Abstract: Current worm detection methods are unable to detect multi-vector polymorphic worms effectively. Based on the negative selection mechanism of the immune system, a local network worm detection system was proposed. Normal network service requests were represented by self-strings, and the detection system used the self-strings to monitor the network for anomalies. According to the properties of worm propagation, a control center correlated the detected anomalies in the form of binary trees to ensure the accuracy of worm detection. Experiments show the system to be effective in detecting traditional as well as multi-vector polymorphic worms.
Funding: This work was supported by the National "863" Program of China (No. 2003AA148010) and the National Torch Project of China (No. 2005EB011484).
Abstract: Objective: To detect unknown network worms at their early propagation stage. Methods: On the basis of the characteristics of network worm attacks, the concept of failed connection flow (FCT) was defined. Based on wavelet packet analysis of the FCT time series, this method computed the energy associated with each wavelet packet of the FCT time series, transformed the FCT time series into a series of energy distribution vectors in the frequency domain, and then applied a trained K-nearest neighbor (KNN) classifier to identify the worm. Results: The experiment showed that the method could identify a network worm when the worm started to scan. Compared to the theoretical value, the identification error ratio was 5.69%. Conclusion: The method can effectively detect unknown network worms at their early propagation stage.
Funding: Supported by the National Natural Science Foundation of China (60573136).
Abstract: Instant messaging (IM) has become one of the most popular online communication tools among consumer and enterprise users. It provides instant message delivery as well as convenient file transfer services. The increasing popularity and functionality of IM programs have made them increasingly attractive to attackers, especially worm writers. The IM contact list offers a worm an easy way of finding potential victims, so that the worm can achieve a surprising spreading speed. This paper first presents our experimental results of simulating IM worm propagation in the logical network defined by IM contact lists, which is reported to be a scale-free network. Then, the existing proposals for detecting and containing IM worm epidemics are discussed. Finally, a new algorithm for this purpose is presented, which is based on the observation of the bi-directional nature of IM worm traffic, and its advantages and possible improvements in implementation are analyzed. The simulation results show that the proposed algorithm has a significant effect on restricting IM worm propagation.
Funding: The National Natural Science Foundation of China (Grant No. 60403028).
Abstract: The spread of worms causes great harm to computer networks and has recently become a focus of network security research. This paper presents a local-worm detection algorithm based on analyzing the characteristics of traffic generated by TCP-based worms. Moreover, we adjust the worm location algorithm to account for the differences between high-speed and low-speed worm scanning methods. This adjustment allows the location algorithm to detect and locate the worm at different scanning rates. Finally, we verified the validity and efficiency of the proposed algorithm by simulating it under NS-2.