
Automatic detection method of polymorphic worms

An automatic worm detection technology applied in the field of network security. It addresses the inability of existing methods to effectively handle and detect polymorphic worms, and achieves a low false positive rate and false negative rate.

Status: Inactive. Publication Date: 2011-06-29
CHENGDU TOPSEC NETWORK SECURITY TECH

AI Technical Summary

Problems solved by technology

[0028] Cannot effectively deal with advanced polymorphic worms: current advanced polymorphic worm deformation techniques can apply certain transformations to the NopSled part, for example by using other single-byte instructions that perform the same function, by using multi-byte instructions, or by using jump instructions in place of Nop instructions to achieve the same effect, or even by using the stack alignment principle to construct a special type of Nop Sled. In this type of Sled, execution no longer reaches the shellcode from every byte, but only from 4-byte aligned positions, so the entire Nop Sled part may take a completely different form, and Snort cannot detect polymorphic worms of this kind that have been transformed by advanced deformation techniques.




Embodiment Construction

[0050] The present invention will be further described below in conjunction with the accompanying drawings:

[0051] As shown in figure 2, the system of the present invention is realized by the following devices:

[0052] Network packet capture device: this device captures data packets in the network. It can be placed at key positions such as the entrance and exit of the LAN, so as to capture the data packets entering and leaving the entire network. In this way, relatively few detection points need to be deployed, and the system's operating overhead is relatively low.

[0053] Packet capture can be realized in two ways. In the first, the detection system is connected in series (inline) in the network, so that all data packets entering and leaving the internal network must pass through the detection system. This method requires the system to have very high processing performance and detection accuracy, and usually requires special hardware to proce...


Abstract

The invention discloses an automatic detection method for polymorphic worms, comprising the following steps: (1) capturing all data packets passing into and out of a network; (2) analyzing the captured data packets according to their corresponding protocols, extracting the payloads of the data packets, and using each protocol's hierarchy and standard to perform decoding, reassembly and command analysis on those payloads; (3) filtering the processed data packets containing the payloads from step (2); (4) judging whether the data packets from step (3) contain a Nop Sled, and thereby whether they are worm data packets: for a byte string of length n, if the disassembled instruction sequence starting at every position is valid, the data packet is determined to contain a Nop Sled and is therefore judged to be a worm data packet; and (5) responding to the detected worm data packets.
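As an added example (not the patent's or the applicant's code), the following Python implements the decision in step (4) above over a deliberately small, hand-built table of 32-bit x86 opcodes: a window of n bytes is flagged as a Nop Sled when linear disassembly from every offset stays valid to the end of the window. The `stride` parameter is an assumption added here so the same check can be run at 4-byte aligned offsets, the sled variant described in paragraph [0028]; the opcode tables, function names and sample payloads are all constructed for this example.

```python
"""Toy Nop-sled detector implementing step (4) of the abstract.

Added example, not the patent's code. The opcode tables below are a hand-built
subset of 32-bit x86 (no prefixes, no 0x0F escape); any opcode outside them is
treated as invalid, so this is a demonstration of the algorithm, not a full
disassembler.
"""
from typing import Optional

# Single-byte instructions: nop, inc/dec r32, push/pop r32, cwde, cdq, pushfd,
# popfd, sahf, lahf, daa, das, aaa, aas, pushad, popad, ret, int3, cmc, clc, stc, cld, std.
SINGLE = {0x90, 0x98, 0x99, 0x9C, 0x9D, 0x9E, 0x9F, 0x27, 0x2F, 0x37, 0x3F,
          0x60, 0x61, 0xC3, 0xCC, 0xF5, 0xF8, 0xF9, 0xFC, 0xFD} | set(range(0x40, 0x60))
# Opcode followed by one immediate byte: ALU al,imm8; push imm8; int imm8; jmp/jcc rel8; mov r8,imm8.
IMM8 = ({0x04, 0x0C, 0x24, 0x2C, 0x34, 0x3C, 0x6A, 0xCD, 0xEB}
        | set(range(0x70, 0x80)) | set(range(0xB0, 0xB8)))
# Opcode followed by a 32-bit immediate: ALU eax,imm32; push imm32; call/jmp rel32; mov r32,imm32.
IMM32 = {0x05, 0x0D, 0x25, 0x2D, 0x35, 0x3D, 0x68, 0xE8, 0xE9} | set(range(0xB8, 0xC0))
# ALU r/m forms (add/or/adc/sbb/and/sub/xor/cmp), test, xchg, mov, lea: opcode + ModRM.
MODRM = ({op for base in range(0x00, 0x40, 8) for op in range(base, base + 4)}
         | set(range(0x84, 0x8C)) | {0x8D})


def modrm_len(data: bytes, pos: int) -> int:
    """Bytes consumed by the ModRM byte at data[pos] plus its SIB/displacement
    (32-bit addressing). Bytes missing past the end of `data` are not counted."""
    if pos >= len(data):
        return 0
    mod, rm = data[pos] >> 6, data[pos] & 7
    n = 1
    if mod == 3:                      # register operand, nothing follows
        return n
    if rm == 4:                       # SIB byte follows
        n += 1
        if mod == 0 and pos + 1 < len(data) and (data[pos + 1] & 7) == 5:
            n += 4                    # SIB with no base register: disp32
    if mod == 0 and rm == 5:
        n += 4                        # [disp32]
    elif mod == 1:
        n += 1                        # disp8
    elif mod == 2:
        n += 4                        # disp32
    return n


def insn_len(data: bytes, pos: int) -> Optional[int]:
    """Length of the instruction at data[pos], or None if its opcode is outside
    the subset. An operand cut off by the end of the buffer still counts as
    valid, since a sled normally continues beyond the examined window."""
    op = data[pos]
    if op in SINGLE:
        return 1
    if op in IMM8:
        return 2
    if op in IMM32:
        return 5
    if op in MODRM:
        return 1 + modrm_len(data, pos + 1)
    return None


def decodes_from(data: bytes, start: int) -> bool:
    """True if linear disassembly from `start` stays inside the subset until it
    runs off the end of `data`. Jumps are decoded but not followed."""
    pos = start
    while pos < len(data):
        n = insn_len(data, pos)
        if n is None:
            return False
        pos += n
    return True


def find_nop_sled(payload: bytes, n: int = 32, stride: int = 1) -> Optional[int]:
    """Offset of the first n-byte window in which every offset (every stride-th
    offset when stride > 1) starts a valid instruction stream, else None.
    The window slides one byte at a time, so stride=4 tries every alignment
    phase without knowing the target's buffer address."""
    for start in range(0, len(payload) - n + 1):
        window = payload[start:start + n]
        if all(decodes_from(window, off) for off in range(0, n, stride)):
            return start
    return None


# Constructed sample payloads (not captured traffic). 0xFF/0xFE are outside the
# subset, so the four-byte prefix shows the detector reporting a non-zero offset.
PREFIX = b"\xff\xfe\xff\xfe"
CLASSIC_SLED = PREFIX + b"\x90" * 48                                   # plain nop run
MIXED_SLED = PREFIX + bytes([0x41, 0x4A, 0x90, 0x53, 0x5B, 0x98, 0xF8, 0x9F]) * 6  # single-byte substitutes
# 'and al,0xFF ; or al,0x00' repeated: 4-byte aligned, and the 0xFF immediate is
# not a valid opcode start, so only the aligned check accepts it.
ALIGNED_SLED = PREFIX + b"\x24\xff\x0c\x00" * 12
HTTP_TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"  # benign payload

if __name__ == "__main__":
    for name, data in [("classic", CLASSIC_SLED), ("mixed", MIXED_SLED),
                       ("aligned", ALIGNED_SLED), ("http", HTTP_TEXT)]:
        print(name, "byte-granular:", find_nop_sled(data),
              "4-byte aligned:", find_nop_sled(data, stride=4))
```

Two properties of the code are worth noticing. First, a byte that is an immediate of one instruction must itself start a valid stream for the byte-granular check to pass, which is exactly why the aligned sled in the samples escapes `stride=1` and is caught only by `stride=4`. Second, with this table most upper-case ASCII decodes as inc/dec/push/pop, so the window length n and the decoder's coverage both govern the false-positive rate on text protocols; a production detector needs a complete decoder and the protocol-aware filtering of steps (2) and (3).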

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to an automatic detection method for polymorphic worms.

Background technique

[0002] The rapid development of computer networks has brought great convenience to users; networks have penetrated all aspects of social life and become indispensable. However, the accompanying network security issues continue to plague users and have become an urgent problem. Network attack methods emerge in an endless stream, their concealment grows stronger, their scope of influence wider, and the losses they cause more serious. Among them, worms far exceed traditional malware such as Trojan horses and macro viruses in speed of propagation, range of propagation, and degree of damage. A typical example: in 1988, the worm written by Morris, a graduate student at Cornell University ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, H04L29/06
Inventors: 黄勇, 张小松, 鲍厚兵, 刘飞
Owner: CHENGDU TOPSEC NETWORK SECURITY TECH