
Research On The Key Technologies For Malicious Code Detection In Large-scale Network

Posted on: 2013-03-17
Degree: Master
Type: Thesis
Country: China
Candidate: H Wang
Full Text: PDF
GTID: 2248330371473771
Subject: Computer application technology

Abstract/Summary:
With the increasing openness of the Internet and the growth of information sharing, the Internet has become a main channel for distributing malicious code. Meanwhile, increasingly skilled malicious code writers keep raising the deceptiveness and stealthiness of their code.

Network-based detection of malicious code is becoming a hot topic in the field. The traditional data-based detection method uses several detection rules to describe the features of each malicious code. This leads to the emergence of a large number of redundant signatures, which in turn degrades detection efficiency. Therefore, the essence of network-level malicious code detection should be content-oriented analysis, and the core of the detection rules should be content signatures.

Each kind of malicious code has its own features when spreading in the network, with different forms and methods. Most network attacks that use malicious code are neither independent nor haphazard: they operate in different phases of the attack, of which the later stages depend on the earlier stages. If detection depends only on the content features of a single packet, it fails to distinguish malicious code from normal traffic, increases the number of matching operations performed per unit time on the large volume of packets of normal network applications, and cannot describe the attack phase.

In this paper, we propose a malicious code detection method based on connective signatures. By studying the attack models of malicious code spreading in the network, and building on the theory that attack models have cause-and-effect structure, our method extracts connective signatures from the packets in the data streams as the content of the feature library, at a space cost of O(nqm), and uses these member signatures, which have logical associations with one another, to match and filter the data of intranet hosts.

Detecting malicious code with this theory can significantly reduce the false detection rate on normal network traffic and the false alarm rate. It can also detect the state of the attack, and it is compatible with traditional signature matching algorithms.

This paper describes the connective signature detection algorithm and the implementation of a detection system based on it. The algorithm was validated by simulating attacks against the detection system in real scenarios and analyzing the experimental results. The experimental results show the accuracy, validity and practicality of the proposed method.
Keywords/Search Tags: network security, malicious code detecting, connective signature, DPI
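To make the causal-link idea in the abstract concrete, here is an added Python illustration (not code from the thesis or its detection system): a toy connective-signature detector in which each later-stage member signature may match for a host only after the earlier stage has matched for that same host, run side by side with flat per-packet rule matching over the same traffic. The stage names, byte patterns, sample packets and the 60-second window are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class ConnectiveSignature:
    """Member signatures in attack order; stage k may match for a host only after
    stage k-1 matched for that same host (constructed model of the thesis idea)."""
    name: str
    stages: list           # [(stage_name, content_pattern_bytes), ...]
    window: float = 60.0   # seconds a partial chain stays alive (assumed parameter)

class ConnectiveDetector:
    def __init__(self, sig):
        self.sig, self.state = sig, {}   # state: host -> [next_stage_index, last_advance_ts]
    def process(self, ts, host, payload):
        """One packet in; ('stage', name), ('alert', name) on chain completion, or None."""
        idx, last = self.state.get(host, [0, 0.0])
        if idx > 0 and ts - last > self.sig.window:
            idx = 0                          # stale partial chain: start over
        stage_name, pattern = self.sig.stages[idx]
        if pattern not in payload:
            self.state[host] = [idx, last]
            return None                      # content of a later stage alone never fires
        idx += 1
        self.state[host] = [idx, ts] if idx < len(self.sig.stages) else [0, 0.0]
        return ("stage" if idx < len(self.sig.stages) else "alert", stage_name)

def flat_matches(sig, payload):
    """Baseline: every member signature applied as an independent per-packet rule."""
    return [name for name, pat in sig.stages if pat in payload]

# Constructed three-stage signature and traffic for a hypothetical spreading worm.
WORM = ConnectiveSignature("demo-worm", [
    ("scan", b"SCAN-PROBE"), ("deliver", b"PUSH-STAGE2"), ("callback", b"CALL-HOME")])
TRAFFIC = [  # (time, intranet host, payload); not real captures
    (1.0, "10.0.0.5", b"SCAN-PROBE to 10.0.0.6"),
    (2.0, "10.0.0.5", b"PUSH-STAGE2 ...binary..."),
    (3.0, "10.0.0.5", b"CALL-HOME beacon"),
    (4.0, "10.0.0.9", b"log line that merely mentions CALL-HOME"),  # benign coincidence
    (5.0, "10.0.0.7", b"SCAN-PROBE"),
    (200.0, "10.0.0.7", b"PUSH-STAGE2"),                            # window expired
]

def run(traffic=TRAFFIC):
    """Return (connective events, flat per-packet hits) for the same traffic."""
    det, conn, flat = ConnectiveDetector(WORM), [], []
    for ts, host, payload in traffic:
        ev, hits = det.process(ts, host, payload), flat_matches(WORM, payload)
        if ev:
            conn.append((host, ev))
        if hits:
            flat.append((host, hits))
    return conn, flat
```

Running `run()` shows the full chain on 10.0.0.5 producing one alert that names the reached stage, while the benign packet on 10.0.0.9 and the expired chain on 10.0.0.7 are flagged only by the flat per-packet rules.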