
Polymorphic Worm Features Automatic Extraction Of The Model And Algorithm

Posted on: 2010-04-07
Degree: Master
Type: Thesis
Country: China
Candidate: X Zhao
GTID: 2208360278479232
Subject: Computer application technology
Abstract/Summary:
The research in this paper is supported by the National Natural Science Foundation of China project "Network Camouflaging Cooperative Security Model Research" (grant number 60503008).

With the extensive application and popularization of the Internet, network security has become a focus of public attention. Internet worms in particular have become one of the hottest topics in network security because of their wide propagation and the severe harm they cause. With the introduction of many metamorphic techniques into polymorphic worms, the extraction and representation of polymorphic worm signatures differ from the traditional methods, which poses a new challenge, in terms of false positives and false negatives, to signature-based worm detection systems (e.g., IDS). How to generate the signatures of polymorphic worms quickly and effectively is therefore very important in the research area of signature generation for IDS.

In this paper, firstly, an automatic signature generation model is built through attack behavior analysis of polymorphic worms. Secondly, an automatic signature generation algorithm for polymorphic worms is discussed, and the representation of the signature and the detection algorithm are expounded. Thirdly, a prototype system based on the automatic signature generation model and algorithm is designed and implemented. Finally, the effectiveness of the automatic signature generation model and algorithm is tested and evaluated in several experiments.

The main work and contributions of this paper include the following:

(1) The signature generated by the Smith Waterman algorithm in this paper is pattern-based and represented in two vector styles (frequency and probability). It is the longest common subsequence obtained by sequence comparison of several suspicious polymorphic worm flows.

(2) New incoming polymorphic worm flows are classified using the signature vector and the Similarity Metric detection method. With this method, the signature generated in this paper does not have to match completely, yet the detection accuracy rate increases while the sample space decreases.

(3) The attack signature of a polymorphic worm is generated by the Normalized Local Alignment algorithm, which further increases the detection accuracy rate and further decreases the sample space. The signature generated by the Normalized Local Alignment algorithm is the common subsequence with the maximum degree of similarity obtained by sequence comparison of several polymorphic worm flows.

(4) A prototype system based on the automatic signature generation model and algorithm is implemented in this paper, in order to evaluate the effect of the signature generation algorithm and the feasibility of the Similarity Metric detection method with respect to false positives and false negatives, and to verify the superiority of the Normalized Local Alignment algorithm over the Smith Waterman algorithm.
Keywords/Search Tags:worm, signature generation, Smith Waterman algorithm, Normalized Local Alignment algorithm, similarity metric
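As an added illustration of contributions (1) and (2), and not code from the thesis, the sketch below runs Smith-Waterman local alignment over several constructed flows and keeps the bytes they share as a signature, then scores new flows against it. The scoring constants, the pairwise fold in `generate_signature`, the sample flows and the `coverage` ratio are all assumptions; the abstract does not define the thesis's vector representation or its Similarity Metric.

```python
from functools import reduce

MATCH, MISMATCH, GAP = 2, -1, -1   # assumed scoring; the abstract gives none


def smith_waterman(a: bytes, b: bytes):
    """Return (best score, bytes matched along the best local alignment)."""
    H = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    best, end = 0, (0, 0)
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            s = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            H[i][j] = max(0, H[i - 1][j - 1] + s, H[i - 1][j] + GAP, H[i][j - 1] + GAP)
            if H[i][j] > best:
                best, end = H[i][j], (i, j)
    # Trace back from the best cell until the score drops to zero,
    # keeping only positions where both flows carry the same byte.
    i, j = end
    common = bytearray()
    while i > 0 and j > 0 and H[i][j] > 0:
        same = a[i - 1] == b[j - 1]
        if H[i][j] == H[i - 1][j - 1] + (MATCH if same else MISMATCH):
            if same:
                common.append(a[i - 1])
            i, j = i - 1, j - 1
        elif H[i][j] == H[i - 1][j] + GAP:
            i -= 1
        else:
            j -= 1
    return best, bytes(reversed(common))


def generate_signature(flows):
    """Fold pairwise alignment over all flows to get their common subsequence."""
    return reduce(lambda sig, flow: smith_waterman(sig, flow)[1], flows)


def coverage(signature: bytes, flow: bytes) -> float:
    """Alignment score relative to a perfect, gap-free match of the signature."""
    if not signature:
        return 0.0
    return smith_waterman(signature, flow)[0] / (MATCH * len(signature))


# Constructed flows: two invariant byte runs with per-flow filler around them.
T1, T2 = b"HDR-MAGIC", b"TOKEN=XYZ"
FLOWS = [b"aaa" + T1 + b"bb" + T2 + b"c",
         b"d" + T1 + b"eeee" + T2 + b"fff",
         b"gggg" + T1 + b"h" + T2 + b"ii"]

if __name__ == "__main__":
    sig = generate_signature(FLOWS)
    print(sig, coverage(sig, b"kk" + T1 + b"mmm" + T2))
```

A flow whose filler differs from every training flow still scores close to 1.0 because gaps only subtract a small penalty, which is the sense in which the signature "does not have to match completely".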