Abstract
Manually extracting worm signature strings in the traditional way takes a long time, while automatic extraction based on string-pattern analysis has never achieved satisfactory false-positive and false-negative rates. This paper proposes a semantic-analysis signature extraction method based on a worm attack model. Using prior knowledge of the worm attack model, the method automatically identifies the functional parts of worm code and takes the parts that a worm attack must use as the worm's signature strings; it proposes OSJUMP, a general model of worm attacks. Based on this model, the effectiveness of semantic-based worm signature extraction is proved, and an algorithm for the automatic semantic-based extraction of worm signatures is given. Tests on various real worms such as Red Code show that the automatically extracted signatures are highly comparable to the signatures produced by security vendors' manual analysis.
Since manual Internet worm signature extraction takes a long time while automatic pattern-based analysis causes high false negatives and false positives, this paper proposes a new worm signature extraction method based on a worm attack model and semantic analysis. It contributes a definition of the worm attacking model, the OSJUMP model, proves the preciseness of worm signatures based on the worm attacking model, and presents a semantic analysis algorithm for automatically extracting invariant parts as signatures. The evaluation demonstrates that the algorithm produces signatures the same as the ones provided by vendors.
Source
《计算机工程》
CAS
CSCD
Peking University Core Journal
2007, No. 10, pp. 134-135, 146 (3 pages)
Computer Engineering
Keywords
Internet worm
Signature
Automatic extraction