Abnormal User Behavior-based Worm Detection And Signature Automatic Extraction Technique

Posted on: 2011-03-25
Degree: Master
Type: Thesis
Country: China
Candidate: D P Chen
Full Text: PDF
GTID: 2208360308966170
Subject: Computer application technology
Abstract/Summary:
The computer worm, which originated in the 1980s, is seen as the biggest challenge in computer network security at present. Because of the worm's imperceptibility, fast infection and enormous damage, worm research is becoming more and more important. At the present stage, misuse-based and anomaly-based technologies are still the main methods of worm detection, and they have met a bottleneck. On the other hand, the lag of manual worm signature generation may have negative effects on worm detection and containment. Automatic signature generation technology, which is still in the development stage, may show its weakness when it meets polymorphic worms or anti-automatic-signature-generation techniques. Therefore, it is important to propose a new worm detection method and a new automatic worm signature generation method.

This thesis surveys the principles, key techniques and detection approaches of worm detection, as well as worm signature generation approaches. We then propose a new worm detection method and a new automatic worm signature generation method to cover the shortcomings of earlier technology.

We make the following three contributions:

1. We describe the principles of worms, worm detection approaches and worm signature generation approaches. We then analyze the advantages and weaknesses of current worm detection and worm signature generation approaches. Finally, we offer a forecast of the development trends of worm detection and worm signature generation technologies.

2. Existing worm detection technology is based on misuse-based and anomaly-based techniques. Anomaly-based technology often detects a worm by analyzing the multiple false connections that the worm generates in its scanning stage, not by the user's behavior. Combining the advantages of existing technology, we propose an anomaly-based technique based on abnormal user behavior, which can avoid interference from behavior that resembles a worm's and improve the accuracy of worm detection.

3. This thesis proposes a self-immune signature generation technology to address the deficiencies of manual signature generation and of earlier automatic signature generation methods. It makes up for the lag of manual worm signature generation and for the weak ability to resist anti-automatic-signature-generation techniques. This work is an initial attempt at this kind of worm signature generation technology.
Keywords/Search Tags: Computer worm, Abnormal user-behavior, Automated signature generation, Self-immune