Computer Engineering & Science
A Worm Detection System Based on Process Traffic Behaviors
Received date: 2009-03-02
Revised date: 2009-06-23
Online published: 2011-04-25
As worm propagation speed keeps increasing, the damage caused by worms grows more serious. To detect worms quickly, three worm-related process traffic behaviors are described: the total number of source ports in worm-like traffic, the change frequency of the source port in worm-like traffic, and the ratio of worm-like traffic to total traffic for a single process. Based on these three behaviors, a worm detection system based on process traffic behaviors is presented, and its definitions, framework design and key implementation are introduced. Finally, experiments with real-world worms and normal applications show that the system detects worms quickly and correctly, with few false positives.
Key words: worm detection; process traffic behavior; worm behavior; behavior detection
XIAO Fengtao¹, WANG Wei², LIU Bo¹, CHEN Xin¹. A Worm Detection System Based on Process Traffic Behaviors[J]. Computer Engineering & Science, 2011, 33(4): 19-24. DOI: 10.3969/j.issn.1007-130X.2011.
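The following is an added illustration, not code from the paper, of how the three per-process behaviors named in the abstract could be computed from flow records. The definition of worm-like traffic (a process fanning out to many distinct hosts on one destination port), the sample flow records and the detection thresholds are all assumptions, since the abstract does not state them.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float      # time the connection was opened
    pid: int       # originating process
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed sample records (assumption, not data from the paper): pid 1001 fans out to
# eight hosts on one port with a fresh source port each time; pid 2002 behaves like a browser
# that reuses two source ports toward two servers.
FLOWS = [Flow(t, 1001, 40000 + t, f"10.0.0.{t + 1}", 445) for t in range(8)] + [
    Flow(10 + t, 2002, 50000 + (t % 2), "203.0.113.7" if t % 3 else "203.0.113.8", 443)
    for t in range(6)
]

FANOUT_THRESHOLD = 5  # assumed: this many distinct hosts on one dst port marks the flows worm-like

def wormlike_flows(flows):
    """Assumed definition of worm-like traffic: a process's flows to a destination port on
    which that process has contacted FANOUT_THRESHOLD or more distinct hosts."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[(f.pid, f.dst_port)].add(f.dst_ip)
    return [f for f in flows if len(hosts[(f.pid, f.dst_port)]) >= FANOUT_THRESHOLD]

def process_features(flows):
    """Return {pid: (distinct src ports in worm-like traffic,
                     src-port change frequency in worm-like traffic,
                     worm-like flows / all flows of the process)}."""
    by_pid = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_pid[f.pid].append(f)
    wl = set(wormlike_flows(flows))
    feats = {}
    for pid, fl in by_pid.items():
        w = [f for f in fl if f in wl]
        ports = [f.src_port for f in w]
        changes = sum(1 for a, b in zip(ports, ports[1:]) if a != b)
        freq = changes / len(w) if w else 0.0
        feats[pid] = (len(set(ports)), freq, len(w) / len(fl))
    return feats

def detect(features, min_ports=5, min_change_freq=0.5, min_ratio=0.5):
    """Flag a process only when all three behaviors exceed the assumed thresholds."""
    return sorted(pid for pid, (n, freq, ratio) in features.items()
                  if n >= min_ports and freq >= min_change_freq and ratio >= min_ratio)
```

Requiring all three behaviors together is what keeps a busy but legitimate client such as pid 2002 from being flagged on connection volume alone.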