

Worm Detection and Containment in LAN

【Author】 王杰

【Supervisor】 李胜利

【Author information】 华中科技大学 (Huazhong University of Science and Technology), Computer Software and Theory, 2006, Master's thesis

【Abstract (translated from the Chinese)】 In recent years, as Internet use has deepened, network worms have posed an ever more serious threat to computer system and network security: worms spread faster and faster, and the damage they cause keeps growing. Traditional signature-based worm detection is limited by the need to obtain a worm's signature first and cannot detect unknown worms; existing behavior-based detection can detect unknown worms, but faces a trade-off between detection time and false-positive rate. For worm containment, suspicious worm traffic is usually simply blocked, which harms normal traffic. To address these problems, the LAN worm detection and containment system in this thesis inspects and controls the egress traffic of each LAN segment according to the behavioral characteristics worms exhibit in their different propagation stages. Scan-behavior detection computes the rate at which a host initiates new outbound connections, so that hosts in the segment that are scanning are found promptly; content-based detection then analyzes the traffic of those scanning hosts, searching the TCP streams a suspicious host initiates for repeated packet content, and thereby identifies hosts infected by a worm. The system applies different control strategies to hosts with different behavior: for hosts that scan, a rate-limiting mechanism delays suspicious connection requests, which effectively suppresses worm propagation while avoiding harm to normal traffic; for hosts already infected, blocking drops the packets that contain the worm signature, stopping propagation completely. Scan-behavior detection and the rate-limiting and blocking controls are implemented on the Netfilter firewall framework of the Linux 2.4.x kernel: hook functions loaded in kernel space intercept packets and apply controls of different strength to suspicious packets according to the control strategy. Content-based detection uses Libpcap at the link layer to capture the suspicious hosts' packets, builds a TCP connection table by tracking TCP state in order to reassemble packets into streams, and extracts worm signatures by finding the longest common substring across multiple streams with a suffix tree. Experiments show that the LAN worm detection and containment technique not only detects worms promptly but also effectively impedes worm propagation from the LAN outward, with little effect on normal user traffic.

【Abstract】 With the recent popularity of the Internet, worms have posed an increasingly severe threat to computer systems and networks. Traditional signature-based detection is not suitable for detecting fast-spreading worms, since it requires worm signatures in advance. Behavior-based detection can detect unknown worms, but there is a trade-off between detection time and false positives. On the other hand, the commonly used block-when-detected approach to worm containment has a negative effect on normal traffic. To deal with these problems, we propose a step-by-step worm detection and control scheme to contain worms in a Local Area Network. The scheme uses different detection methods to identify the distinct features of different stages of worm propagation, and employs different control strategies to prevent worms from leaving the Local Area Network. The scan-based detection method detects worms in time by identifying their scanning behavior in the early stage; the content-based detection method performs deeper inspection of packet contents to identify repeated payloads. For hosts exhibiting worm scanning behavior, rate-limiting control effectively slows worm spread while exerting little negative influence on normal traffic; for hosts infected by worms, block-based control stops the worm completely by dropping packets containing the worm signature. Scan-based detection and control are implemented on Netfilter in the Linux 2.4.x kernel, loading our own hook functions and applying different strategies to suspicious packets. Content-based detection uses Libpcap to sniff the suspicious traffic from scanning hosts, reassembles the TCP streams, and extracts the longest common substrings from those streams with a suffix tree algorithm.
Tests demonstrate that the step-by-step worm detection and control scheme can detect worms at an early stage and efficiently prevent them from spreading without affecting normal traffic.
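The two-stage scheme both abstracts describe, as an added example written for this page (it is not code from the thesis): stage 1 flags hosts by the rate at which they open connections to new destinations, stage 2 searches the flagged hosts' reassembled TCP streams for the longest byte string common to all of them, and the control decision rate-limits plain scanners and blocks hosts for which a signature was found. The thesis does the stage-2 search with a suffix tree; here a brute-force search over substrings of the shortest stream stands in for it (same result, slower). The Netfilter hook and the Libpcap capture/reassembly are not reproduced: `Flow.payload` is taken as an already reassembled client-side stream. The `Flow` type, the thresholds (`window`, `max_new`, `min_len`) and all sample traffic, including the `CORE` marker bytes, are constructed assumptions.

```python
"""Two-stage LAN worm detection (scan rate, then cross-stream common substring)
with a per-host control decision, run over constructed flow records.
Added example; thresholds and sample data are assumptions, not thesis values."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound TCP connection seen at the segment egress (constructed)."""
    src: str
    dst: str
    dport: int
    t: float        # time of the SYN, in seconds
    payload: bytes  # client-side stream after reassembly; b"" if nothing was sent


# Stage 1: scan detection by the rate of connections to *new* destinations.
def scanning_hosts(flows, window=1.0, max_new=5):
    """Hosts that contact more than `max_new` new destinations within any
    `window`-second sliding window.  Repeat contacts to a destination already
    seen do not count, so a client re-using its usual servers is not flagged."""
    seen = defaultdict(set)      # host -> destinations already contacted
    recent = defaultdict(deque)  # host -> times of recent first contacts
    flagged = set()
    for f in sorted(flows, key=lambda f: f.t):
        if f.dst in seen[f.src]:
            continue
        seen[f.src].add(f.dst)
        q = recent[f.src]
        q.append(f.t)
        while f.t - q[0] > window:   # drop first contacts outside the window
            q.popleft()
        if len(q) > max_new:
            flagged.add(f.src)
    return flagged


# Stage 2: content detection on the scanners' TCP streams.
def extract_signature(streams, min_len=16):
    """Longest byte string present in every non-empty stream, or None when
    fewer than two streams carry data or the common part is shorter than
    `min_len` (too short to be a usable signature).  Brute force stands in
    for the thesis's suffix-tree search."""
    streams = [s for s in streams if s]
    if len(streams) < 2:
        return None
    i = min(range(len(streams)), key=lambda k: len(streams[k]))
    base, others = streams[i], streams[:i] + streams[i + 1:]
    for length in range(len(base), min_len - 1, -1):
        for start in range(len(base) - length + 1):
            cand = base[start:start + length]
            if all(cand in s for s in others):
                return cand
    return None


# Control decision: rate-limit mere scanners, block hosts with a signature.
def control_policy(flows, window=1.0, max_new=5, min_len=16):
    policy = {}
    for host in sorted(scanning_hosts(flows, window, max_new)):
        sig = extract_signature([f.payload for f in flows if f.src == host], min_len)
        policy[host] = ("block", sig) if sig else ("rate_limit", None)
    return policy


def enforce(policy, flow):
    """Per-packet verdict the egress hook would return: DROP a blocked host's
    packets that carry the signature, DELAY (queue) a rate-limited host's
    connection requests, ACCEPT everything else."""
    action, sig = policy.get(flow.src, ("accept", None))
    if action == "block" and sig in flow.payload:
        return "DROP"
    if action == "rate_limit":
        return "DELAY"
    return "ACCEPT"


# Constructed sample traffic (no real worm bytes; CORE is an arbitrary marker).
CORE = b"\x90\x90\x90\x90CONSTRUCTED-WORM-BODY-0123456789"
SAMPLE_FLOWS = (
    # infected host: 8 new targets in 0.8 s, same exploit body in every stream
    [Flow("10.0.0.7", f"10.0.1.{i}", 80, 0.1 * i,
          b"GET /probe/" + f"10.0.1.{i}".encode() + b" HTTP/1.0\r\n" + CORE)
     for i in range(1, 9)]
    # port scanner: 7 new targets in 0.35 s, SYN only, no data
    + [Flow("10.0.0.3", f"10.0.3.{i}", 445, 5.0 + 0.05 * i, b"") for i in range(1, 8)]
    # ordinary client: 10 connections but only 2 distinct servers
    + [Flow("10.0.0.5", "10.0.2.1" if i % 2 else "10.0.2.2", 80, 10.0 + i,
            b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n") for i in range(10)]
    # burst of exactly 5 new targets: at the threshold, not over it
    + [Flow("10.0.0.9", f"10.0.4.{i}", 22, 20.0 + 0.1 * i, b"") for i in range(5)]
)

if __name__ == "__main__":
    pol = control_policy(SAMPLE_FLOWS)
    for host, (action, sig) in pol.items():
        print(host, action, sig)
    for f in SAMPLE_FLOWS[:1] + SAMPLE_FLOWS[8:9] + SAMPLE_FLOWS[15:16]:
        print(f.src, enforce(pol, f))
```

Two things the run shows that the abstracts only state. First, the host that scans without sending data (`10.0.0.3`) yields no signature and is only delayed, which is the point of the two-tier control: a vulnerability scanner or inventory tool is slowed, not cut off. Second, the signature extracted for `10.0.0.7` is `b" HTTP/1.0\r\n" + CORE`: the longest common substring across same-protocol streams absorbs protocol boilerplate along with the worm body, so a deployment must strip or allow-list known protocol fields (and keep `min_len` well above their length) before using the string as a blocking rule, or it will drop legitimate traffic that happens to share the header.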

【Key words】 Worm; Detection; Containment; Local Area Network (Chinese keywords: 蠕虫; 检测; 控制; 局域网)
  • 【CLC number】 TP309.5
  • 【Cited by】 2
  • 【Downloads】 130

