Abstract
A new method for detecting and containing network worms is proposed, based on an analysis of how worm connection requests differ from normal connection requests. Because a worm attacks a specific port while its target addresses are widely dispersed, the detection stage uses port-based multiple working sets to separate worm connection requests from normal ones, and the control stage places suspicious requests in multiple delay queues, one per port, so that traffic on different ports does not interfere. Because normal connection requests arrive in short bursts, a token bucket controls the output of the delay queues, which shortens the time normal requests spend waiting in a queue. Tests show that, on a host infected with a worm, the new method reduces the false positive rate from 85% to 12% and the average delay imposed on normal connection requests from 95.4 s to 5.6 s.
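The following is an added example, not code from the paper, that models the scheme the abstract sketches: a per-destination-port working set of recently contacted addresses decides whether a request is normal (address already in the set) or suspicious (new address); suspicious requests wait in a per-port delay queue whose output is paced by a token bucket, so a short burst of normal requests passes at once while a worm's sustained scan backs up on its own port. The working-set size, token rate, burst size and the constructed traffic are assumptions chosen for the illustration; the paper does not give them. Setting `per_port=False` collapses all ports into one shared queue, which shows the cross-port interference the paper's design is meant to avoid.

```python
"""Per-port working-set worm throttle (added example; parameters are assumptions)."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

Request = Tuple[float, int, str]  # (arrival time in s, destination port, destination address)


@dataclass
class TokenBucket:
    rate: float      # tokens added per second
    capacity: float  # burst size; the bucket starts full
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        """Refill for the elapsed time, then consume one token if one is available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class PortState:
    working_set: Deque[str]      # recently contacted addresses, oldest first
    delay_queue: Deque[Request]  # suspicious requests waiting to be released
    bucket: TokenBucket          # paces the output of this port's delay queue


class WormThrottle:
    def __init__(self, ws_size: int = 4, rate: float = 1.0, burst: float = 4.0, per_port: bool = True):
        self.ws_size, self.rate, self.burst, self.per_port = ws_size, rate, burst, per_port
        self.states: Dict[int, PortState] = {}
        self.released: List[Request] = []  # (delay, dport, dst) for every forwarded request

    def _state(self, dport: int, now: float) -> PortState:
        key = dport if self.per_port else 0  # per_port=False: one queue shared by all ports
        if key not in self.states:
            self.states[key] = PortState(deque(), deque(), TokenBucket(self.rate, self.burst, self.burst, now))
        return self.states[key]

    def _admit(self, st: PortState, dst: str) -> None:
        """Record dst as recently contacted, evicting the oldest entry when the set is full."""
        if dst in st.working_set:
            st.working_set.remove(dst)
        elif len(st.working_set) >= self.ws_size:
            st.working_set.popleft()
        st.working_set.append(dst)

    def _drain(self, st: PortState, now: float) -> None:
        """Release queued requests while the bucket still has tokens (no token is spent on an empty queue)."""
        while st.delay_queue and st.bucket.take(now):
            t0, dport, dst = st.delay_queue.popleft()
            self._admit(st, dst)
            self.released.append((now - t0, dport, dst))

    def tick(self, now: float) -> None:
        for st in self.states.values():
            self._drain(st, now)

    def request(self, now: float, dport: int, dst: str) -> None:
        st = self._state(dport, now)
        self._drain(st, now)
        if dst in st.working_set:  # known peer on this port: forward immediately
            self._admit(st, dst)
            self.released.append((0.0, dport, dst))
        else:                      # new peer: suspicious, wait for a token
            st.delay_queue.append((now, dport, dst))
            self._drain(st, now)

    def stats(self, dport: int) -> dict:
        delays = [d for d, p, _ in self.released if p == dport]
        pending = sum(1 for st in self.states.values() for _, p, _ in st.delay_queue if p == dport)
        return {"released": len(delays), "pending": pending,
                "mean_delay": sum(delays) / len(delays) if delays else None}


def simulate(per_port: bool) -> Dict[int, dict]:
    """Constructed traffic: a worm on port 445 scanning 8 new hosts/s from t=0, and a user
    on port 80 opening 6 new connections at t=1.0 and revisiting one of them at t=3.5."""
    events: List[Request] = [(i * 0.125, 445, f"192.0.2.{i}") for i in range(40)]
    events += [(1.0, 80, f"10.0.0.{i}") for i in range(1, 7)]
    events.append((3.5, 80, "10.0.0.3"))
    events.sort(key=lambda e: e[0])  # stable: worm requests stay ahead at equal times
    th = WormThrottle(per_port=per_port)
    next_tick = 0.0
    for t, dport, dst in events:
        while next_tick <= t:  # release queued requests at every whole second
            th.tick(next_tick)
            next_tick += 1.0
        th.request(t, dport, dst)
    th.tick(5.0)
    return {80: th.stats(80), 445: th.stats(445)}


if __name__ == "__main__":
    for mode in (True, False):
        print("per-port queues" if mode else "single shared queue", simulate(mode))
```

With per-port queues the user's burst on port 80 is released at once except for the two requests beyond the burst size, and the worm's 31 unreleased scans sit in the port 445 queue alone; with one shared queue the same user requests land behind the worm's backlog and none of them has been released by t=5 s.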
Source
《华中科技大学学报(自然科学版)》 (Journal of Huazhong University of Science and Technology (Natural Science Edition))
Indexed in: EI, CAS, CSCD, Peking University Core Journals
2007, No. 3, pp. 38-41 (4 pages)
Funding
Supported by the Major Research Plan of the National Natural Science Foundation of China (Grant No. 90412010)
Keywords
worm detection; control; false positive rate; delay