计算机工程与应用 ›› 2008, Vol. 44 ›› Issue (36): 106-108.DOI: 10.3778/j.issn.1002-8331.2008.36.029

• 网络、通信、安全 • 上一篇    下一篇

Polymorphic蠕虫特征自动提取算法及检测技术研究

赵 旭,何聚厚   

  1. 陕西师范大学 计算机科学学院,西安 710062
  • 收稿日期:2008-07-24 修回日期:2008-10-17 出版日期:2008-12-21 发布日期:2008-12-21
  • 通讯作者: 赵 旭

Automatic signature generation algorithm and detection technology for Polymorphic worm

ZHAO Xu,HE Ju-hou   

  1. Department of Computer Science,Shaanxi Normal University,Xi’an 710062,China
  • Received:2008-07-24 Revised:2008-10-17 Online:2008-12-21 Published:2008-12-21
  • Contact: ZHAO Xu

摘要: 入侵检测系统检测蠕虫攻击的关键在于蠕虫特征是否准确,随着蠕虫Polymorphic技术的不断发展,如何快速有效地提取Polymorphic蠕虫特征,是入侵检测中特征提取领域的一个重要的研究方向。采用基于模式的特征提取算法,通过对多个可疑Polymorphic蠕虫流量进行序列比对,自动提取它们的最长公共子序列,结果用两种形式的向量表示;并采用相似度度量的检测方法,利用已提取的特征向量,判别新到来的Polymorphic蠕虫流量所属的类别,从误报率和漏报率方面验证了特征提取算法的有效性以及相似度度量检测方法的有效性。

Abstract: The crucial factor of the IDS (Intrusion Detection System) is whether the attack signature is accurate.With the unceasing development of the technology of polymorphic worm,how to generate the signature of polymorphic worm speedily and effectively is very important in the research area of the signature generation in IDS.This paper presents a signature generation algorithm based on pattern.The signature is the longest common subsequence generated by sequence comparison of several suspicious polymorphic worm flows,and represented in two vector styles.The new incoming polymorphic worm flows is detected by the signature vector and similarity metric.From the similarity metric in false positive and false negative,the experimental results show that this method can achieve high detection performance.