System and method for detecting network worm in interactive mode

A detection system and network technology, applied in the field of security detection systems. It addresses problems such as losses that cannot be estimated, the burden placed on network equipment and host systems, and the inability to confirm an attack from the attack data packets. It improves the efficiency of analysis and judgment, offers good versatility and applicability, and avoids false positives.

Inactive Publication Date: 2005-11-16
GUANGDONG TELECOM ACAD OF SCI & TECH

AI Technical Summary

Problems solved by technology

The Nimda network worm was discovered on September 18, 2001. The estimated damage caused by it has climbed from 500 million US dollars to 2.6 billion US dollars, and it has continued to climb since then. It has been impossible to estimate.
On the one hand, enabling the packet snapshot function of network equipment in this type of system places a certain burden on the network equipment, and not all network equipment can provide a snapshot function for IP data packets, which limits where this type of system can be applied. On the other hand, because this type of system does not interact with the attacked host system, a network worm attack can only be judged from changes in traffic volume; the attack cannot be confirmed from the state of the attacked host system or by feature matching on the attack data packets. Therefore, this kind of system also produces some false positives.
[0009] To sum up, the existing network worm detection methods either place a certain burden on the network equipment and the host system and affect the efficiency of equipment operation, or produce some false positives because they lack the necessary information interaction with the attacked host. How to make the necessary improvements to network worm detection systems and methods has therefore become a new subject of research and development in the industry.

Examples


Embodiment Construction

[0040] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings.

[0041] A network worm attack has certain behavioral characteristics. Usually, the worm first scans the computer systems in a network segment to detect whether the system vulnerabilities it exploits are present. The targets of network worm attacks are mostly terminal devices, including PC hosts and server hosts. Based on this behavioral feature, the system of the present invention installs network flow collection units on each terminal device in a distributed manner to perform multi-point detection, and sends the flow information centrally to the network worm analysis unit located on a high-performance server for statistical analysis and analysis based on feature matching. When it is found that some computers or servers r...


Abstract

The detection system is composed of network flow acquisition units distributed at each terminal in the network system and a network worm analysis unit set up at a server. The acquisition unit collects information flowing into and out of the terminal in real time; after snapshot and standardization processing, the data are transferred to the analysis unit. At the request of the analysis unit, the acquisition unit delivers suspicious attack samples and basic status information of the terminal. The analysis unit carries out statistics and analysis on the flow data provided by the acquisition unit. Based on a flow threshold, it determines whether the terminal may be under worm attack or may have become an attack source. Based on that result, and interacting with the acquisition unit, the analysis unit requests the acquisition unit to deliver the samples and information, carries out querying and matching operations to make a determination, and sends out an alarm.
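The two-stage flow described in the abstract, as an added sketch that is not code from the patent: a flow threshold selects suspect terminals, and only then does the analysis unit ask the terminal's acquisition unit for a sample and host status to match against signatures. The class names, the threshold, the signature and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Every name, threshold and signature here is constructed for illustration.
PEER_THRESHOLD = 50   # distinct remote addresses per snapshot interval
SIGNATURES = {"constructed-worm-A": b"EXAMPLE-PROBE-PATTERN"}

@dataclass
class FlowSnapshot:
    """Standardized flow record an acquisition unit sends to the analysis unit."""
    terminal: str
    direction: str    # "in" or "out"
    peers: int        # distinct remote addresses seen in the interval
    dst_port: int

class AcquisitionUnit:
    """Runs on a terminal and answers the analysis unit's follow-up request."""
    def __init__(self, sample: bytes, open_ports: set):
        self.sample, self.open_ports = sample, open_ports

    def deliver_evidence(self):
        return self.sample, {"open_ports": self.open_ports}

def analyse(snap, units):
    """Stage 1: flow threshold. Stage 2: interactive confirmation by matching."""
    if snap.peers < PEER_THRESHOLD:
        return None                       # below threshold: no request is made
    sample, status = units[snap.terminal].deliver_evidence()
    hits = [name for name, pat in SIGNATURES.items() if pat in sample]
    if not hits:
        return None                       # traffic spike alone raises no alarm
    role = "attack source" if snap.direction == "out" else "attack target"
    # port_open: does this terminal itself expose the service involved?
    return {"terminal": snap.terminal, "role": role, "worm": hits[0],
            "port_open": snap.dst_port in status["open_ports"]}

# Constructed sample data: a scanner, a busy but benign server, a quiet host.
UNITS = {
    "pc-17": AcquisitionUnit(b"..EXAMPLE-PROBE-PATTERN..", {445}),
    "backup-01": AcquisitionUnit(b"ordinary backup payload", {873}),
    "pc-02": AcquisitionUnit(b"", set()),
}
SNAPSHOTS = [
    FlowSnapshot("pc-17", "out", 400, 445),
    FlowSnapshot("backup-01", "in", 120, 873),
    FlowSnapshot("pc-02", "out", 3, 443),
]

def run():
    return [a for a in (analyse(s, UNITS) for s in SNAPSHOTS) if a]
```

The busy backup server exceeds the flow threshold but produces no alarm, which is the false-positive case the interaction step is meant to remove.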

Description

Technical field

[0001] The invention relates to a security detection system and method for a computer network. Specifically, it relates to an interactive network worm detection system and method, which belongs to the technical field of network equipment security in data communication.

Background technique

[0003] With the rapid popularization of computer networks and the continuous rise of various new network services, network security issues have gradually penetrated into various fields of social life and become more and more severe. A network worm is a self-contained program that runs without computer user intervention and spreads by continually gaining partial or complete control of vulnerable computers on a network. The biggest difference between a worm and a virus is that a worm does not require human intervention and can replicate and spread autonomously and continuously. Every outbreak of network worms brings huge losses to society. For example, on No...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): H04L12/24
Inventor: 庄一嵘, 陈珣, 金华敏
Owner: GUANGDONG TELECOM ACAD OF SCI & TECH