in the future.

Building on the preceding research, we propose a complete solution for fast worm detection and response, and design and implement a network worm early-warning system. The system combines misuse and anomaly techniques, and adopts the DSC algorithm, which counts the total number of TCP RESET packets, to detect worms in the early spreading phase. We also adopt protocol-based signature matching to detect known worms. Because it can differentiate anomalous scanning behavior from normal behavior, it leads to better worm detection results. Meanwhile, for the early-warning system's own security, the system uses SSL communication and registers itself as a Windows service, which ensures that it can detect worms when the computer reboots or before a user logs in. This paper describes in detail the implementation of the communication module, detection module and response module.

Finally, we use Symantec's free Worm Simulator software to simulate worm outbreak behavior and test the early-warning system in our lab environment, and complete a function testing report and a performance testing report. According to the reports, the network worm early-warning system can effectively detect early worm behavior in a local area network. This shows that the system's performance has improved to a certain extent and that it has practical value. The paper closes with a summary of the present work and an outlook on future work.
Keywords/Search Tags: network worm, anomaly detection, signature generation, early-warning system
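
A simplified illustration of the RST-counting idea mentioned in the abstract, added here and not taken from the thesis. It is not the DSC algorithm itself: the record format, the 10-second window, the threshold of 5 distinct responders and the sample packets are all assumptions constructed for this example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10        # assumed sliding-window length
DISTINCT_RST_PEERS = 5     # assumed alert threshold


def detect_rst_scanners(packets, window=WINDOW_SECONDS, threshold=DISTINCT_RST_PEERS):
    """Flag hosts whose connection attempts are refused by many distinct peers.

    packets: time-ordered tuples (timestamp, src_ip, dst_ip, tcp_flags).
    A RST sent from B to A means A's attempt to reach B was refused, so the
    RST is counted against A (the packet's destination).
    Returns {host: timestamp of first alert}.
    """
    recent = defaultdict(deque)   # host -> (timestamp, peer that sent the RST)
    alerts = {}
    for ts, src, dst, flags in packets:
        if "R" not in flags:
            continue
        q = recent[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > window:   # drop RSTs older than the window
            q.popleft()
        # Counting distinct peers, not raw RSTs, keeps one flaky server from
        # making a normal client look like a scanner.
        if dst not in alerts and len({peer for _, peer in q}) >= threshold:
            alerts[dst] = ts
    return alerts


def build_sample():
    """Constructed traffic for the example (not data from the thesis)."""
    pkts = []
    for i in range(8):    # fast scanner: refused by 8 different hosts in 8 s
        pkts.append((1 + i, f"10.0.0.{20 + i}", "10.0.0.5", "RA"))
    for i in range(6):    # normal client: repeated RSTs from a single server
        pkts.append((1 + i, "10.0.0.50", "10.0.0.7", "R"))
    for i in range(6):    # slow prober: 6 distinct peers, 12 s apart
        pkts.append((2 + 12 * i, f"10.0.0.{60 + i}", "10.0.0.9", "RA"))
    pkts.append((3, "10.0.0.50", "10.0.0.7", "SA"))   # ordinary handshake reply
    return sorted(pkts)


if __name__ == "__main__":
    print(detect_rst_scanners(build_sample()))
```

On the constructed traffic only the fast scanner is flagged. The slow prober stays under the window, which is the trade-off a fixed-window counter makes between early warning and false alarms.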