
Research On Worm Defence Technology Based On High-interaction Honeynet

Posted on: 2013-01-29
Degree: Master
Type: Thesis
Country: China
Candidate: Q H Jin
GTID: 2218330362465970
Subject: Computer application technology
Abstract/Summary:
Nowadays, with the rapid development of computer technology, the whole world is stepping into a comprehensive networked information age. Applications of computer networks continuously penetrate all fields of daily life and production and are gradually taking an important position in human society: in politics, economics, national defense, light and heavy industry, and so on. However, while enjoying the convenience that computer networks bring to our lives, we must also bear the potential threats arising from network security problems, which may exist at any time. With the endless appearance of all kinds of network services and the development of hacker technology, those threats are becoming more and more severe in both frequency and strength and, as the importance of network applications grows, they lead to ever more immeasurable losses. Because worms propagate by themselves with no human intervention and cause destruction on a large scale, worm-related study attracts more and more attention as a research hotspot in the field of network security defense.

Traditional detection methods and defensive strategies against worm attacks are usually based on passive defense. For unknown and fast-propagating malicious worms, a great loss may already be inevitable before passive defenses begin to take effect and eliminate them. Therefore honeypot technology, which traps and learns worm attacks in advance and consumes attack resources to protect ordinary hosts outside the honeynet, has been introduced into the worm defense field to reverse this passive situation. Owing to its high degree of camouflage and the high degree of freedom it allows an attack, the high-interaction honeynet has become the research focus in applying honeypot technology to worm defense.

At present, there are difficulties and disadvantages in research on applying high-interaction honeynets to worm detection and defense. For example, data analysis and other key technologies of high-interaction honeynets aimed at worm defense are still not mature; common existing worm propagation models cannot accurately describe worm propagation status when a high-interaction honeynet participates; and the various defense products are more like mutually fragmented pieces than an organic whole that closely integrates worm intrusion trapping, worm intrusion detection and worm attack response into a logically holistic mechanism.

Grounded on existing research results, the paper first presents an improved k-means algorithm based on DBSCAN initial clusters (dk-means), aimed at the characteristics of high-interaction honeynet data, trying to improve clustering accuracy, speed and fitness. Then, to solve the problem that current worm propagation models cannot accurately describe worm propagation status under the participation of a high-interaction honeynet, the paper proposes and constructs, on the basis of the two-factor worm propagation model, a two-stage worm propagation model based on the high-interaction honeynet, named the H-SIR model. Finally, an overall defense system is presented: a worm capture and control mechanism based on the high-interaction honeynet, which rests on the trapping and analysis performed by the high-interaction honeynet combined with IDS and a worm attack response mechanism. A comparative simulation analysis is then performed with the H-SIR model, and the results show that the proposed worm capture and control mechanism based on the high-interaction honeynet is more applicable for keeping the protected hosts safer and for learning new-style worm viruses with high efficiency.
Keywords/Search Tags: network security, worm defense, high-interaction honeynet, clustering algorithm, worm propagation model