【作者】 杨秀华； 李天博； 李振建； 杨玉芬；

【Author】 Yang Xiuhua, Li Tianbo, Li Zhenjian, Yang Yufen(Network Information Center ,Jilin University, Changchun 130012, China)

【机构】 吉林大学网络中心；

【摘要】 大规模网络蠕虫事件的频频爆发,造成了巨大的危害。目前已成为对Internet安全最大的威胁。蠕虫及时检测并且尽早发现蠕虫的行为特征对于减少蠕虫的破坏,是非常重要的。本文分析了网络蠕虫的特征行为,讨论了网络蠕虫的扫描策略,通过对蠕虫爆发时,根据网络出现的异常情况,提出了根据ICMP-T3数据异常分析、CPU使用率异常以及平均数据包长度变小等异常因素进行综合分析方法,实现对未知蠕虫的检测。更多还原

【Abstract】 The frequent breakouts of Internet worms result in tremendous damage to our society. Internet worm has been serious threat to Internet security. It is necessary to detect the presence of a worm in the Internet as quickly as possible. Knowing an active worm characteristics very early in its propagation can significantly reduce the damage it may cause. First, the behavior characteristics and scanning strategies are discussed. Then, We defined the anomaly vector to share among the detection agents, using ICMP Destination Unreachable (ICMP-T3) messages generated by routers for packets to unused IP addresses, the recent CPU usage statistics and small packets statistics. We proposed a monitoring method based on anomalous network data.更多还原