
Research On Key Techniques Of Network Worms Attack Signature Automatically Generation

Posted on: 2011-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Xu
Full Text: PDF
GTID: 2298330452461315
Subject: Computer application technology
Abstract/Summary:
With the development of technology, computers and the Internet have been extended to almost every corner. Computer networks are playing a more and more important role in people's lives, as they give us irreplaceable convenience. However, with the development of networks, attack events are increasing. Network attacks cause hundreds of millions in economic losses each year, and the losses grow from year to year.

Network worms are the primary means of network attack. They can exploit operating system or software vulnerabilities, replicate, and automatically transmit themselves through the network. As techniques develop, network worms show the following features:
(1) the vulnerabilities that can be exploited become more and more numerous.
(2) the speed of worm spreading becomes faster and faster.
(3) the time interval of worm attacks becomes shorter and shorter.
(4) the technique of worm production is increasingly sophisticated.
(5) the harm of worm outbreaks becomes greater and greater.
These features make worm detection and defense technology face an increasingly tough challenge.

Attack Signature Automatically Generation (ASAG) technology is one of the key technologies. This paper focuses its research on ASAG technology, and its main work includes:
1) The overall research status of ASAG technology is analyzed, its design goals and evaluation criteria are described, and the limitations of current approaches are given.
2) After deep research and analysis of a variety of ASAG systems, a basic framework for a network ASAG system is presented, along with a detailed analysis of the main function of each component in the framework.
3) An attack capture model based on a distributed honey-pot system (DHACM) is presented. This model integrates anomaly detection based on a dubiety-score model into the honey-pots, so that it can apply a second filter to the samples in the honey-pots and improve the purity of the captured samples.
4) A simple noise-resilient ASAG algorithm is presented, which uses the behavioral characteristics of a worm outbreak to generate efficient signatures for samples in a suspicious dataset that contains large amounts of noisy data, under a complex environment. The experiment shows that this algorithm can generate usable signatures from a suspicious dataset containing 90% noisy data.

This research has been applied to a project of the National High Technology Research and Development Program (863 Program) of China.
Keywords/Search Tags: network worms, attack signatures, signature automatically generation, noise-resilience, honey-pot