Network worm detection and characteristic automatic extraction method and system

A worm-detection and network technology, applied in the field of network security, that addresses the loss of effectiveness of manually maintained worm signatures against fast-spreading worms, with the aim of preventing the spread of worms and the large-scale economic losses they cause.

Inactive Publication Date: 2010-11-24
GRADUATE SCHOOL OF THE CHINESE ACAD OF SCI GSCAS

AI Technical Summary

Problems solved by technology

Statistics on network worm outbreaks in recent years are shown in figure 1, which lists the 10 most harmful worms since 2000. The statistics show that network worms usually spread by exploiting serious system vulnerabilities, and some even spread through 0-day vulnerabilities. This means that the traditional prevention strategy of manually extracting network worm signatures and then pushing those signatures to end-user antivirus software has almost lost its effect against these fast-scanning, actively spreading network worms, which is also the fundamental reason why network worms can spread rapidly and cause great harm.


Embodiment Construction

[0036] The concrete implementation of the present invention is as follows:

[0037] Step 1: Capture network packets at the gateway by way of bypass listening.

[0038] Step 2: The data packets pass through the existing IDS, and are matched against the network attack signature database to detect known worm attacks.

[0039] Step 3: The anomaly detection subsystem analyzes the captured data packets. Anomaly detection is divided into two stages: threshold training and online detection.

[0040] (I) Threshold training stage

[0041] Four anomaly detection strategies are run on the traffic to compute thresholds for four parameters: the number of initiated connections, the number of failed connections, divergence, and packet similarity. The training phase uses normal network traffic captured by the system.

[0042] The calculation of the observed values of these four parameters is introduced one by one below.

[0043] (I-1) Appl...


Abstract

The invention discloses a network worm detection and automatic feature extraction method and system, belonging to the technical field of network security. The method comprises the following steps: 1) performing anomaly detection on captured network data packets, and dividing the packets into suspicious network flows and normal network flows according to the detection results; 2) storing the suspicious network flows in a suspicious flow pool and the normal network flows in a normal flow pool; 3) clustering the network flows in the suspicious flow pool and the normal flow pool, and extracting a feature signature; and 4) updating the extracted feature signature into a network attack signature database and detecting the network worm with it. The system comprises an anomaly detection subsystem, a feature extraction subsystem, a network attack signature database, and a misuse detection system. The method and the system discover network worms more accurately and promptly, automatically extract worm features, and update the attack signature database of the existing misuse detection system, so that the aim of suppressing worm propagation is actually achieved.
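The threshold-training and online-detection stages of Step 3, followed by the suspicious/normal flow-pool split from the abstract, as an added Python example that is not part of the patent or its authors' code. It covers two of the four parameters (initiated and failed connections per source host); divergence and packet similarity are left out because their calculation does not survive on this page, and the mean-plus-three-sigma threshold rule, the flow record layout and all addresses are assumptions.

```python
"""Threshold training and online detection for two of the four parameters
(initiated connections, failed connections) per source host, then the
suspicious-pool / normal-pool split.  Added example, not the patent's code."""
from collections import defaultdict
from statistics import mean, pstdev


def make_flows(src, n_ok, n_fail, dport):
    """Constructed connection attempts from src; the first n_fail fail."""
    return [(src, f"10.0.1.{i}", dport, i >= n_fail) for i in range(n_ok + n_fail)]


# Constructed 'normal network traffic captured by the system' (training data).
NORMAL_FLOWS = (make_flows("10.0.0.1", 4, 0, 80) + make_flows("10.0.0.2", 4, 1, 443)
                + make_flows("10.0.0.3", 3, 0, 80))
# Constructed online traffic: the normal hosts plus one host that opens 20
# connections to port 445 of which 18 fail (closed ports during a scan).
ONLINE_FLOWS = (NORMAL_FLOWS + make_flows("10.0.0.4", 4, 1, 80)
                + make_flows("10.0.0.9", 2, 18, 445))


def observe(flows):
    """Observed values per source host: (initiated, failed) connection counts."""
    initiated, failed = defaultdict(int), defaultdict(int)
    for src, _dst, _dport, ok in flows:
        initiated[src] += 1
        if not ok:
            failed[src] += 1
    return {src: (initiated[src], failed[src]) for src in initiated}


def train_thresholds(normal_flows, k=3.0):
    """Threshold training stage. The mean + k*stddev rule over per-host values
    is an assumption; the patent text does not say how thresholds are set."""
    values = list(observe(normal_flows).values())
    inits = [i for i, _ in values]
    fails = [f for _, f in values]
    return {"initiated": mean(inits) + k * pstdev(inits),
            "failed": mean(fails) + k * pstdev(fails)}


def detect(flows, thresholds):
    """Online detection stage: a host exceeding either threshold is anomalous and
    all of its flows go to the suspicious pool; the rest form the normal pool."""
    anomalous = {src for src, (i, f) in observe(flows).items()
                 if i > thresholds["initiated"] or f > thresholds["failed"]}
    suspicious = [fl for fl in flows if fl[0] in anomalous]
    normal = [fl for fl in flows if fl[0] not in anomalous]
    return suspicious, normal
```

With a single training host pstdev() is 0 and the thresholds collapse to that host's counts, so a real deployment needs enough normal hosts in the training window for the statistics to mean anything.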

Description

Technical field

[0001] The invention relates to a network worm detection and automatic feature extraction method and system, in particular to a behavior-based network worm detection method and a flow-clustering-based automatic feature extraction method and system, belonging to the technical field of network security.

Background technique

[0002] There are many kinds of malicious network code, including network worms, webpage Trojan horses and mobile malicious code. Among them, network worms cause the most serious harm because of their fast spreading speed and wide spreading range. The outbreak of the first network worm, Morris, in 1988 caused an economic loss of more than 10 million U.S. dollars. The network worm Conficker, which appeared at the end of 2008, has infected more than 12 million hosts worldwide. Statistics on network worm outbreaks in recent years are shown in figure 1, which lists the 10 most harmful worms since 2000. The statistical r...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/24
Inventor: 张玉清, 刘宇, 姚力
Owner: GRADUATE SCHOOL OF THE CHINESE ACAD OF SCI GSCAS