
Research On Malware Detection Method For Buffer Overflow Vulnerability In Network Traffic

Posted on: 2021-01-30
Degree: Master
Type: Thesis
Country: China
Candidate: Z F Zhang
Full Text: PDF
GTID: 2428330623979541
Subject: Software engineering

Abstract/Summary:
With the rapid development of the economy, the Internet plays an important role in our lives, is closely woven into them, and brings great convenience. At the same time, the scale of the network keeps growing, and the threats it faces increase year by year. Networks contain many vulnerabilities; attackers exploit them to launch attacks that cause great economic losses and serious harm to users. In turn, demand for network security detection is increasing. Many researchers have therefore strengthened research on the security of network traffic, for example by proposing to classify network traffic and then identify the traffic that contains malware, but some of the methods proposed so far have difficulty accurately identifying malware in network traffic. At the same time, the relevant data show that, among attackers who exploit network vulnerabilities to write malware and carry out network attacks, the buffer overflow vulnerability is the one used to write malware for a large number of attacks. However, there is still little research on detecting malware for buffer overflow in network traffic, and the existing methods are insufficient in accuracy and false alarm rate. Therefore, this paper selects malware detection for buffer overflow vulnerabilities in network traffic as its research topic.

To solve the above problems, this paper first proposes the OFSVM (Optimized Facile SVM) algorithm, an improvement on the classic SVM (Support Vector Machine) algorithm, to classify network traffic, and combines it with feature extraction and feature dimensionality reduction methods to identify malware in network traffic. Then, because traditional K-MEANS is sensitive to noise and outliers and its K value is difficult to select, this study proposes an improved clustering analysis algorithm, NIKClustering (New Improved K-MEANS Clustering), combined with a similarity method to detect malware in network traffic that targets buffer overflow vulnerabilities. Comparative experiments were carried out on the algorithms proposed above, and a malware detection system, MD-BOV (Malware Detection for Buffer Overflow Vulnerability), was designed and implemented to verify the proposed method. The main work of this paper is as follows:

1. The NTMI (Network Traffic Malware Identification) algorithm is proposed to identify malware in network traffic. First, a Netflow collector collects the traffic data, which is sampled and standardized to obtain a better-quality data set, and ReliefF analysis is then used for feature extraction. The extracted feature set needs further processing: because these feature sets have a complex high-dimensional feature space, redundant features not only increase the learning complexity of the classification algorithm but also cause over-fitting and local-optimum problems. The obtained traffic feature set is therefore reduced in dimensionality: a secondary feature extraction is performed with the wrapper method, the correlation of the feature attributes is calculated and normalized, the OFSVM algorithm classifies and identifies the network traffic, and finally the NTMI algorithm completes the identification of malware in network traffic. The proposed method was tested on real network traffic, and the experimental comparison shows that the NTMI algorithm performs better in accuracy and false alarm rate and gives better results in identifying malware.

2. This paper proposes a malware detection algorithm named RSS-IKClustering (Reliable Self-similarity with Improved K-MEANS Clustering), based on improved clustering and self-similarity. Determining the number of clusters K, optimizing the initial cluster centers, and optimizing the assignment of objects improve the traditional clustering method and yield the NIKClustering algorithm, which is used to perform clustering analysis on the malware extracted from network traffic; the U2R (Unauthorized Access from a Remote Machine to a Local Machine) type of malware is separated from the rest of the network traffic malware, and the self-similarity method is then used to detect the malware for buffer overflow vulnerabilities. The final experimental data show that the RSS-IKClustering proposed in this paper is feasible, can detect malware for buffer overflow vulnerabilities within the malware collected from network traffic, and greatly improves detection accuracy and false positive rate, demonstrating the feasibility and effectiveness of the method.

3. The malware detection system MD-BOV is designed and implemented in this paper. The system architecture of the prototype and its execution flow chart are introduced first, then the main interface of the system is shown and each module is elaborated in detail. After testing and verification, the detection results of the system are consistent with the data from the experimental stage, and the system is also easy to operate and automated.
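The feature-extraction stage of the NTMI pipeline described in item 1 (flow records, min-max standardization, ReliefF feature scoring), as an added Python example that is not the thesis's own code: the flow records, the feature names, and the Manhattan-distance, k-nearest-neighbour formulation of ReliefF used here are assumptions, and a deliberately uninformative column is included so that the scorer's ranking can be checked.

```python
"""ReliefF feature scoring over NetFlow-style records (added example, not the thesis's code)."""
from collections import Counter

# Constructed NetFlow-like flow records: [avg_pkt_len, duration_s, noise].
# 'noise' is a deliberately uninformative column so the scorer can be checked.
FEATURES = ["avg_pkt_len", "duration_s", "noise"]
FLOWS = [
    [60, 1.0, 5], [70, 1.2, 9], [65, 0.9, 1], [80, 1.5, 7],          # benign
    [1400, 0.3, 6], [1350, 0.2, 2], [1450, 0.4, 8], [1380, 0.5, 4],  # malicious
]
LABELS = [0, 0, 0, 0, 1, 1, 1, 1]

def min_max(rows):
    """Standardize every column to [0, 1]; a constant column maps to 0."""
    lo = [min(c) for c in zip(*rows)]
    hi = [max(c) for c in zip(*rows)]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)]
            for r in rows]

def relieff(rows, labels, k=1):
    """One ReliefF weight per feature (higher = more discriminative).

    For every instance R, its k nearest same-class neighbours (hits) pull a
    feature's weight down by their per-feature distance, and the k nearest
    neighbours of each other class (misses) push it up, scaled by the class
    prior. Distances are Manhattan on the min-max scaled features.
    """
    x = min_max(rows)
    m, n = len(x), len(x[0])
    prior = {c: cnt / m for c, cnt in Counter(labels).items()}
    w = [0.0] * n
    for i, r in enumerate(x):
        by_class = {}
        for j, s in enumerate(x):
            if j != i:
                d = sum(abs(a - b) for a, b in zip(r, s))
                by_class.setdefault(labels[j], []).append((d, s))
        for c, cands in by_class.items():
            nearest = [s for _, s in sorted(cands, key=lambda t: t[0])[:k]]
            # hits subtract; misses add, weighted by P(C) / (1 - P(class(R)))
            sign = -1.0 if c == labels[i] else prior[c] / (1.0 - prior[labels[i]])
            for s in nearest:
                for f in range(n):
                    w[f] += sign * abs(r[f] - s[f]) / (m * k)
    return w

def rank_features(rows, labels, names, k=1):
    """Feature names ordered from most to least discriminative."""
    w = relieff(rows, labels, k)
    return [nm for _, nm in sorted(zip(w, names), reverse=True)]
```

On the constructed flows the packet-length feature scores close to +1, duration scores moderately, and the noise column scores below zero, which is the signal a wrapper-based secondary selection would use to drop it before classification.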
Keywords/Search Tags:Malware detection, Network traffic, Feature extraction, Cluster analysis, Self-similarity, Buffer overflow vulnerability