Method for extracting worm features and device therefor

A worm feature extraction technology, applied to worm feature extraction methods and devices. It addresses the poor accuracy of extracted worm features, improving accuracy while reducing human resource investment and cost.

Inactive Publication Date: 2009-12-09
HUAWEI DIGITAL TECH (CHENGDU) CO LTD +1

AI Technical Summary

Problems solved by technology

[0004] However, during the research of the present invention, the inventor found that the above-mentioned scheme has t


Examples


Example 1

[0032] Figure 1 is a flow chart of the worm feature extraction method provided by the first embodiment of the present invention. The method can be carried out by a worm feature extraction device, which can be implemented in hardware, in software, or in a combination of the two. The method of this embodiment includes the following steps:

[0033] Step 100, obtaining network data packets;

[0034] Step 200, extracting byte sequences (tokens) from the obtained network data packets;

[0035] Step 300, calculating the false alarm rate of each byte sequence against pre-acquired normal network data packets, and assembling the byte sequences whose false alarm rate is less than or equal to a preset value into a worm feature, where the false alarm rate of a byte sequence is the probability that a normal network packet containing that byte sequence appears among all normal network packets.
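Steps 200 and 300 as a runnable sketch. This is an added example, not code from the patent. It assumes tokens are fixed-length k-byte sequences present in every suspicious flow and that a feature matches when all of its tokens are present; the function names and sample payloads are constructed for illustration.

```python
from collections import Counter

def extract_tokens(flows, k=6, coverage=1.0):
    """Step 200 (assumed method): k-byte sequences that occur in at
    least `coverage` of the suspicious flows."""
    seen = Counter()
    for flow in flows:
        # a set, so each token counts once per flow
        seen.update({flow[i:i + k] for i in range(len(flow) - k + 1)})
    need = coverage * len(flows)
    return sorted(t for t, n in seen.items() if n >= need)

def false_alarm_rate(token, normal_packets):
    """Step 300: share of normal packets that contain the token."""
    if not normal_packets:
        raise ValueError("a normal-traffic corpus is required")
    return sum(token in p for p in normal_packets) / len(normal_packets)

def assemble_feature(flows, normal_packets, preset=0.05, k=6):
    """Step 300: keep only tokens whose false alarm rate <= preset."""
    return [t for t in extract_tokens(flows, k)
            if false_alarm_rate(t, normal_packets) <= preset]

def matches(feature, payload):
    """Assumed matching rule: every token of the feature is present."""
    return bool(feature) and all(t in payload for t in feature)

# Constructed sample traffic (not real captures).
SUSPICIOUS = [
    b"POST /form HTTP/1.1\r\n\r\nq=1&blob=ZXQJKW01",
    b"POST /form HTTP/1.1\r\n\r\nq=2&blob=ZXQJKW77",
    b"POST /form HTTP/1.1\r\n\r\nq=3&blob=ZXQJKW5c",
]
NORMAL = [
    b"POST /form HTTP/1.1\r\n\r\nq=9&name=alice",
    b"GET /index.html HTTP/1.1\r\n\r\n",
    b"POST /form HTTP/1.1\r\n\r\nq=4&name=bob",
    b"GET /img/logo.png HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    feature = assemble_feature(SUSPICIOUS, NORMAL)
    for tok in extract_tokens(SUSPICIOUS):
        print(tok, false_alarm_rate(tok, NORMAL), tok in feature)
```

Tokens drawn from the shared HTTP framing appear in every suspicious flow but are rejected because they also appear in normal traffic; only the payload-specific byte sequences survive the threshold.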

[0036] In this embodiment, firstly, the network data packets must be...

Example 2

[0044] Figure 2 is a flow chart of byte sequence extraction in the worm feature extraction method provided by the second embodiment of the present invention. This embodiment can be based on the first embodiment above. In this embodiment, step 200 includes the following steps:

[0045] Step 201, assembling the acquired network data packets into a network data stream;

[0046] Step 202, extracting byte sequences from each network data stream.

[0047] Assembling the network data flow means shaping the network data packets according to set shaping rules. When a worm spreads, it usually sends not a single network packet but several. The exact worm features or byte sequences may be scattered across multiple network packets, so multiple network packets must be joined into one network data flow; only by analyzing the network data flow can the accuracy of the extracted worm features be improved.
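Why step 201 matters, as an added example that is not part of the patent text. The shaping rule used here (group by address and port tuple, order by sequence number, drop retransmitted duplicates) is an assumption, as are the packet tuples and function names; sequence-number wraparound is not handled.

```python
from collections import defaultdict

def assemble_streams(packets):
    """Step 201 (assumed shaping rule): group packets by flow key, order
    segments by sequence number, drop duplicates, join the payloads."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in packets:
        # setdefault keeps the first copy of a retransmitted segment
        flows[(src, sport, dst, dport)].setdefault(seq, payload)
    return {key: b"".join(segs[s] for s in sorted(segs))
            for key, segs in flows.items()}

def hits_per_packet(token, packets):
    """Count packets whose own payload contains the token."""
    return sum(1 for *_, payload in packets if token in payload)

def hits_per_stream(token, packets):
    """Count reassembled streams that contain the token (step 202 input)."""
    return sum(1 for s in assemble_streams(packets).values() if token in s)

# Constructed packets: (src, sport, dst, dport, seq, payload).
# The byte sequence b"ZXQJKW" is split across two segments of one flow,
# which arrive out of order and with one retransmission.
PACKETS = [
    ("192.0.2.10", 40000, "198.51.100.5", 80, 1012, b"JKW01"),
    ("192.0.2.10", 40000, "198.51.100.5", 80, 1000, b"q=1&blob=ZXQ"),
    ("192.0.2.10", 40000, "198.51.100.5", 80, 1000, b"q=1&blob=ZXQ"),
    ("192.0.2.77", 40001, "198.51.100.5", 80, 5000, b"q=9&name=alice"),
]

if __name__ == "__main__":
    print("per-packet hits:", hits_per_packet(b"ZXQJKW", PACKETS))
    print("per-stream hits:", hits_per_stream(b"ZXQJKW", PACKETS))
```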

[0048]The setting shaping rules for assemb...

Example 3

[0051] Figure 3 is a flow chart of capturing network data packets in the worm feature extraction method provided by the third embodiment of the present invention. This embodiment can be based on the embodiments above, and the operation of obtaining network data packets in step 100 can specifically be:

[0052] Step 101, capturing network packets;

[0053] Step 102, performing a screening operation on the captured network data packets, and retaining abnormal network data packets.

[0054] Network data packets may be captured within a set period, and the captured packets usually include both normal and abnormal network data packets. The concept of normal network data packets is as described above; all remaining network data packets can be regarded as abnormal.

[0055] The above-mentioned screening of network data packets is not a necessary step, but it has significant advantages. It can reduce the numbe...


Abstract

The embodiment of the invention relates to a method for extracting worm features and a device therefor. The method comprises: acquiring network data packets, extracting byte sequences from the network data packets, calculating the false alarm rate of each byte sequence in normal network data packets, and assembling the byte sequences whose false alarm rate is smaller than or equal to the preset value into worm features. The device comprises functional modules for executing the method. The embodiment of the invention introduces the calculation of false alarm rates into the process of assembling byte sequences into worm features; because the worm features are assembled according to the false alarm rates, they meet the false alarm rate requirement, which improves the accuracy of assembling worm features in real time.

Description

Technical field

[0001] Embodiments of the present invention relate to worm feature extraction technology, and in particular to a worm feature extraction method and device.

Background

[0002] A large number of identical or similar application programs are in widespread use on the Internet, and worms use the vulnerabilities of these applications to spread automatically; the propagation speed and harm are astonishing. Currently, there are two major research directions in the field of worm detection and defense: misuse detection and anomaly detection.

[0003] The idea of misuse detection is to compare known worm features with network data packets; if a network data packet contains a worm feature, a worm is considered detected. A worm feature is a feature composed of one or several byte sequences in the worm sample. Usually, an accurate worm feature should appear in all worm copies, but not in oth...


Application Information

IPC(8): H04L29/06
Inventor 陈厅张小松孙志敏
Owner HUAWEI DIGITAL TECH (CHENGDU) CO LTD