Research on Automatic Detection Techniques for Polymorphic Worms
【Author】 Zhang Zhenfang (张振芳);
【Supervisor】 Zhan Jinyu (詹瑾瑜);
【Author information】 University of Electronic Science and Technology of China (电子科技大学), Computer Application Technology, 2010, Master's thesis
【Abstract (Chinese)】 With the spread and deepening of networks, network worms pose an ever-growing threat to computer system security and network security; in particular, the diverse propagation paths of network worms and the complex application environments have sharply increased the frequency of worm outbreaks. Moreover, as computer technology develops, the combination of network worms with Trojan and virus techniques makes worms more stealthy, harder to detect and remove, and ever more damaging. Countering the threat of network worms has become an extremely urgent task. Many research institutions worldwide have studied worm detection and prevention and made some important progress. However, the most effective worm detection mechanism at present is still signature matching, which lags in time, and signatures are mostly extracted by hand, which is time-consuming and laborious. How to extract network worm signatures automatically, and how to discover and block worms in advance, have therefore become the topics of greatest concern in the computer network security community. Based on analysis and validation of the various current network worm detection methods, this thesis summarizes four kinds of worm characteristics: scanning behaviour, self-replication, distribution across the network, and large-scale outbreak. It proposes a multi-dimensional feature extraction scheme for worms and, taking these multi-dimensional features as the basis and exploiting the self-learning and self-training ability of neural networks, uses the classical BP neural network model to build an intelligent worm detection system that can automatically recognise unknown worms and efficiently detect known ones. First, the system is built on virtual honeypot technology: a virtual honeypot system supporting both client-side and server-side honeypots is designed, and, with the support of virtualization, multiple logical network segments are constructed within one physical segment, providing a distributed network environment for worm detection. Worm signatures are then extracted using fine-grained time-domain and frequency-domain scanning signature extraction, similarity-matching-based replication feature extraction, distribution feature extraction based on statistics of network byte streams, and scale feature extraction based on a layered overlay model. Finally, to guarantee the security and validity of data communication between system modules, the system implements a secure and confidential communication mechanism through a custom communication protocol built on open-source SSL. Lastly, the system's performance and functionality are evaluated and the shortcomings of this research are summarized.
【Abstract】 As the Internet becomes ever more widespread, network worms threaten the security of computer systems and networks much more seriously. In particular, the diversification of worm transmission paths and complex application environments have driven a surge in the outbreak frequency of network worms. Moreover, with the development of computer technology, worms increasingly combine with Trojan horse and virus techniques, which makes them more latent, more difficult to eradicate and more costly. Confronting the threat of network worms is therefore an urgent task. Many research institutions around the world have done extensive research on worm detection and prevention and have made important progress. At present, however, the most effective worm detection method is still signature matching; it suffers a certain time lag and depends heavily on manual work, so it is time-consuming and labour-intensive. This forces the network security field to focus far more attention on extracting worm signatures automatically, so that network worms can be discovered and blocked before they damage the network. On the basis of extensive analysis and validation of current worm detection technologies, we identified the most important features of network worms: network scanning, self-reproduction, distribution across the network, and large-scale outbreak. On this basis we propose a new mechanism, the multi-dimensional feature extraction mechanism, to extract worm features. Because a BP neural network can learn and train itself automatically, we use the classical BP neural network model to design an intelligent system that identifies unknown worms automatically and detects known worms effectively. First, with the support of virtual honeypot technology, we designed a virtual honeypot system that supports both a client-side honeypot and a server-side honeypot. We then built a distributed virtual network environment using virtualization technologies.
We then extract worm features with the following techniques: scanning features based on time-domain and frequency-domain analysis, self-reproduction features based on similarity matching, network behaviour (distribution) features based on analysis of network byte streams, and the large-scale outbreak feature based on a layered overlay model. Finally, to ensure the safety and effectiveness of data communication between system modules, we adapted the open-source SSL protocol to our own design to achieve a secure and confidential communication mechanism. At the end of the thesis we assess the system's performance and functionality, summarize the shortcomings of this study, and look ahead to future work.
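The time-domain and frequency-domain scanning feature extraction named in both abstracts above, as an added example in Python that is not code from the thesis: the two feature definitions (peak per-second destination fan-out, and the ratio of the strongest non-DC DFT magnitude to the DC term of the per-second connection-count series) and the constructed connection log are assumptions of this example, not the thesis's own.

```python
# Added example (not the thesis's code). Extracts two scan-behaviour features
# from a constructed connection log: a time-domain fan-out feature and a
# frequency-domain periodicity feature. Feature definitions are assumptions.
import cmath


def build_sample_log():
    """Constructed records: (timestamp_seconds, source, destination)."""
    records = []
    # "scanner": bursts of 8 new destinations every 4 s over a 32 s window
    for burst in range(8):
        for i in range(8):
            records.append((burst * 4.0, "scanner", f"10.0.{burst}.{i}"))
    # "client": a few irregular connections to two servers
    for t, dst in [(1, "srv-a"), (5, "srv-a"), (5, "srv-b"), (6, "srv-a"),
                   (17, "srv-b"), (22, "srv-a"), (30, "srv-b")]:
        records.append((float(t), "client", dst))
    return records


def bucketize(records, src, n_buckets, width=1.0):
    """Per-bucket connection counts and distinct-destination sets for one source."""
    counts = [0] * n_buckets
    dsts = [set() for _ in range(n_buckets)]
    for t, s, d in records:
        if s != src:
            continue
        b = int(t // width)
        if b < n_buckets:
            counts[b] += 1
            dsts[b].add(d)
    return counts, dsts


def time_domain_feature(records, src, n_buckets=32):
    """Peak number of distinct destinations contacted within one bucket."""
    _, dsts = bucketize(records, src, n_buckets)
    return max(len(s) for s in dsts)


def frequency_domain_feature(records, src, n_buckets=32):
    """Strongest non-DC DFT magnitude divided by the DC term (0..1).
    Regularly spaced bursts give a value near 1; irregular traffic stays low."""
    counts, _ = bucketize(records, src, n_buckets)
    n = n_buckets
    spectrum = [abs(sum(counts[t] * cmath.exp(-2j * cmath.pi * k * t / n)
                        for t in range(n))) for k in range(n)]
    dc = spectrum[0]
    return max(spectrum[1:]) / dc if dc else 0.0
```

Both values feed one dimension of the multi-dimensional feature vector; the other three dimensions the abstract lists would be computed separately and concatenated before classification.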
【Keywords】 BP neural network; network worms; honeypot; multi-dimensional feature extraction mechanism; distribution;
- 【Online publication submitted by】 University of Electronic Science and Technology of China 【Online publication issue】 2011, No. 04
- 【CLC number】 TP393.08
- 【Downloads】 92