
Method for detecting Email worm

A worm detection method and technology, applied in the fields of instruments, computing, and electrical digital data processing. It addresses problems such as worms being difficult to find and existing defenses having no obvious effect, and achieves the effects of improving efficiency, reducing load, and improving compatibility.

Inactive Publication Date: 2012-08-22
CHONGQING FENGMEI INFORMATION TECH

AI Technical Summary

Problems solved by technology

ZOU C, GONG W, TOWSLEY D. Feedback email worm defense system for enterprise networks[C]//Umass ECE Technical Report TR-04-CSE-05: Umass, 2004. This work introduced a detection method called "Feedback Defense System", which uses existing intrusion detection software to intercept suspicious emails and then uses a virtual honeypot system for analysis and detection. The method protects Email users well, but its effect on actively controlling the spread of Email worms in the network is not very obvious.

GUPTA A, SEKAR R. An approach for detecting self-propagating Email using anomaly detection[C]//Proceedings of Recent Advances in Intrusion Detection (RAID). Pittsburgh PA: Springer, 2003: 55-72. This work introduced a method that uses machine learning to monitor abnormal network traffic. It can effectively reduce the detection false positive rate, but it needs to collect statistics on network traffic, and there is a certain detection delay.

HUSNA H, PHITHAKKITNUKOON S, DANTU R. Traffic shaping of spam botnets[C]//Proceedings of CCNC 2008, 5th IEEE. Las Vegas, NV: IEEE, 2008: 786-787. This work proposed a method that uses entropy to classify spam. It analyzes the behavioral characteristics of spam (such as the number of emails sent consecutively in a unit time period) and uses the size of the entropy value to quickly distinguish spam from normal emails. The accuracy of this classification depends on the size of the threshold, and it is difficult for the defender to find a threshold that achieves both the minimum false positive rate (normal nodes wrongly classified as infected nodes by the detection mechanism) and the minimum false negative rate (infected nodes wrongly classified as normal nodes).


Examples


Embodiment

[0097] 1. Single point detection:

[0098] The single-point detection method is used to detect the infection characteristics of a network node. In this embodiment, the entire detection cycle is divided into four time periods: T1, T2, T3, and T4. The duration of each time period is set to 160 seconds. For the infection characteristic curves of the detected node in each time period, see Figure 3. The thresholds M=100, 200 and 300 are taken in turn, and differential entropy is used to evaluate the data of the 4 time periods. For the calculation results, see Figure 4.

[0099] 2. Multi-point tracking detection:

[0100] For the tracking chain establishment process, see Figure 5. Set M=2; t1i represents the level of node i. There are two tracking chains in the graph: nodes 1, 2, and 3 form chain 1, and nodes 5 and 4 form chain 2. At time t1, node 1 and node 5 have infection characteristics and are connected to node 2 and node 4 respectively, and node 1 and node 5 are respecti...


Abstract

The present invention provides a method, CTCBF (Contact-Tracing Chain Based Framework), for detecting Email worms. Differential entropy is used to detect abnormal sending of Emails at a network node; a tracking algorithm then establishes a tracing chain from the connection relations between abnormal network nodes; and when the length of the tracing chain reaches a certain threshold value, the suspicious nodes on the chain are confirmed as infected nodes. To address the uncertainty of the threshold value, the invention provides a dynamic threshold method in which the threshold value varies dynamically with the network infection level. The method can rapidly and accurately detect the dissemination of worms, and provides a new way of detecting unknown Email worms.
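The chain-building step described in the abstract, as an added example that is not code from the patent. It assumes a simple per-window send count in place of the differential-entropy test (whose formula is not on this page); `trace_chains`, `rate_threshold` and `chain_threshold` are hypothetical names, and the sample events are constructed to mirror the two chains of the embodiment (nodes 1, 2, 3 and nodes 5, 4).

```python
from collections import defaultdict

def trace_chains(events, window=160, rate_threshold=5, chain_threshold=3):
    """events: (time_s, sender, recipient) tuples. Returns (confirmed, level)."""
    per_window = defaultdict(lambda: defaultdict(list))
    for t, src, dst in events:
        per_window[int(t // window)][src].append(dst)

    level = {}         # abnormal node -> position on its chain (chain root = 1)
    parent = {}        # abnormal node -> abnormal node that mailed it earlier
    contacted_by = {}  # any node -> first abnormal node that mailed it
    confirmed = set()

    for w in sorted(per_window):
        # Assumed stand-in for the entropy test: too many sends in one window.
        abnormal = {s: d for s, d in per_window[w].items() if len(d) > rate_threshold}
        for src in abnormal:
            if src not in level:
                # Extend a chain only through a contact from an EARLIER window.
                up = contacted_by.get(src)
                parent[src] = up
                level[src] = level[up] + 1 if up is not None else 1
            if level[src] >= chain_threshold:
                node = src  # chain is long enough: confirm every node on it
                while node is not None:
                    confirmed.add(node)
                    node = parent[node]
        for src, dsts in abnormal.items():
            for d in dsts:
                contacted_by.setdefault(d, src)
    return confirmed, level

def burst(t0, src, dsts):
    """Constructed helper: one mail per second from src to each recipient."""
    return [(t0 + i, src, d) for i, d in enumerate(dsts)]

# Constructed sample traffic (not from the patent); 160 s windows as in the embodiment.
EVENTS = (burst(0, 1, [2, 10, 11, 12, 13, 14])        # node 1 abnormal, reaches node 2
          + burst(10, 5, [4, 20, 21, 22, 23, 24])     # node 5 abnormal, reaches node 4
          + burst(20, 6, [7, 8])                      # node 6: normal volume
          + burst(170, 2, [3, 30, 31, 32, 33, 34])    # node 2 abnormal, reaches node 3
          + burst(180, 4, [40, 41, 42, 43, 44, 45])   # node 4 abnormal
          + burst(330, 3, [50, 51, 52, 53, 54, 55]))  # node 3 abnormal: chain 1 has length 3

if __name__ == "__main__":
    confirmed, level = trace_chains(EVENTS)
    print("confirmed infected:", sorted(confirmed))
    print("chain levels:", level)
```

Chain 2 (nodes 5 and 4) stays at length 2 and is only suspicious under `chain_threshold=3`, which shows how the choice of chain threshold trades false negatives against false positives.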

Description

Technical field

[0001] The invention relates to the technical field of computer network virus detection, in particular to an Email worm detection method.

Background technique

[0002] Email worms are a common kind of computer virus. They use the network to replicate and spread, and infect through the network and e-mail. A worm is a self-contained program that copies itself, or parts of itself, and spreads across a network to other computer systems.

[0003] The biggest feature of the Email worm is that it can use Email to actively self-propagate, which is mainly reflected in two behavioral characteristics: infection characteristics and connection characteristics. The infection characteristic means that the monitored node has abnormal active connections to other network nodes (for example, the number of emails sent in a unit time period exceeds a preset threshold); the connection characteristic means that the monitored node has an infected node or behavior of suspicious node conn...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/08, G06F21/00, G06F21/56
Inventor: 黄智勇, 曾孝平, 周建林, 仲元红, 熊东
Owner: CHONGQING FENGMEI INFORMATION TECH