Research on a Model and Algorithm for Automatic Worm Signature Extraction Based on Sequence Alignment

Posted on: 2011-09-03 | Degree: Master | Type: Thesis
Country: China | Candidate: C Y Hu
GTID: 2208360305493664 | Subject: Computer Science and Technology
Abstract/Summary:
As computer networks grow, fast-spreading worms pose a major network security challenge. Existing prevention tools, such as intrusion detection systems, are based on misuse detection: they detect and defend against worms by matching packet signatures, so their protective capacity depends largely on the quantity and quality of those signatures. Methods that rely on network security experts manually studying network traces to generate signatures after a new worm has broken out cannot effectively stop worms that spread worldwide within a few hours and cause huge losses. Automating the generation of worm signatures is therefore of considerable research value.

Worms have distinctive characteristics, including behavioral characteristics and traffic-flow characteristics. After analyzing the existing techniques for automatic worm signature generation, and noting that existing signature generation systems do little preprocessing and produce signatures that are not accurate enough, this paper proposes a new automatic signature generation model based on sequence alignment.

Because data captured by a honeypot is of very high purity, this paper proposes a cluster-based preprocessing of network traffic using a honeypot, which divides the traffic into significant and non-significant flows. It then uses the flow characteristics of worms, namely the randomness of source and destination IP addresses and of source and destination ports, to detect suspected worm flows within the significant traffic using a randomness-testing technique.

For signature generation, the model uses T-Coffee, the multiple sequence alignment algorithm that gives the most accurate alignment results in bioinformatics. The SLA algorithm is used to construct T-Coffee's primary database, and the guide tree generation process is modified so that it guides the subsequent progressive alignment more precisely, in order to extract more accurate worm signatures.

Experimental data show that the model is effective.
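
The alignment-based signature step described above can be illustrated with a short added example; it is not code from the thesis. It uses plain pairwise Needleman-Wunsch alignment folded progressively over the samples as a simplified stand-in for T-Coffee. The function names, scoring values and sample payloads are assumptions constructed for the illustration.

```python
WILDCARD = -1  # placeholder between tokens; never equals a real byte (0..255)

def align_tokens(a, b, min_len=4, match=2, mismatch=-1, gap=-1):
    """Globally align two int sequences (Needleman-Wunsch) and return the
    contiguous matched runs of at least min_len symbols, in order."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = match if a[i - 1] == b[j - 1] else mismatch
            score[i][j] = max(score[i - 1][j - 1] + sub,
                              score[i - 1][j] + gap, score[i][j - 1] + gap)
    tokens, run, i, j = [], [], n, m
    while i > 0 and j > 0:  # trace back from the bottom-right corner
        same = a[i - 1] == b[j - 1]
        diag = score[i][j] == score[i - 1][j - 1] + (match if same else mismatch)
        if diag and same:
            run.append(a[i - 1])
        else:  # a mismatch or gap column ends the current matched run
            if len(run) >= min_len:
                tokens.append(run[::-1])
            run = []
        if diag:
            i, j = i - 1, j - 1
        elif score[i][j] == score[i - 1][j] + gap:
            i -= 1
        else:
            j -= 1
    if len(run) >= min_len:
        tokens.append(run[::-1])
    return tokens[::-1]

def extract_signature(samples, min_len=4):
    """Fold each sample into the consensus; return the invariant byte tokens."""
    tokens = [list(samples[0])]
    for sample in samples[1:]:
        consensus = []
        for tok in tokens:  # join tokens with a wildcard that matches nothing
            consensus += ([WILDCARD] if consensus else []) + tok
        tokens = align_tokens(consensus, list(sample), min_len)
    return [bytes(tok) for tok in tokens]

# Constructed payloads: two invariant parts surrounded by variable padding.
SAMPLES = [
    b"14POST /upload.cgi?f=411|PAYLOAD-MARKER|1",
    b"252POST /upload.cgi?f=52525|PAYLOAD-MARKER|25",
    b"POST /upload.cgi?f=3636|PAYLOAD-MARKER|363",
]

if __name__ == "__main__":
    print(extract_signature(SAMPLES))
```

The result is an ordered token list that could be expressed as a content-matching rule, with each token separated by an arbitrary gap.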
Keywords/Search Tags: worm, signature generation, t-coffee, clustering, sequence alignment