Research and development of worm detection technologies (蠕虫检测技术研究进展)
【Abstract】 Progress in worm detection technology is surveyed. Because it can detect unknown worms, anomaly detection has become an important direction in the development of worm detection. Passive detection uses a honeypot, a system deliberately designed with vulnerabilities, to attract attackers, collect attack information and perform in-depth analysis. Active detection processes the mixed traffic of normal hosts and worm-infected hosts, and includes detection based on connection payloads and detection based on worm behaviour. The characteristics and applicability of each class of method are analysed and discussed. It is argued that current detection techniques need more effective worm detection indices, and, based on the difference in traffic self-similarity between normal hosts and worm hosts, an approach to selecting real-time detection indices is given.
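The abstract's final point, using the difference in traffic self-similarity between normal and worm-infected hosts as a real-time detection index, can be made concrete with the Hurst exponent H, the usual measure of self-similarity in traffic analysis. The Python below is an added example and not code from the paper: it estimates H by rescaled-range (R/S) analysis over per-second connection counts, which are constructed here rather than measured, and flags a host whose H moves away from a baseline learned on that host's normal traffic. The shape of the two constructed series, the baseline learned from a training window and the tolerance of 0.25 are assumptions for illustration, not figures from the paper.

```python
"""Hurst exponent via rescaled-range (R/S) analysis as a per-host traffic
self-similarity index, with a simple baseline-deviation check.
Added example; the series below are constructed, not measured traffic."""
import math
import random
from typing import List, Sequence, Tuple


def rescaled_range(block: Sequence[float]) -> float:
    """R/S statistic of one block: range of the cumulative mean-deviations
    divided by the block's (population) standard deviation."""
    n = len(block)
    mean = sum(block) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in block) / n)
    if std == 0.0:
        return 0.0  # a constant block carries no scaling information
    cum: List[float] = []
    running = 0.0
    for x in block:
        running += x - mean
        cum.append(running)
    return (max(cum) - min(cum)) / std


def hurst_exponent(series: Sequence[float],
                   block_sizes: Sequence[int] = (8, 16, 32, 64, 128)) -> float:
    """Estimate H as the least-squares slope of log(mean R/S) against
    log(block size): for a self-similar series R/S grows like n**H."""
    xs: List[float] = []
    ys: List[float] = []
    for n in block_sizes:
        blocks = [series[i:i + n] for i in range(0, len(series) - n + 1, n)]
        rs = [v for v in (rescaled_range(b) for b in blocks) if v > 0.0]
        if rs:
            xs.append(math.log(n))
            ys.append(math.log(sum(rs) / len(rs)))
    if len(xs) < 2:
        raise ValueError("series too short or too flat for R/S analysis")
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - xm) * (y - ym) for x, y in zip(xs, ys))
    den = sum((x - xm) ** 2 for x in xs)
    return num / den


def deviates_from_baseline(h: float, baseline_h: float, tolerance: float) -> bool:
    """Detection rule: flag the host when its current H lies further than
    `tolerance` from the H learned for that host's normal traffic."""
    return abs(h - baseline_h) > tolerance


def constructed_series(seed: int = 7, length: int = 1024) -> Tuple[List[float], List[float]]:
    """Two constructed per-second connection-count series (not real data).

    benign: a sum of moving sums of white noise at four time scales, which
            gives positive correlation across scales (persistent, bursty).
    worm:   a near-constant scan rate with alternating jitter, so every
            excursion is compensated at once (anti-persistent)."""
    rng = random.Random(seed)
    benign = [0.0] * length
    for w in (1, 4, 16, 64):
        noise = [rng.gauss(0.0, 1.0) for _ in range(length + w)]
        for i in range(length):
            benign[i] += sum(noise[i:i + w]) / math.sqrt(w)
    benign = [20.0 + 3.0 * v for v in benign]
    worm = [50.0 + (1.0 if i % 2 == 0 else -1.0) + 0.05 * rng.gauss(0.0, 1.0)
            for i in range(length)]
    return benign, worm


if __name__ == "__main__":
    benign, worm = constructed_series()
    # Baseline H is "learned" from a training window of the host's own traffic.
    baseline = hurst_exponent(benign[:512])
    for name, s in (("benign-like (test window)", benign[512:]), ("worm-like", worm)):
        h = hurst_exponent(s)
        flagged = deviates_from_baseline(h, baseline_h=baseline, tolerance=0.25)
        print(f"{name}: H = {h:.2f}, baseline = {baseline:.2f}, flagged = {flagged}")
```

The R/S estimator is biased upward at small block sizes, so the baseline must be computed with the same block sizes and window length as the live measurement; comparing an H from one configuration against an H from another is a common source of false alarms.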
【Key words】 worm detection; anomaly detection; passive detection; active detection; worm detection indices
- 【Source】 Computer Engineering and Design (计算机工程与设计), 2009, No. 5
- 【Classification number】 TP309.5
- 【Citations】 13
- 【Downloads】 256