As the Internet grows, network worms threaten the security of computer systems and networks ever more seriously. In particular, the diversification of worm propagation methods and the complexity of application environments have sharply increased the frequency of worm outbreaks. Moreover, as computer technology develops, worms increasingly cooperate with Trojan horses and viruses, which makes them harder to detect, harder to remove, and more costly. Confronting the threat of network worms is therefore an urgent task.

Research institutions around the world have done a great deal of work on worm detection and prevention and have made important progress. At present, however, the most effective worm detection method is still signature matching. Signature matching has an inherent time lag and depends heavily on manual analysis, so it is time-consuming and labor-intensive. This has pushed the network security field to focus on extracting worm signatures automatically, so that worms can be detected and blocked before they damage the network.

On the basis of extensive analysis and validation of current worm detection technologies, we identified the most important features of network worms: network scanning, self-reproduction, distribution across the network, and large-scale outbreak. On this basis we propose a new mechanism, a multi-dimensional feature extraction mechanism, for extracting worm features. Since a BP (back-propagation) neural network can learn and train itself automatically, we use the classical BP neural network model to design an intelligent system that identifies unknown worms automatically and detects known worms effectively.

First, with the support of virtual honeypot technology, we designed a virtual honeypot system that supports both a client-side honeypot and a server-side honeypot. We then built a distributed virtual network environment using virtualization technologies. Next, we apply the following worm feature extraction technologies: scanning features are extracted from the time domain and the frequency domain; self-reproduction features are extracted by similarity matching; network behavior features are extracted by analyzing network byte streams; and the large-scale outbreak feature is extracted from the distribution of a layered overlay model. Finally, to ensure the safety and effectiveness of data communication between system modules, we modified the open-source SSL implementation to our own design to achieve a secure and confidential inter-module communication mechanism.

At the end of this thesis we assess the performance and functionality of the system, summarize the limitations of this study, and outline directions for future work.
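The feature extraction steps described above (time-domain and frequency-domain scan features, and self-reproduction by similarity matching) can be made concrete over a window of connection records. The following is an added example, not code from the thesis or its system: the record format, the 32-second window, the byte-trigram Jaccard similarity, the sample hosts (10.0.0.9 as a constructed infected host, 10.0.0.5 as a normal client) and the decision thresholds in is_worm_like are all assumptions chosen for illustration; the rule-based classifier stands in for the thesis's BP neural network.

```python
"""
Added example: multi-dimensional worm feature extraction over a constructed
window of connection records. Not code from the thesis; the record format,
thresholds and sample traffic are assumptions for illustration.
"""
import cmath
from collections import defaultdict

WINDOW = 32   # observation window in seconds (assumed)
NGRAM = 3     # byte n-gram size for payload similarity (assumed)


def build_records():
    """Constructed sample traffic: (t, src, dst, dport, succeeded, payload)."""
    recs = []
    # Constructed marker payload standing in for an exploit buffer; not a real exploit.
    worm_payload = b"\x90" * 16 + b"STAGE1-MARKER"
    # 10.0.0.9 is hit from outside at t=0 ...
    recs.append((0, "203.0.113.7", "10.0.0.9", 445, True, worm_payload))
    # ... then replays the same bytes to 40 distinct hosts, in bursts of 5 every 4 s;
    # only every fifth target accepts the connection (a scan hits mostly closed ports).
    n = 0
    for burst in range(8):
        for _ in range(5):
            n += 1
            recs.append((4 * burst, "10.0.0.9", f"10.0.1.{n}", 445, n % 5 == 0, worm_payload))
    # 10.0.0.5 is a normal client: a few HTTP requests to one server, one response back.
    paths = [(1, "/"), (3, "/index.html"), (7, "/app.js"), (12, "/api/items"),
             (20, "/logo.png"), (27, "/api/items?page=2")]
    for t, path in paths:
        req = f"GET {path} HTTP/1.1\r\nHost: example\r\n\r\n".encode()
        recs.append((t, "10.0.0.5", "192.0.2.10", 80, True, req))
    recs.append((2, "192.0.2.10", "10.0.0.5", 80, True,
                 b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"))
    return recs


def periodicity(series):
    """Frequency-domain scan feature: strongest non-DC DFT bin relative to DC.
    Close to 1.0 for strictly periodic bursts, lower for irregular traffic.
    A naive O(n^2) DFT keeps the example dependency-free."""
    n = len(series)
    dc = sum(series)
    if dc == 0:
        return 0.0
    best = 0.0
    for k in range(1, n):
        xk = sum(c * cmath.exp(-2j * cmath.pi * k * t / n) for t, c in enumerate(series))
        best = max(best, abs(xk))
    return best / dc


def ngrams(data):
    return {data[i:i + NGRAM] for i in range(len(data) - NGRAM + 1)}


def jaccard(a, b):
    """Similarity of two payloads as Jaccard index over their byte n-gram sets."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0


def extract_features(records):
    """Per-source features: time-domain scan statistics, spectral periodicity and
    self-reproduction (how closely outbound payloads match what the host received)."""
    out = defaultdict(list)
    inbound = defaultdict(list)
    for t, src, dst, dport, ok, payload in records:
        if 0 <= t < WINDOW:
            out[src].append((t, dst, ok, payload))
            inbound[dst].append(payload)
    feats = {}
    for host, conns in out.items():
        series = [0] * WINDOW                      # connections started per second
        for t, _, _, _ in conns:
            series[t] += 1
        feats[host] = {
            "distinct_dsts": len({d for _, d, _, _ in conns}),
            "fail_ratio": sum(1 for _, _, ok, _ in conns if not ok) / len(conns),
            "periodicity": periodicity(series),
            "self_repro": max((jaccard(rx, tx) for rx in inbound[host]
                               for _, _, _, tx in conns), default=0.0),
        }
    return feats


def is_worm_like(f):
    """Illustrative rule in place of the thesis's BP network: fan-out + failures + replay."""
    return f["distinct_dsts"] >= 10 and f["fail_ratio"] >= 0.5 and f["self_repro"] >= 0.9


if __name__ == "__main__":
    for host, f in extract_features(build_records()).items():
        print(host, {k: round(v, 3) for k, v in f.items()},
              "WORM-LIKE" if is_worm_like(f) else "ok")
```

The periodicity feature is only meaningful once a host has made enough connections: a source with a single connection in the window has a flat spectrum and scores 1.0, which is why the illustrative rule gates on fan-out (distinct destinations) and failure ratio before the spectral and similarity features count. A trained classifier, as in the thesis, would learn such interactions from labeled honeypot traffic instead of hard-coding them.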