
网络蠕虫的早期检测和防护算法研究 (Research on Early-Stage Detection and Defense Algorithms for Network Worms)

The Research on Early-stage Worm Detection and Defend Algorithms

【Author】 陈浩文 (Chen Haowen)

【Supervisor】 林亚平 (Lin Yaping)

【Author information】 Hunan University (湖南大学), Computer Application Technology, 2007, Master's thesis

【Abstract (Chinese original, translated)】 With the rapid expansion of computer networks, network worm attacks have become a major problem affecting network security. New-generation worms spread ever faster and do ever greater damage, and early detection of worms is both the precondition for worm defense and its technical difficulty. Traditional signature-matching intrusion detection systems can no longer cope with worm detection and defense; effective methods for detecting and suppressing worm propagation have to start from the propagation characteristics of network worms. This thesis studies early-stage detection and protection algorithms for network worms, so as to guard against them as early as possible and reduce the damage they do to the network. First, addressing the fact that most current worms fill the network with large numbers of ICMP-T3 (ICMP type 3, destination unreachable) and RESET packets while scanning and propagating, the thesis analyzes these two kinds of packets and proposes an efficient early-stage worm detection algorithm. The algorithm captures and analyzes only RESET and ICMP-T3 packets, avoiding analysis of all network traffic and thereby improving analysis efficiency and real-time responsiveness. At the same time, analysis of the worm propagation process shows that it exhibits a DS transition characteristic that human-driven scans lack, so the addresses of infected hosts can be obtained more precisely. Second, against the worm attack methods currently seen on the network, the thesis proposes a host protection model based on resource operation domains. The model starts from system resources and centers on controlling process behavior, establishing a minimal set of processes authorized to access system resources and of the operations they may perform, which fundamentally improves the proactiveness of protection and the ability to guard against unknown worm attacks. Furthermore, on the basis of the efficient early-stage worm detection algorithm proposed here, the thesis designs and implements an early-stage worm detection system, LEDW. The system uses a distributed architecture, runs on Linux, is developed in C++ with the Libpcap library, and stores the collected data in MySQL. Running it in a real network environment and detecting the Mocbot worm (Worm_Mocbot.A) shows that the system has good real-time performance for early worm detection. Finally, the thesis points out work that needs further improvement and potential directions for future research.

【Abstract】 With the rapid growth of networks, worm attacks have become a serious problem. Given the ever faster spread of worms and the ever greater damage they cause, early detection has become the precondition for, and the key technical challenge of, worm defense. Because traditional intrusion detection systems cannot detect and defend against worms, it is necessary to study the early-stage characteristics of worms so as to find efficient methods for detecting and controlling their propagation. This thesis focuses on early-stage worm detection and defense algorithms, in order to defend against worms as early as possible and reduce the damage they cause.

Starting from the fact that worm propagation always generates a large number of ICMP-T3 and RESET packets, this thesis analyzes these two kinds of packets and proposes an efficient early-stage worm detection method. The method only needs to capture and analyze RESET and ICMP-T3 packets, avoiding analysis of all traffic, which improves analysis efficiency and reduces response time. At the same time, because the worm propagation process exhibits a DS transition characteristic that a human-driven scan does not, analyzing that process lets the thesis obtain the addresses of worm-infected hosts accurately.

Secondly, with existing worm attack methods in view, this thesis proposes a host protection model based on resource operation domains. The model starts from system resources and controls process behavior, building a minimal set of processes authorized to access system resources and of the operations they may perform. As a result, worm defense becomes more proactive and more effective against unknown worm attacks.

Based on the above theoretical analysis, the LEDW system was built to detect worms as early as possible. The system adopts a distributed architecture and runs on Linux. It was developed in C++ with Libpcap, and the gathered data is stored and managed in MySQL. Detection of Worm_Mocbot.A in a real network showed that the system is effective and usable in real-time applications. Finally, the thesis points out work to be improved and potential future research.
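The detection algorithm the abstract describes, as an added worked example that is not part of the thesis or of LEDW (which is C++ on Libpcap): a detector that consumes only TCP RST and ICMP type 3 (destination unreachable) packets, maps each back to the probe that triggered it, flags a host as a scan source once its probes have failed against a threshold number of distinct targets inside a time window, and then marks the "DS transition". The page does not define "DS"; the example reads it as destination-to-source, meaning a host that was first a destination of a flagged scanner's probes and later becomes a scan source itself, which is the propagation signature a one-off human scan lacks. The packet records, addresses, thresholds and the `EarlyWormDetector` class are all constructed for this example.

```python
"""Added example: early worm detection from TCP RST and ICMP type-3 packets only.
The trace at the bottom is constructed, not captured data.  Each record is one
*failure* packet seen on the wire:
  kind "RST":   TCP reset; src refused the connection, dst is the prober
  kind "ICMP3": destination unreachable; the quoted inner IP header names the
                original prober (inner_src) and the unreachable target (inner_dst)
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float
    kind: str
    src: str
    dst: str
    inner_src: str = ""
    inner_dst: str = ""


def prober_and_target(p: Pkt):
    """Map a failure packet back to (prober, target) of the probe that caused it."""
    if p.kind == "RST":
        return p.dst, p.src
    if p.kind == "ICMP3":
        return p.inner_src, p.inner_dst
    raise ValueError(f"not a failure packet: {p.kind}")


class EarlyWormDetector:
    """Flag scan sources from failure packets; mark destination-to-source (DS)
    transitions, i.e. a flagged scanner that an earlier flagged scanner had probed
    (assumed reading of the thesis's "DS" characteristic)."""

    def __init__(self, window=10.0, fail_threshold=5):
        self.window = window
        self.threshold = fail_threshold
        self.failures = defaultdict(deque)   # prober -> (t, target) inside the window
        self.scanners = {}                   # prober -> time it was flagged
        self.probed_by_scanner = {}          # target -> first time a flagged scanner hit it
        self.ds_hosts = {}                   # hosts that went from probe target to scan source

    def feed(self, p: Pkt):
        prober, target = prober_and_target(p)
        if prober in self.scanners:
            self.probed_by_scanner.setdefault(target, p.t)   # already flagged: track victims
            return
        q = self.failures[prober]
        q.append((p.t, target))
        while q and p.t - q[0][0] > self.window:              # slide the window
            q.popleft()
        if len({tgt for _, tgt in q}) < self.threshold:
            return
        self.scanners[prober] = p.t
        for t0, tgt in q:                                     # its earlier targets count too
            self.probed_by_scanner.setdefault(tgt, t0)
        first_hit = self.probed_by_scanner.get(prober)
        if first_hit is not None and first_hit < p.t:
            self.ds_hosts[prober] = p.t

    def report(self):
        return {"scanners": sorted(self.scanners), "ds_transition": sorted(self.ds_hosts)}


def rst(t, refuser, prober):
    return Pkt(t, "RST", src=refuser, dst=prober)


def icmp3(t, router, prober, target):
    return Pkt(t, "ICMP3", src=router, dst=prober, inner_src=prober, inner_dst=target)


SAMPLE_TRACE = [  # constructed
    # seed host 192.168.1.7 sweeps 10.0.1.0/24: closed ports and absent hosts
    *[rst(0.5 * i, f"10.0.1.{i}", "192.168.1.7") for i in range(1, 5)],
    icmp3(2.5, "10.0.1.254", "192.168.1.7", "10.0.1.40"),
    icmp3(3.0, "10.0.1.254", "192.168.1.7", "10.0.1.41"),
    # 10.0.1.3 refused one port but was compromised on another (constructed);
    # twenty seconds later it starts its own sweep of 10.0.2.0/24
    *[rst(20.0 + 0.4 * j, f"10.0.2.{j}", "10.0.1.3") for j in range(1, 6)],
    icmp3(23.0, "10.0.2.254", "10.0.1.3", "10.0.2.77"),
    # an administrator's port scan from 10.0.0.5: many failures, but nobody probed it first
    *[rst(30.0 + 0.3 * k, f"10.0.3.{k}", "10.0.0.5") for k in range(1, 8)],
]


def run(trace, window=10.0, fail_threshold=5):
    det = EarlyWormDetector(window, fail_threshold)
    for p in sorted(trace, key=lambda p: p.t):
        det.feed(p)
    return det.report()


if __name__ == "__main__":
    print(run(SAMPLE_TRACE))   # ds_transition contains only 10.0.1.3
```

On the constructed trace all three probing hosts are reported as scan sources, but only 10.0.1.3 carries the DS mark: the seed host was never seen as a target (it entered from outside the monitored range) and the administrator's scan has no upstream scanner, which is the distinction the thesis uses to separate worm propagation from other scanning. The thresholds are illustrative; a deployment would tune `window` and `fail_threshold` against the baseline failure rate of the monitored network.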
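The resource-operation-domain host protection model, as an added illustration in Python that is not the thesis's own implementation: a default-deny policy that grants each process a minimal set of (resource domain, operation) pairs and refuses everything else, evaluated against a constructed action trace of a service process that a worm has taken over. The process name, paths, ports, operation names and the `ResourceDomainPolicy` API are assumptions made for this example.

```python
"""Added example: a resource-operation-domain policy for host protection.
Default deny.  Each process gets a minimal set of grants, one per resource
domain ("file" or "net"), naming the resources it may touch (a path glob or a
TCP port range) and the operations permitted on them.  Anything outside the set
is refused and recorded, so a worm that hijacks the process is stopped at its
first unusual action even though the worm itself is unknown.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    domain: str        # "file" or "net"
    pattern: str       # file: glob over an absolute path; net: "tcp:PORT" or "tcp:LO-HI"
    ops: frozenset     # operations permitted on matching resources


def _matches(grant: Grant, resource: str) -> bool:
    if grant.domain == "file":
        return fnmatch.fnmatchcase(resource, grant.pattern)
    if grant.domain == "net":
        proto, port = resource.split(":")
        gproto, grange = grant.pattern.split(":")
        if proto != gproto:
            return False
        lo, _, hi = grange.partition("-")
        return int(lo) <= int(port) <= int(hi or lo)
    return False


class ResourceDomainPolicy:
    def __init__(self):
        self.grants = {}    # process name -> list[Grant]
        self.audit = []     # every denied (process, domain, resource, op)

    def allow(self, process, domain, pattern, *ops):
        self.grants.setdefault(process, []).append(Grant(domain, pattern, frozenset(ops)))

    def check(self, process, domain, resource, op) -> bool:
        """True only if some grant for this process covers the resource and the op."""
        for g in self.grants.get(process, []):
            if g.domain == domain and op in g.ops and _matches(g, resource):
                return True
        self.audit.append((process, domain, resource, op))
        return False


def build_smbd_policy() -> ResourceDomainPolicy:
    """Minimal set for a constructed file-sharing daemon: its config, its state,
    the exported share, and the single port it serves on."""
    pol = ResourceDomainPolicy()
    pol.allow("smbd", "file", "/etc/samba/*", "read")
    pol.allow("smbd", "file", "/var/lib/samba/*", "read", "write")
    pol.allow("smbd", "file", "/srv/share/*", "read", "write")
    pol.allow("smbd", "net", "tcp:445", "listen")
    return pol


# Constructed action trace: the daemon behaves normally, then a worm that has
# taken over the process tries to drop a payload, run it, call home, and scan.
WORM_IN_SMBD = [
    ("smbd", "file", "/etc/samba/smb.conf", "read"),
    ("smbd", "net", "tcp:445", "listen"),
    ("smbd", "file", "/tmp/payload.bin", "write"),
    ("smbd", "file", "/tmp/payload.bin", "exec"),
    ("smbd", "net", "tcp:6667", "connect"),
    ("smbd", "net", "tcp:445", "connect"),
]


def denied(pol: ResourceDomainPolicy, actions):
    """Return the actions the policy refuses, in order."""
    return [a for a in actions if not pol.check(*a)]


if __name__ == "__main__":
    for a in denied(build_smbd_policy(), WORM_IN_SMBD):
        print("DENY", a)
```

The point of the domain split is that the grants say nothing about any worm: the outbound `connect` on port 445 is refused simply because the daemon was only ever authorized to `listen` there, and the `exec` of a freshly written file is refused because no grant for the process includes that operation on any path. The audit list is what a deployment would feed into the detection side.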

  • 【Online publisher】 Hunan University (湖南大学)
  • 【Online publication issue】 2008, No. 05
  • 【CLC number】 TP309.5
  • 【Cited by】 2
  • 【Downloads】 142