朱禹,沈海斌,周喜川

DOI: https://doi.org/10.3969/j.issn.1005-9490.2008.06.060

2008-01-01

Abstract:Comparing to the common anti-virus tools,we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors,rather than recognizing specific instances of worms.We collected 323 features in order to reflect the computer behaviors and used a new feature selection method to reduce classified features.In the experiment,Bayesian Network theorem was applied on the several feature subsets to deduce the rule.We performed several experiments to evaluate the detection system,focusing on computer worms being injected in the computer while running several programs in order to simulate different background statuses.The average accuracy we achieved was above 80% for unknown worms sample and for known worms even above 99%.

P Wang,BX Fang,XC Yun

DOI: https://doi.org/10.1109/pdcat.2005.25

2005-01-01

Abstract:Worms have seriously harmed computer and network systems due to their rapid spread rate. Therefore, it is necessary to research automatic worm detection systems in large networks. In this paper, data stream based anomaly detection is used to screen out anomalous network data flow, subsequently, the signature is extracted. After analyzed, the signature is updated to the misuse detection pattern. Based on an automatic worm defense, a system could discover an epidemic situation effectively and detect an unknown worm.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

Haibin Shen

2008-01-01

Abstract:In order to prevent the huge damage caused by computer worms,an innovative approach using support vector machine(SVM) classifier for detecting unknown computer worm based on the measurement of computer performance was proposed to alarm Internet users.In the experiment,system features were monitored from window performance counters with different applications running on and bayesian network theorem was applied on selecting features from which the judging rule is deduced by SVM.As proved by the result from testing experiment,the system can detect the presence of an unknown worm by reaching high accuracy,so that it can be well known that the model using SVM active learning the less prior knowledge has a good performance on detecting unknown computer worms.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

LI Zhi-dong,YUN Xiao-Chun,YANG Wu,XIN Yi

2005-01-01

Journal of Computer Applications

Abstract:Serving as the bridge that links detection and containment, automatic signature extraction has played an important role in anti-worm. Traditional Internet worm signature extraction algorithms were introduced. Based on the analysis of their mechanisms and major defections, an extraction algorithm based on common feature set was presented. It supported low complexity extraction and optimization, as well as the tradeoff between sensitivity and specialization, and had remarkable superiority in dealing with background noise and cross infection.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

XIN Yi,FANG Bin-xing,HE Long-tao,YUN Xiao-chun,LI Zhi-dong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.001

2007-01-01

Abstract:Worm detection and signature extraction was presented based on analysis of similar communication character-istics,which identifies the distinct communication pattern of worm spread,and evaluates the similarity metric of commu-nication characteristic sets,and detects worms by detecting their infectivity with higher detection precision,generality and adaptability.Based on this,a heuristic detection framework is designed,which eliminates non-worm traffic from protocol,sequence,and content in three levels via blind,intent and lock track,then filters out worm packets and extracts signatures.The technique reduces data collection volume and analysis cost dramatically,and can detection worm and ex-tract signature quickly in the environment with high strength background noise.

Hao Tu,Zhitang Li,Bin Liu,Yejiang Zhang

DOI: https://doi.org/10.1080/15501320802508543

2009-01-01

Abstract:The fast spread of a worm is a great challenge to Internet security. Most current defense systems use a signature matching approach while most signatures are developed manually. It is difficult to catch a variety of new worms promptly. An efficient worm defense system is designed and implemented to provide early warning at the moment the worms start to spread in the network and to contain or slow down the spread of the worm by automatically extracting a signature that could be used by firewalls or Intrusion Prevention Systems. Several recent efforts to automatically extract worm signatures from Internet traffic have been done, but the efficiency is an unsolved problem especially in real high-speed network. In this paper, we proposed an efficient worm defense system based signature extraction. The input of the system is all traffic crossing an edge network and its output is a database of worm signatures which can be used by content-based defense. There are three main stages to extract signatures from network traffic. First, a clustering stage uses multidimensional traffic mining based IP header to identify significant traffic volume. We propose a binary clustering algorithm and this leaves a preferred policy to improve the front traffic filter, which can reduce the traffic to be processed and enhance its purity. After clustering, nonsignificant traffic volume is stored in an innocuous packet pool and significant traffic volume is further classified using address dispersion as suspicious or innocuous. After this stage, only a small portion of the packets captured from the edge network are analyzed in third stage, signature extraction. A position-aware signature generation method based bloom filter is proposed to extract more accurate signatures with less CPU time and memory consumption. To minimize false positives, the signatures will be verified based on the innocuous packet pool. Both trace data and tcpdump data are used to test the prototype system. Experiment results show that the system can efficiently filter through suspicious traffic with high purity and extract more accurate signature, which can well support popular content-based defense system such as Snort.

Hui He,Mingyi Hu,Weizhe Zhang,Hongli Zhang

DOI: https://doi.org/10.1007/11739685_70

2006-01-01

Abstract:Internet worms constitute a major threat to the security of today’s networks. They work by exploiting vulnerabilities in operating systems and application software that run on end systems. In this paper, an effective algorithm for fast detection of worms is proposed. It integrates the worms’ behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution and changes in some of their attributes. The process of fast detection based on similarity is discussed in detail including threshold selection, similarity detection algorithm and fine analysis. Simulation experiments show that the detection algorithm can locate the worm infection prior to it spreading over the large-scale network.

Yi Xin,Bin-Xing Fang,Xiao-Chun Yun,Hai-Yong Chen

DOI: https://doi.org/10.1109/PDCAT.2005.255

2005-01-01

Abstract:Nowadays, worms have been one of the leading threats to information security and service availability. Current operational practices have not been able to manage the threat effectively. So it is very important to make early warning of the burst of worm in large scale network. In this paper we analyze the real network traffic in large scale network. Based on long time statistic, we construct a network traffic model which concern two parameters: the traffic volume and curve of traffic function. And then we propose a method to computer the function curve of normal traffic function in ideal condition. We deployed them in our campus network (more than 20000 computers, 400M/s bandwidth to internet).It is shown that the worms are detected automatically and efficiently.

Hao Tu,Zhitang Li,Bin Liu

DOI: https://doi.org/10.1109/fskd.2008.434

2008-01-01

Abstract:Recent worm increasingly threaten the availability of Internet. It is difficult to catch variety of 0day worms promptly with current signature matching approach because most signatures are developed manually. Several recent efforts to automatically extract worm signatures from Internet traffic have been done, but the efficiency is an unsolved problem especially in real high-speed network. We propose a binary clustering algorithm and a leaves preferred policy to improve the front traffic filter, which can reduce the traffic to be processed and enhance its purity. A position-aware signature generation method based bloom filter is proposed to bring better performance and more accurate signature for content-based defense. Both trace data and tcp dump data are used to test the prototype system and experiment results show the system can efficiently filter through suspicious traffic with high purity, which is no more than 25% of entire traffic, and extract more accurate signature, which can well support popular defense system such as Snort.

Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

涂浩,李之棠,柳斌

2009-01-01

Abstract:The fast spread of worm is a great challenge to Internet security.An effective worm detection and defense system is designed and implemented.A binary cluster algorithm is proposed to improve the front traffic filter,which reduce the traffic and enhance its purity.A method of position-aware signature generation based Bloom Filter is proposed to bring better performance and more accurate signature.Experiments show the system can effective detect worm traffic and generate accurate signature for content-based automatic defense.

唐勇,诸葛建伟,陈曙晖,卢锡城

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.03.018

2013-01-01

Abstract:A practical worm regular expression of automatic extraction method was presented, which involves four steps:sample collection from worm propagation, signature tree generation, removal of high false-positive signatures, and sig-nature merging. The advantage of this method is that it can directly output expression signature with the rich syntax of“.*”,“.{k}”,“|”,“(c){k}”. Based on the honeypot system Honeybow deployed in Internet, the method was implemented and evaluated by several in-wild worms under real Internet environment. The experiment results show that the method can generate accurate regular expression signatures for real worms and is promising for the applications of automatic analysis of worms and malwares.

Chen Bo,Bin Xing Fang,Xiao Chun Yun

DOI: https://doi.org/10.1007/11760146_16

2006-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new algorithm for detecting worms. Our algorithm first monitors the computers on network and gets the number of abnormal computers. Then based on the monitoring result, we detect an unknown worm by using recursive least squares estimation. The experiments result proves that our approach is effective to detect unknown worm.

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

Hui He,Ming-Zeng Hu,Wei-Zhe Zhang,Hong-Li Zhang

2005-01-01

Abstract:Internet worms are becoming a major threat to the security of today's large-scale networks. The fast spreading nature of worms calls for a worm monitoring and early detection system. In this paper, an effective algorithm for early detection of the active worms and the corresponding detection system are proposed. The detection engine is the key components to the system, and the early detection algorithm based on multi-similarity is discussed in detail, which is the core of the engine, that integrates the worms' behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution change of some attributes. Our simulation experiments show that the system can detect the presence worms intrusion when attacks don't arouse the sharp changes of the network traffic. It can detect the worm attack ahead of its overspreading on the large-scale network.

Ping Ren,Wu Liu,Ke Liu,Donghong Sun

DOI: https://doi.org/10.1109/IWCDM.2011.36

2011-01-01

Abstract:As the flooding of malicious codes such as worms, how to analyze large number of malicious samples quickly and effectively becomes a great issue for researchers in network security. This paper proposed an analysis algorithm for worm network behavior based on event sequence, which uses the data flow recombination and compression methods to process the pure malicious data. With this algorithm, one can quickly extract the network behavior profile and the signature of the worm. The application of this algorithm will greatly improve the efficiency of analyzing the worm network behavior, which will be significant for the deployment of firewalls and network invasion detection systems.