On Network Worm Detection Mechanism Based on Dynamic Baseline Analysis

Cited by: 5
Abstract: This paper proposes a new worm detection method based on a dynamic NetFlow baseline. Drawing on the characteristics of network attacks, the author collected NetFlow information containing the characteristics of worms. The method uses the NetFlow network monitoring tool to collect information on each communication port every five minutes. An information baseline is built along three dimensions (communication port, time and traffic volume); filtering for information that deviates from this baseline selects the data consistent with worm behavior, which in turn identifies possible worms and the infected nodes. The experimental results show that the method can accurately detect worm attacks and that the mechanism can play a role at the beginning of a new worm attack.
Institution: Beijing University of Technology
Source: Journal of North China Institute of Science and Technology (《华北科技学院学报》), 2008, Issue 1, pp. 94-97, 111 (5 pages in total)
Keywords: network security; Internet worm; baseline analysis; network management