Similar literature
 19 similar documents found (search time: 171 ms)
1.
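Wang Fenfen, Zhou Deng, Xie Yun. Computer Security (《计算机安全》), 2009, (11): 96-98, 101
In recent years, as Internet applications have deepened, network worms have posed an increasingly serious threat to computer system security and network security; worms spread faster and faster and cause ever greater losses. Some global network worm monitoring methods already exist, but they are not well suited to local area networks. This paper therefore proposes a method for detecting worms cooperatively within the local network. The method focuses on analyzing the behavior of scanning worms in the local network and uses this analysis to issue early-warning information that reveals worm activity in the local network, applying different handling methods to different behavioral characteristics. The results show that the method can accurately and quickly detect scanning worms that intrude into the local network.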

2.
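To stop worms on external networks from propagating into the local network, a worm defense system based on local network protection is designed. The system monitors statistics on connections from external hosts to the local network, such as connection intensity, port similarity and failure ratio, to give early warning of worm scanning behavior and suspicious external hosts, and it defends against worm propagation into the local network by detecting and dropping worm attack packets from suspicious hosts. To improve system efficiency and reduce the impact on normal network activity, worm attack packet detection uses two levels: source address tracking and worm signature matching. Finally, a model of worm propagation in the local network under the protection of this defense system is built, and simulation experiments verify the system's effectiveness.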

3.
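To accurately detect the propagation of external-network worms into the local network, and building on a study of worm scanning behavior patterns, a local-network worm detection method based on scan traffic statistics is proposed, together with the overall approach, key algorithms and detection process for implementing it. The detection method has two steps, anomalous traffic detection and scan packet signature matching: first, the Markov and Cantelli inequalities are used at the network boundary to detect scan traffic entering the local network, and the features of suspicious scan packets in the anomalous traffic are extracted; then the local network is monitored for scanning activity that matches the features of the suspicious scan packets, to determine whether the local network has been infected by an external-network worm. Analysis and preliminary experiments show that the method can accurately detect the propagation of external-network worms into the local network.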

4.
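To address the low efficiency of traditional worm detection methods against unknown worms, an optimized solution based on worm propagation behavior is proposed. A custom binary pattern vector is used to describe the propagation behavior of network worms accurately, and a three-layer security filtering structure is constructed to optimize unknown-worm detection. A comparative study shows that the scheme's improvements to propagation behavior significantly increase the completeness with which unknown worm propagation behavior is described, and results are given for using propagation patterns to detect the propagation behavior of infections by specific worms. Experimental results show that the scheme significantly improves accuracy for unknown worm propagation behavior and can quickly detect scanning worms that intrude into the local network.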

5.
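A hybrid worm detection method is proposed that combines network worm behavior detection with network worm feedback detection. For behavior detection, a local area network is treated as an access model for detecting worms. For feedback detection, the information the network feeds back in response to worm attacks is used as the feature of the feedback detection method. The CUSUM (Cumulative Sum) algorithm then combines the two detection methods to improve the accuracy of network worm detection. Experimental results show that the proposed method detects network worms accurately and efficiently.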

6.
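On high-speed links worms can spread at unpredictably high rates, so designing an efficient automatic defense system is essential. Such a system must be built on highly reliable detection accuracy and real-time traffic analysis. To address these issues, monitoring by visualizing worm traffic information is proposed. A simple and ingenious information visualization method is introduced: plotting each packet in the three-dimensional space of the packet's source IP, destination IP and destination port. With this visualization, worms can be clearly distinguished. Based on this property, an efficient rule for worm detection and classification is designed.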

7.
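A Worm Detection Method Based on Kalman Filtering   Total citations: 1, self-citations: 0, citations by others: 1
Worms pose a serious threat to Internet security, and detecting and defending against worms has become a research topic in network security. A worm detection method based on Kalman filtering is proposed: an appropriate mathematical model is built, the corresponding filter equations are given, and a simulation analysis is carried out. The method can use real-time measurement information to continually correct the estimate. Simulation results show that Kalman filtering can detect worm outbreaks quickly and effectively.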

8.
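Unknown Worm Detection Based on Propagation Analysis of Similar Communication Characteristics   Total citations: 1, self-citations: 0, citations by others: 1
Traditional unknown-worm detection methods are mostly limited to identifying worms' blind scanning behavior and its exponential growth pattern. This paper instead focuses on evaluating the similarity of communication characteristics in the worm propagation topology, detecting unknown worms by identifying the spreading behavior of similar communication characteristics.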

9.
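Based on two network behaviors that worm scanning produces, a high probability of FCC failed connections and a high FCC connection rate, this paper uses a support vector machine to learn from training sample sets of normal hosts and of worm-infected hosts respectively, then uses the trained classifier to classify hosts under test, achieving automatic detection of worm attacks, with experimental validation. Experimental results show that the method detects unknown scanning worms well.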

10.
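To contain the spread of email worms as far as possible before immunization mechanisms take effect, a method for recognizing worm email behavior patterns based on dynamically distributed trap mailboxes is proposed. The method filters worm emails in two complementary ways, trap-based decoying and behavior model matching, overcoming the low sensitivity of earlier detection methods to email worm activity with long propagation delays. Simulation results show that, for email worms with different propagation factors, the new method is markedly effective in controlling the spread of the virus.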

11.
Detecting computer worms is a highly challenging task. We present a new approach that uses artificial neural networks (ANN) to detect the presence of computer worms based on measurements of computer behavior. We compare ANN to three other classification methods and show the advantages of ANN for detection of known worms. We then proceed to evaluate ANN’s ability to detect the presence of an unknown worm. As the measurement of a large number of system features may require significant computational resources, we evaluate three feature selection techniques. We show that, using only five features, one can detect an unknown worm with an average accuracy of 90%. We use a causal index analysis of our trained ANN to identify rules that explain the relationships between the selected features and the identity of each worm. Finally, we discuss the possible application of our approach to host-based intrusion detection systems.

12.
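Liao Mingtao, Zhang Deyun, Hou Lin. Computer Engineering (《计算机工程》), 2006, 32(15): 22-24, 3
By analyzing the characteristics of network worm attacks, the concept of failed connection flow deviation (FCFD), which reflects the characteristics of worm attacks, is defined, and an early worm detection method based on time-series analysis of FCFD is proposed. The method applies the wavelet transform to perform multi-scale analysis of the FCFD time series and uses the modulus maxima of the high-frequency components to detect singular points, thereby discovering possible worm attacks. A method for locating worm-infected hosts and extracting worm scan features based on failed connection analysis is also given. Experimental results show that the method can effectively detect attacks by unknown worms. Compared with existing methods, it has higher detection efficiency and a lower false positive rate.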

13.
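Tong Xiaojun, Wang Zhu. Computer Science (《计算机科学》), 2011, 38(6): 101-105
Some existing worm detection systems detect worms using their propagation characteristics, but they have high false positive rates and cannot monitor large-scale networks. To address this, the worm propagation model is first analyzed and optimized, and a new distributed worm propagation model is proposed. Based on this model, a distributed worm detection technique is proposed: a rule-based detection method monitors network worms, and a console manages and coordinates the work of multiple detection endpoints. Experimental results show that the method gives good early warning of worm propagation behavior, with monitoring and alerting, and has a high detection rate and a low false positive rate.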

14.
Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and immunization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms, while distributed detection systems allow detectors to be more conservative (i.e., paranoid) about potential attacks because they manage false alarms efficiently. In this paper we present our investigation into the complex tradeoffs in such systems between communication costs, computation overhead, accuracy of the local tests, estimation of viral virulence, and the fraction of the network infected before the attack crests. We evaluate the effectiveness of different system configurations in various simulations. Our experiments show that distributed algorithms are better able to balance effectiveness against worms and viruses with reduced cost in computation and communication when faced with false alarms. Furthermore, cooperative, distributed systems seem more robust against malicious participants in the immunization system than earlier cooperative but non-distributed approaches.

15.
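Mei Haibin, Gong Jian. Computer Science (《计算机科学》), 2007, 34(12): 68-72
Based on observation and analysis of alert data, this paper proposes a new method, grounded in time-series analysis theory, suited to real-time macroscopic analysis of IDS alert data from large-scale networks. The method uses the self-similarity of daily IDS alert counts under normal conditions to build a seasonal model of IDS alert counts, and uses the macroscopic relationship between this model and the alert counts to give early warning of large-scale intrusions in the network such as DDoS and worms. Theoretical analysis and experimental results show that the method can promptly discover and warn of large-scale network intrusions, and that it is more accurate and integrates better with IDS than intrusion warning methods based on network traffic anomalies.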

16.
The growth in coordinated network attacks such as scans, worms and distributed denial-of-service (DDoS) attacks is a profound threat to the security of the Internet. Collaborative intrusion detection systems (CIDSs) have the potential to detect these attacks, by enabling all the participating intrusion detection systems (IDSs) to share suspicious intelligence with each other to form a global view of the current security threats. Current correlation algorithms in CIDSs are either too simple to capture the important characteristics of attacks, or too computationally expensive to detect attacks in a timely manner. We propose a decentralized, multi-dimensional alert correlation algorithm for CIDSs to address these challenges. A multi-dimensional alert clustering algorithm is used to extract the significant intrusion patterns from raw intrusion alerts. A two-stage correlation algorithm is used, which first clusters alerts locally at each IDS, before reporting significant alert patterns to a global correlation stage. We introduce a probabilistic approach to decide when a pattern at the local stage is sufficiently significant to warrant correlation at the global stage. We then implement the proposed two-stage correlation algorithm in a fully distributed CIDS. Our experiments on a large real-world intrusion data set show that our approach can achieve a significant reduction in the number of alert messages generated by the local correlation stage with negligible false negatives compared to a centralized scheme. The proposed probabilistic threshold approach gains a significant improvement in detection accuracy in a stealthy attack scenario, compared to a naive scheme that uses the same threshold at the local and global stages. A large scale experiment on PlanetLab shows that our decentralized architecture is significantly more efficient than a centralized approach in terms of the time required to correlate alerts.

17.
An Automated Signature-Based Approach against Polymorphic Internet Worms   Total citations: 2, self-citations: 0, citations by others: 2
Capable of infecting hundreds of thousands of hosts, worms represent a major threat to the Internet. However, the defense against them is still an open problem. This paper attempts to answer an important question: How can we distinguish polymorphic worms from normal background traffic? We propose a new worm signature, called the position-aware distribution signature (PADS), which fills the gap between traditional signatures and anomaly-based intrusion detection systems. The new signature is a collection of position-aware byte frequency distributions. It is more flexible than the traditional signatures of fixed strings while it is more precise than the position-unaware statistical signatures. We propose two algorithms based on expectation-maximization (EM) and Gibbs sampling to efficiently compute PADS from a set of polymorphic worm samples. We also discuss how to separate a mixture of different polymorphic worms such that their respective PADS signatures can be calculated. We perform extensive experiments to demonstrate the effectiveness of PADS in separating new worm variants from normal background traffic.

18.
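A new vulnerability-based worm signature is proposed. Unlike traditional techniques based on syntactic or semantic analysis, it analyzes the characteristics of the vulnerability that the worm attacks, and the algorithm is applied in a detection system. Experiments show that the detection system can effectively detect a variety of polymorphic and metamorphic worms.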

19.
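Among intrusions targeting internal networks, network worms do the most harm. Traditional network security measures have shortcomings, and honeyfarm technology, as a means of monitoring and information gathering, differs fundamentally from traditional network security measures. This study proposes a network worm detection technique based on a three-level intranet honeyfarm system, which can effectively increase worm detection speed and is of real practical significance for improving the security of internal networks.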
