
Research On Containment Strategy Of Polymorphic Worms Based On NIDS

Posted on: 2015-05-09
Degree: Master
Type: Thesis
Country: China
Candidate: G F Sun
Full Text: PDF
GTID: 2348330482957293
Subject: Computer application technology
Abstract/Summary:
Internet worms have become one of the major threats to network security. In recent years, the emergence of polymorphic worms and their mass propagation have posed even more serious challenges. Using various deformation techniques, a polymorphic worm changes the byte sequence of each new instance it produces as it self-replicates, so its instances take many different forms during propagation and attack. As a consequence, polymorphic worms are able to evade intrusion detection systems that rely on a single signature or on anomalous features alone. How to effectively restrain the propagation of polymorphic worms has therefore become a major open question in network security.

To contain the propagation of polymorphic worms effectively, we need to study their transmission mechanism and analyze their propagation characteristics. By abstracting these characteristics, this thesis establishes a propagation model of polymorphic worms and uses it to analyze their transmission behaviour. Taking the variant characteristics of polymorphic worms into account, the thesis then presents an SIV immune model of polymorphic worms and uses it to analyze those characteristics.

An intrusion detection system (IDS) is an effective means of detecting worms and restraining their propagation. A host-based intrusion detection system has to be deployed across the whole network, and the characteristics of polymorphic worms are complex, so restraining polymorphic worm propagation with a host-based IDS is too costly. This thesis therefore chooses a network-based intrusion detection system (NIDS) to detect polymorphic worms. By analyzing network traffic, a NIDS extracts the useful information and does so faster. Based on the NIDS, we adopt misuse detection and establish the SIQV worm propagation model with a constant quarantine strategy. Misuse detection can effectively detect known attacks, with a high detection rate and a low false alarm rate, but it cannot detect unknown attacks, i.e. it has a high missed-report (false negative) rate. Anomaly detection, on the other hand, can effectively detect unknown attacks and variants of known worms, but has a high false alarm rate. To make full use of the advantages of both misuse detection and anomaly detection and to compensate for their shortcomings, we establish the SIQV worm propagation model with a pulse quarantine strategy. Our analysis shows that the pulse quarantine strategy is better than the constant quarantine strategy.

This thesis carries out theoretical analysis of these three established propagation models of polymorphic worms: it analyzes the stability of the systems, derives the conditions under which the systems remain stable, and analyzes the various factors affecting that stability. Through numerical analysis we validate the theoretical results and analyze the effectiveness of the containment strategies from different aspects. Through discrete-time simulation experiments we simulate the propagation process of polymorphic worms in a real network. The simulation data fully demonstrate that the propagation models established in this thesis can effectively reflect the propagation behaviour of polymorphic worms, and that the corresponding containment strategies have a positive effect on restraining their propagation.
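To make the difference between a constant and a pulse quarantine strategy concrete, the following discrete-time SIQV simulation is an added illustration and is not the thesis's model or code: the compartments (Susceptible, Infected, Quarantined, Vaccinated/immune), the transition rules, the `Params` values and the `simulate`/`peak_infected` helpers are all constructed assumptions. Constant quarantine removes a fixed fraction of infected hosts every step (continuous NIDS misuse detection); pulse quarantine removes a larger fraction at fixed intervals (periodic NIDS sweeps with anomaly-derived signatures).

```python
from dataclasses import dataclass


@dataclass
class Params:
    """Constructed parameters; none are taken from the thesis."""
    n: int = 10000          # total hosts in the simulated network
    beta: float = 0.5       # scans per infected host per step that reach a random host
    gamma: float = 0.1      # fraction of quarantined hosts patched per step (Q -> V)
    q_const: float = 0.05   # fraction of infected hosts quarantined every step (constant)
    q_pulse: float = 0.6    # fraction quarantined in one NIDS sweep (pulse)
    period: int = 12        # steps between pulses


def simulate(p, strategy, steps=300, i0=10):
    """Run the SIQV recurrence and return a list of (S, I, Q, V) per step.

    strategy is 'none', 'constant' or 'pulse'. Transitions (an assumed toy model):
    S -> I by random scanning, I -> Q when the NIDS quarantines infected hosts,
    Q -> V once a quarantined host is patched and becomes immune.
    """
    s, i, q, v = float(p.n - i0), float(i0), 0.0, 0.0
    history = []
    for t in range(1, steps + 1):
        # each infected host's scans hit a susceptible host with probability s/n
        new_inf = min(s, p.beta * i * s / p.n)
        if strategy == "constant":
            quarantined = p.q_const * i
        elif strategy == "pulse" and t % p.period == 0:
            quarantined = p.q_pulse * i
        else:
            quarantined = 0.0
        immunised = p.gamma * q
        s -= new_inf
        i += new_inf - quarantined
        q += quarantined - immunised
        v += immunised
        history.append((s, i, q, v))
    return history


def peak_infected(history):
    """Largest number of simultaneously infected hosts over the run."""
    return max(step[1] for step in history)


if __name__ == "__main__":
    p = Params()
    for strategy in ("none", "constant", "pulse"):
        print(f"{strategy:9s} peak infected: {peak_infected(simulate(p, strategy)):8.1f}")
```

Changing `q_pulse` and `period` while keeping the average removal rate equal to `q_const` shows how the timing of quarantine, not only its total amount, shapes the peak of infected hosts.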
Keywords/Search Tags: polymorphic worm, propagation model, NIDS, containment strategy, simulation experiment