一种新的蠕虫检测和控制方法

在分析网络蠕虫连接请求和网络正常连接请求差异的基础上,提出一种新的蠕虫检测和控制方法.该方法针对网络蠕虫攻击特定端口以及攻击地址发散的特性,采用基于端口的多工作集区分网络蠕虫连接请求和网络正常连接请求,在蠕虫控制中使用多延迟队列处理可疑连接请求,避免了不同端口流量之间的相互影响;针对网络正常连接请求的暂时突发特征,利用令牌桶控制多延迟队列的输出,缩短了正常连接请求在延迟队列中的停留时间.测试表明,在主机感染了蠕虫后,新方法将误报率从85%降低到12%,对正常连接请求的平均延迟时间从95.4s降低到5.6s.

A novel method for detection and control of worms

A novel method for worm detection and control is proposed after the difference between worm and normal connection requests was analyzed. Considering the worm characters of attacking unique port and dispersed IP addresses,the method uses port-based multiple work sets to identify worm connection requests in worm detection process,and employs multiple delay queues to process the suspicious connection requests in worm control process to avoid influence of traffic of different ports.Aiming at the normal connection character of ephemeral bursting out,the method takes advantage of token bucket to control the output of delay queues to shorten the period of staying in the delay queue of normal requests.Tests results show that for infected hosts,the false positive was reduced from 85 % to 12 % and the average delay time of normal connection requests was shortened from 95.4 seconds to 5.6 seconds by using new methods.