基于种子——扩充的多态蠕虫特征自动提取方法

doi:10.3969/j.issn.1000-436x.2014.09.002

摘要/Abstract

摘要：

提出基于种子—扩充的多态蠕虫特征自动提取方法 SESG。SESG 算法首先按序列的权重大小将其放入一个队列，然后依序次对队列中的种子序列进行扩充，从而对各类蠕虫以及噪音序列进行分类，并从分类后的蠕虫列中提取其特征。测试结果表明，SESG 算法能够在包含噪音的可疑池中很好地区分各类蠕虫序列，更易于提取有效的蠕虫特征。

关键词: 信息安全, 种子扩充算法, 多态蠕虫, 蠕虫检测, 蠕虫特征

Abstract:

A polymorphic worm signature generation approach based on seed-extending,SESG,was proposed.Firstly,algorithm SESG puts all sequences into a queue based on their weight.Seed sequence in the queue is extended,and all kinds of worm sequences and noise sequences are classified.Finally,worm signature is generated from classified worm sequences.Experiments are run to test SESG and compared with other approaches.Experiment results show that SESG can classify worm sequences and noise sequences from suspicious flow pool over other existed approaches,which can generate effective worm signature more easily.

Key words: nformation security, seed-extending algorithm, polymorphic worm, worm detection, worm signature

汪洁,何小贤. 基于种子——扩充的多态蠕虫特征自动提取方法[J]. 通信学报, 2014, 35(9): 12-19.

Jie WANG,Xiao-xian HE. Automated polymorphic worm signature generation approach based on seed-extending[J]. Journal on Communications, 2014, 35(9): 12-19.

图/表 21

图1

图2

图3

图4

表1

表2

表3

表4

表5

表6

表7

表8

表9

表10

表11

表12

表13

表14

表15

表16

表17

参考文献 28

[1]	文伟平，卿斯汉，蒋建春等．网络蠕虫研究与进展[J]．软件学报， 2004,15(8):1208-1219. WENG W P , QING S H , JIANG J C , et al. Research and development of internet worms[J]. Journal of Software, 2004,15(8):1208-1219.
[2]	和亮，冯登国，王蕊等．基于MapReduce的大规模在线社交网络蠕虫仿真[J]．软件学报， 2013,24(7):1666-1682. HE L , FENG D G , WANG R , et al. Mapreduce-based large-scale online social network worm simulation[J]. Journal of Software, 2013,24(7):1666-1682.
[3]	苏飞，林昭文，马严等． IPv6网络环境下的蠕虫传播模型研究[J]．通信学报， 2011,32(9):51-60. SU F , LIN Z W , MA Y , et al. Research on worm propagation model in IPv6 networks[J]. Journal on Communications, 2011,32(9):51-60.
[4]	吴国政，秦志光．大规模对等网络蠕虫仿真技术研究[J]．通信学报， 2011,32(8):128-135. WU G Z , QIN Z G . Research on large-scale P2P worm simulation[J]. Journal on Communications, 2011,32(8):128-135.
[5]	张伟，王汝传，李鹏．基于云安全环境下的蠕虫传播模型[J]．通信学报， 2012,33(4):17-24. ZHANG W , WANG R C , LI P . Worm propagation modeling in cloud security[J]. Journal on Communications, 2012,33(4):17-24.
[6]	刘波，王怀民，肖枫涛等．面向异构网络环境下的蠕虫传播模型Enhanced-AAWP[J]．通信学报， 2011,32(12):103-113. LIU B , WANG H M , XIAO F T , et al. Enhanced-AAWP,a heteroge-neous network oriented worm propagation model[J]. Journal on Communications, 2011,32(12):103-113.
[7]	杨峰，段海新，李星．网络蠕虫扩散中蠕虫和良性蠕虫交互过程建模与分析[J]．中国科学(E辑)， 2004,34(8):841-856. YANG F , DUAN H X , LI X . Modeling and analyzing interaction be-tween network worm and antiworm during the propagation process[J]. Science in China Ser E, 2004,34(8):841-856.
[8]	肖枫涛，胡华平，刘波． HPBR：用于蠕虫检测的主机报文行为评级模型[J]．通信学报， 2008,29(10):108-116. XIAO F T , HU H P , LIU B . HPBR: host packet behavior ranking model used in worm detection[J]. Journal on Communications, 2008,29(10):108-116.
[9]	COMAR P M , LIU L , SAHA S , et al. Combining supervised and unsupervised learning for zero-day malware detection[A]. Proceedings of 32nd Annual IEEE International Conference on Computer Commu-nications (INFOCOM 2013)[C]. Turin,Italy, 2013.2022-2030.
[10]	KAUR R. , SINGH M . Efficient hybrid technique for detecting zero-day polymorphic worms[A]. 2014 IEEE International Advance Computing Conference (IACC)[C]. Gurgaon,India, 2014.95-100.
[11]	唐勇，诸葛建伟，陈曙晖等．蠕虫正则表达式特征自动提取技术研究[J]．通信学报， 2013,34(3):141-147. TANG Y , ZHUGE J W , CHEN S H , et al. Automatic generating regu-lar expression signatures for real network worms[J]. Journal on Communications, 2013,34(3):141-147.
[12]	王平，方滨兴，云晓春．基于自动特征提取的大规模网络蠕虫检测[J]．通信学报， 2006,27(6):87-93. WANG P , FANG B X , YUN X C . Large scale network worm detection using automatic signature extraction[J]. Journal on Communications, 2006,27(6):87-93.
[13]	KAUR R , SINGH M . A survey on zero-day polymorphic worm detec-tion techniques[J]. IEEE Communications Surveys ＆ Tutorials, 2014:1-30.
[14]	PORTOKALIDIS G , BOS H . Sweetbait: zero-hour worm detection and containment using low-and high-interaction honeypots[J]. Computer Networks, 2007,51(5):1256-1274.
[15]	CAI M , HWANG K , PAN J , et al. Wormshield: fast worm signature generation with distributed fingerprint aggregation[J]. IEEE Transac-tions on Dependable and Secure Computing, 2007,4(2):88-104.
[16]	RANJAN S , SHAH S , NUCCI A , et al. Dowitcher: effective worm detection and containment in the internet core[A]. IEEE INFOCOM 2007[C]. Alaska,USA, 2007.2541-2545.
[17]	MOHAMMED MMZE , CHAN H A , VENTURA N , et al. An auto-mated signature generation method for zero-day polymorphic worms based on multilayer perceptron model[A]. 2013 International Confer-ence on Advanced Computer Science Applications and Technologies (ACSAT)[C]. Zhengzhou,China, 2013.450-455.
[18]	YEGNESWARAN V , GIFFIN J T , BARFORD P , et al. An architecture for generating semantics-aware signatures[A]. Proceedings of the 14th Conference on USENIX Security Symposium[C]. Baltimore, 2005.
[19]	NEWSOME J , KARP B , SONG D . Polygraph: automatically generat-ing signatures for polymorphic worms[A]. Proceedings of 2005 IEEE Symposium on Security and Privacy Symposium[C]. Oakland,California, 2005.226-241.
[20]	LI Z , SANGHI M , CHEN Y , et al. Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. Berkeley/Oakland,California, 2006.32-47.
[21]	CAVALLARO L , LANZI A , MAYER L , et al. LISABETH: automated content-based signature generator for zero-day polymorphic worms[A]. Proceedings of the Fourth International Workshop on Software Engi-neering for Secure Systems[C]. Berlin,Germany, 2008.41-48.
[22]	BAYOGLU B , SOGUKPINAR I . Polymorphic worm detection using token-pair signatures[A]. Proceedings of the 4th International Work-shop on Security,Privacy and Trust in Pervasive and Ubiquitous Com-putting[C]. New York,USA, 2008.7-12.
[23]	MOHAMMED MMZE , CHAN H A , VENTURA N . Honeycyber:automated signature generation for zero-day polymorphic worms[A]. IEEE Military Communications Conference,MILCOM 2008[C]. New York,USA, 2008.1-6.
[24]	WANG J , WANG J X , CHEN J E , et al. An automated signature gen-eration approach for polymorphic worm based on color coding[A]. IEEE ICC 2009[C]. Dresden,Germany, 2009.1-6.
[25]	TANG Y , XIAO B , LU X , et al. Using a bioinformatics approach to generate accurate exploit-based signatures for polymorphic worms[J]. Computers ＆ Security, 2009,28(8):827-842.
[26]	TANG Y , CHEN S . An automated signature-based approach against polymorphic internet worms[J]. IEEE Transactions on Parallel and Distributed Systems, 2007,18(7):879-892.
[27]	BAYOGLU B , SOGUKPINAR L . Graph based signature classes for detecting polymorphic worms via content analysis[J]. Computer Networks, 2012,56(2):832-844.
[28]	汪洁，王建新，刘绪崇．基于近邻关系特征的多态蠕虫防御方法[J]．通信学报， 2011,32(8):150-158. WANG J , WANG J X , LIU X C . Novel approach based on neighbor-hood relation signature against polymorphic Internet worms[J]. Journal on Communications, 2011,32(8):150-158.

类别	噪音序列	Blaster蠕虫
1组	16条序列	0条序列
2组	30条序列	0条序列
3组	0条序列	50条序列
4组	4条序列	0条序列

类别	噪音序列	Blaster蠕虫
1组	8条序列	50条
2组	42条序列	0条

测试	GNRS	CCSF	Normalized Cuts+NRS	SESG+NRS
误报率	0.4315	0	0.1017	0
漏报率	0	0	0	0

类别	SQL Slammer蠕虫序列	Blaster蠕虫序列
1组	0条序列	50条序列
2组	50条序列	0条序列

类别	SQL Slammer蠕虫序列	Blaster蠕虫序列
1组	50条序列	2条序列
2组	0条序列	48条序列