
The Research Of Worm Detection Technology Based On Network Behavior

Posted on: 2014-07-28   Degree: Master   Type: Thesis
Country: China   Candidate: S S Chen   Full Text: PDF
GTID: 2268330425955803   Subject: Computer software and theory

Abstract/Summary:
With the development of computer technology and the deepening of network applications, network security threats have become increasingly serious; in particular, the flood of malicious code (computer viruses, Trojans, network worms) causes great damage to network applications. Among these, the worm, which spreads without human intervention, has the widest attack scope and the fastest outbreak speed and has caused the most harm. Its propagation may consume large amounts of system resources on infected hosts, disrupting normal use of the target system, and may jam an entire network by consuming its bandwidth. How to detect network worms effectively has therefore become an important topic in computer network security.

This paper first reviews the emergence and development of network worms, then sets out the definition and functional structure of network worms, analyses the propagation mechanism of Internet worms, and surveys the state of research on worms and on worm detection based on network behavior, establishing the need for Internet worm detection. Although existing research results can detect worms, they still have the following shortcomings:
(1) They produce many false positives, especially those caused by P2P traffic and by specific operations of some normal processes;
(2) They do not work well for slow or variable-speed worms;
(3) They have not explored worm behavior thoroughly enough, so it is difficult to reduce the false positive and false negative rates effectively.

Worm scanning produces typical network behaviors such as network congestion, an excessive rate of new connections, and an excessive number of failed first-contact connections. Through research and analysis of these typical behaviors, this paper introduces the concept of the First Contact Connection (FCC) and divides FCCs into four cases.

To reduce both the false negative rate and the false positive rate, we use two detection indicators, the FCC failed-connection probability and the FCC connection speed, as the basis for detection, and propose two worm detection methods derived from the analysis of the worm's typical network behavior:
(1) A worm detection method based on fuzzy pattern recognition of network behaviors. The algorithm studies the network behaviors of normal and abnormal computers separately, establishes standard fuzzy subsets for classification, and judges whether an observed computer is infected by a worm using fuzzy pattern recognition.
(2) A worm detection method based on the Fisher-support vector comprehensive classifier (FSVC) applied to network behaviors. This algorithm learns the network behaviors of normal and abnormal computers respectively using FSVC; observed computers are then classified by the trained classifier, realizing automatic detection while worms are attacking.

Both detection techniques are validated by experiment and analysis, using data collected in a real network environment to build a sample data set. The results show that both techniques detect unknown scanning worms well and are less prone to false alarms on P2P programs. In addition, the paper compares the advantages and disadvantages of the two worm detection algorithms and analyses them against a reference worm detection algorithm.

Finally, the research work is summarized. The two worm detection algorithms proposed in this paper have high effectiveness and low false negative and false alarm rates; they deserve deeper theoretical study and have great value in engineering application. We also analyse the problems remaining in these two detection algorithms.
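As an added illustration, not code from the thesis, the following Python computes the two FCC indicators named in the abstract (FCC failed-connection probability and FCC connection speed) per source host over a constructed connection trace, and contrasts a two-indicator decision with a speed-only one to show why the combination is less prone to the P2P false positive the abstract mentions. The record layout, the host addresses, the trace itself and the threshold values are all assumptions made for this example; the thesis's own four FCC cases and its fuzzy and FSVC classifiers are not reproduced here.

```python
"""Compute First Contact Connection (FCC) indicators per source host.

An FCC is a host's first connection attempt to a destination it has not
contacted before within the observation window. Two indicators are derived:
  * FCC failed-connection probability: failed FCCs / all FCCs
  * FCC connection speed: FCCs per second over the observation window
Thresholds and sample data below are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Assumed record layout: (timestamp in seconds, source host, destination host, port, outcome);
# outcome is "ok" for a completed handshake, "fail" for a reset or timeout.
Record = Tuple[float, str, str, int, str]

# Constructed sample trace (not data from the thesis).
SAMPLE_CONNECTIONS: List[Record] = [
    # Normal host: a few destinations, some repeated, all reachable.
    (0.0, "10.0.0.5", "10.0.0.9", 443, "ok"),
    (1.0, "10.0.0.5", "10.0.0.9", 443, "ok"),      # repeat destination, not an FCC
    (2.0, "10.0.0.5", "10.0.0.12", 80, "ok"),
    (6.0, "10.0.0.5", "10.0.0.20", 53, "ok"),
    (10.0, "10.0.0.5", "10.0.0.12", 80, "ok"),     # repeat destination, not an FCC
]
# P2P-like host: many distinct peers in a short time, but almost all reachable.
SAMPLE_CONNECTIONS += [(float(i), "10.0.0.7", f"192.0.2.{i}", 6881, "ok") for i in range(1, 5)]
SAMPLE_CONNECTIONS.append((5.0, "10.0.0.7", "192.0.2.5", 6881, "fail"))
# Scanning host: one new address per second, nearly all of them unreachable.
SAMPLE_CONNECTIONS += [(float(i), "10.0.0.8", f"198.51.100.{i + 1}", 445, "fail") for i in range(9)]
SAMPLE_CONNECTIONS.append((9.0, "10.0.0.8", "198.51.100.10", 445, "ok"))


@dataclass
class FccStats:
    fcc_total: int = 0
    fcc_failed: int = 0

    @property
    def failure_probability(self) -> float:
        return self.fcc_failed / self.fcc_total if self.fcc_total else 0.0


def fcc_indicators(records: Iterable[Record]) -> Dict[str, Tuple[float, float]]:
    """Return {source host: (FCC failure probability, FCCs per second)}."""
    ordered = sorted(records)                       # process in time order
    if not ordered:
        return {}
    # Observation window shared by all hosts so their speeds are comparable (at least 1 s).
    window = max(ordered[-1][0] - ordered[0][0], 1.0)
    contacted: Dict[str, Set[str]] = defaultdict(set)
    stats: Dict[str, FccStats] = defaultdict(FccStats)
    for _ts, src, dst, _port, outcome in ordered:
        if dst in contacted[src]:
            continue                                # repeat destination: not a first contact
        contacted[src].add(dst)
        stats[src].fcc_total += 1
        if outcome == "fail":
            stats[src].fcc_failed += 1
    return {src: (s.failure_probability, s.fcc_total / window) for src, s in stats.items()}


def classify(indicators, fail_prob_threshold=0.5, rate_threshold=0.8) -> Dict[str, bool]:
    """Flag a host only when BOTH indicators reach their (assumed) thresholds."""
    return {src: (p >= fail_prob_threshold and rate >= rate_threshold)
            for src, (p, rate) in indicators.items()}


def classify_by_speed_only(indicators, rate_threshold=0.4) -> Dict[str, bool]:
    """Single-indicator baseline: new-destination rate alone, which also trips on P2P peers."""
    return {src: rate >= rate_threshold for src, (_p, rate) in indicators.items()}


if __name__ == "__main__":
    ind = fcc_indicators(SAMPLE_CONNECTIONS)
    for host, (p, rate) in sorted(ind.items()):
        print(f"{host}: FCC fail prob={p:.2f}, FCC/s={rate:.2f}, "
              f"flagged={classify(ind)[host]}, speed-only={classify_by_speed_only(ind)[host]}")
```

On this trace the P2P-like host reaches many new peers quickly but almost all of them answer, so the speed-only rule flags it while the combined rule does not; the scanning host fails nearly every first contact and is flagged by both. In practice the two indicators would be the features handed to a classifier rather than compared against fixed thresholds.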
Keywords/Search Tags: Worm, Detection, Fuzzy pattern recognition, Network behavior, Classifier