
Research and Implementation of a Worm Detection System Based on Anomalous Traffic

Research and Implementation of Anomaly Traffic Based Worm Detection System

【Author】 马嫄

【Supervisor】 李之棠

【Author information】 华中科技大学 (Huazhong University of Science and Technology), Computer System Architecture, 2007, Master's thesis

【Abstract (translated from Chinese)】 In recent years, as Internet applications have spread, network worms have become an increasingly serious threat to computer system and network security. Traditional signature-matching worm detection is limited by the need to obtain worm signatures first and cannot detect unknown worms; existing behaviour-based detection methods can detect unknown worms, but they still involve a trade-off between detection time and false-positive rate. How to detect unknown worms quickly and accurately is therefore a pressing practical problem. In the outbreak phase of a worm, the number of infected hosts rises sharply and a large volume of network traffic is generated within a short time, so a worm detection system based on anomalous traffic was designed, intended to discover the spread of unknown worms promptly from changes in traffic volume, without any worm signature database. The system uses NetFlow to collect network traffic, so it need not examine packet payloads but obtains the required flow information directly, which reduces demand on system resources and greatly improves timeliness. After real-time traffic data are collected, a worm detection algorithm based on a dynamic traffic baseline decides whether a worm attack is present in the network: it monitors the traffic of several destination ports simultaneously, identifies anomalous worm traffic against each port's normal baseline model, and then picks out suspected infected hosts from the TOP N hosts of the anomalous flows. To reduce the false-positive rate, the algorithm updates the baseline value dynamically according to the actual traffic volume, so that even when normal traffic grows at network peak times it does not exceed the threshold. In addition, traffic statistics records are stored in an adaptive hash-bucket structure: records are chained into separate linked lists by port number and sorted in decreasing order of traffic value, so each port's monitoring thread manages only its own list, which improves the efficiency of the detection algorithm. Once a worm attack is found, alarms of different levels are generated according to the severity of the anomalous traffic, and two response mechanisms, firewall linkage and router access control list (ACL) filtering, are used to stop further propagation, thereby suppressing large-scale worm outbreaks. Finally, a simulated test environment was built to test the function and performance of the worm detection system; the results show that the system can detect unknown network worms promptly and accurately.

【Abstract】 With the growing popularity of the Internet, worms pose an increasingly severe threat to computer systems and networks. Traditional signature-based detection is unsuitable for unknown worms because it requires worm signatures in advance. Behaviour-based detection can detect unknown worms, but it involves a trade-off between detection time and false positives. Detecting unknown worms quickly and accurately is therefore a pressing task. During a worm outbreak the number of infected hosts rises sharply, producing a large volume of network traffic. An anomaly-traffic-based worm detection system is therefore presented. It detects worms from traffic fluctuation, so it can detect unknown worms effectively and raise an early warning in the epidemic phase. The system collects traffic with NetFlow: it does not inspect packet contents but obtains flow information directly, which reduces the demand on system resources and improves efficiency. The system then detects worms with a detection algorithm based on a dynamic traffic baseline. The algorithm monitors several destination ports and confirms anomalous traffic against the baseline of normal traffic; infected hosts are then identified from the TOP N NetFlow data. To reduce false positives, the algorithm updates the traffic baseline dynamically according to the observed traffic, so that even a sudden increase of normal traffic at network peak does not exceed the threshold. In addition, traffic records are stored in an adaptive hash bucket: records for different ports are placed in separate linked lists, ordered by decreasing traffic value, so each thread manages only its own linked list and the efficiency of the detection algorithm is improved. After worms are detected, the system issues alarms of different levels and takes active defence measures, firewall linkage and router ACLs, to alleviate the ongoing worm attack and thus restrain the large-scale spread of network worms. Finally, the system is tested in a simulated environment. The results show that it can detect unknown worms accurately and in time.
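A minimal sketch of the per-port dynamic-baseline check the abstract describes, added here as an illustration and not the thesis's own code. The exponential baseline update, the alarm factor, the warm-up length, the two severity levels and the constructed NetFlow-like records are all assumptions of this example.

```python
from collections import Counter, defaultdict
# Tunables and records are assumptions of this example, not thesis values.
ALPHA = 0.2    # weight of the newest interval in the moving baseline
FACTOR = 3.0   # alarm when interval volume exceeds FACTOR x baseline
WARMUP = 3     # intervals observed before a port may raise an alarm
TOP_N = 3      # suspect hosts reported per anomalous port

class PortBaseline:
    """Dynamic traffic baseline for one monitored destination port."""
    def __init__(self):
        self.baseline = 0.0
        self.seen = 0
    def update(self, volume):
        """Return (anomalous, volume/baseline); anomalous intervals are not
        folded into the baseline, so worm traffic cannot raise it and hide."""
        self.seen += 1
        if self.baseline == 0:              # first sample, or port was idle
            self.baseline = float(volume)
            return False, 1.0
        ratio = volume / self.baseline
        if self.seen > WARMUP and ratio > FACTOR:
            return True, ratio
        self.baseline = ALPHA * volume + (1 - ALPHA) * self.baseline
        return False, ratio

def severity(ratio):
    return "high" if ratio > 2 * FACTOR else "medium"

def detect(intervals, ports=(445, 80)):
    """Per-interval check of each monitored port; returns alarms as
    (interval index, port, severity, top-N (src_ip, flow count))."""
    monitors = {p: PortBaseline() for p in ports}
    alarms = []
    for i, flows in enumerate(intervals):
        bucket = defaultdict(list)          # port -> source of each flow
        for src, port in flows:
            if port in monitors:
                bucket[port].append(src)
        for port, mon in monitors.items():
            anomalous, ratio = mon.update(len(bucket[port]))
            if anomalous:
                top = Counter(bucket[port]).most_common(TOP_N)
                alarms.append((i, port, severity(ratio), top))
    return alarms

def sample_intervals():
    """Constructed flows: five quiet intervals, then 10.0.0.7 hammering 445."""
    normal = [(f"10.0.0.{h}", p) for h in range(1, 11) for p in (445, 445, 80, 80, 80, 80, 80)]
    worm = normal + [("10.0.0.7", 445)] * 300 + [("10.0.0.9", 445)] * 40
    return [normal] * 5 + [worm]
```

Running `detect(sample_intervals())` yields a single high-severity alarm for port 445 in the sixth interval, with 10.0.0.7 at the top of the suspect list, while port 80 stays silent and the port 445 baseline is left at its quiet-time value.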

  • 【CLC number】TP393.08
  • 【Cited by】2
  • 【Downloads】120