基于NLA的Polymorphic蠕虫特征自动提取算法研究

随着Polymorphic蠕虫变形技术的不断发展,如何快速有效地提取其特征是入侵检测中特征提取领域的一个重要研究方向。采用基于模式的特征提取算法NLA(Normalized Local Alignment),通过对多个可疑Polymorphic蠕虫流量进行序列比对,自动提取高相似度公共子序列,以向量的形式构造蠕虫特征。实验结果表明该算法在误报率和漏报率方面均优于传统算法。     

一种改进的多态蠕虫特征提取算法

大多数多态蠕虫特征提取方法不能很好地处理噪音,提取出的蠕虫特征无法对多态蠕虫进行有效检测。为此,提出一种改进的多态蠕虫特征提取算法。采用Gibbs算法从包含n条序列(包括k条蠕虫序列)的可疑流量池中提取出蠕虫特征,在识别蠕虫序列的过程中基于color coding技术提高算法的运行效率。仿真实验结果表明,该算法能够减少时间和空间开销,即使可疑池中存在噪音,也能有效地提取多态蠕虫。     

基于改进蚁群算法的多态蠕虫特征提取

多态蠕虫特征提取是基于特征的入侵检测的难点,快速提取出精确程度更高的多态蠕虫特征对于有效防范蠕虫的快速传播有着重要的作用。针对层次式的多序列匹配(HMSA)算法进行多序列比对的时间效率较低和由迭代方法提取出的特征不够精确等问题,提出了基于改进蚁群算法的多态蠕虫特征提取方法antMSA。该方法首先对蚁群的搜索策略进行了相应的改进,并将改进后的蚁群算法引入到奖励相邻匹配的全局联配(CMENW)算法中,利用蚁群算法快速收敛能力,在全局范围内快速生成较好解,提取出多态蠕虫的特征片段;然后将其转化为标准入侵检测系统(IDS)规则,用于后期防御。实验表明,改进后的蚁群算法能够较好地克服基本蚁群算法的停滞现象,扩大搜索空间,能够有效提高特征提取的效率和质量,降低误报率。     

基于彩色编码的多态蠕虫特征自动提取方法

快速而准确地提取蠕虫特征对于有效防御多态蠕虫的传播至关重要,但是目前的特征产生方法在噪音干扰下无法产生正确的蠕虫特征.提出基于彩色编码的特征自动提取算法CCSF(color coding signature finding)来解决有噪音干扰情况下的多态蠕虫特征提取问题.CCSF算法将可疑池中的n条序列分成m组,然后运用彩色编码对每组序列进行特征提取.通过对每组提取出来的特征集合进行过滤筛选,最终产生正确的蠕虫特征.采用多类蠕虫对CCSF算法进行测试,并与其他蠕虫特征提取方法进行比较,结果表明,CCSF算法能够在有噪音干扰的条件下准确地提取出多态蠕虫的特征,该特征不包含碎片,易于应用到IDS(intrusion detection system)中对多态蠕虫进行检测.     

改进的蠕虫特征自动提取模型及算法设计

文章提出了一种基于序列比对的蠕虫特征自动提取模型,该模型针对现有蠕虫特征自动提取系统的可疑蠕虫样本流量单来源和粗预处理等问题,提出了对网络边界可疑流量和蜜罐捕获网络流量统一的聚类预处理,并使用改进的T-Coffee多序列比对算法进行蠕虫特征提取。实验分别对Apache-Knacker和TSIG这两种蠕虫病毒进行特征提取,从实验结果可以看出文章提出的模型产生的特征质量优于比较流行的Polygraph、Hamsa两种技术。     

基于特征提取的未知蠕虫攻击防御模型设计

本文提出了一种基于特征提取的蠕虫攻击防御模型,该模型能早期检测蠕虫攻击流量,提取未知蠕虫的代码特征片断,动态更新入侵检测系统规则库.本文给出了整体模型及组成功能模块的详细设计.     

基于奇异事件特征的时间序列相似模式匹配

现有的时间序列特征提取方法多为单尺度方法，导致特征点的时间定位不准确，从而影响模式发现的质量。该文基于小波奇异检测理论，提出了一种多尺度时间序列特征提取方法，利用奇异特征将时间序列压缩为事件序列表示，定义了事件序列动态时间弯曲相似度量，给出了基于事件序列相似模式匹配算法。实验表明，该方法具有较高的匹配精度和较低的计算代价。     

一种基于序列比对的入侵特征提取算法

本文提出了一种新的基于多序列比对1的入侵特征提取算法.该算法包括两部分:基于局部比对的两序列比对算法SLA(Sequence Local Alignment)和多序列比对算法MSA(Multi-Sequence Alignment).SLA算法借鉴了生物信息学中两序列比对的思想,用局部序列比对思想和仿射空位罚分模型代替了目前在攻击特征提取中常用的全局序列比对思想和权值恒定空位罚分模型,以提高攻击特征的泛化程度.MSA算法利用一种新的剪枝策略来提高现有多序列比对算法在攻击特征提取中的抗噪声能力.本文详细介绍了两个算法,并给出了算法分析,最后对算法的有效性、提取的攻击特征在检测中的有效性以及抗噪声能力进行了实验验证.     

基于失败连接流量偏离度的蠕虫早期检测方法

通过分析网络蠕虫攻击的特点，定义了能够反映蠕虫攻击特征的失败连接流量偏离度（FCFD）的概念，并提出了一种基于FCFD时间序列分析的蠕虫早期检测方法。该方法利用小波变换对FCFD时间序列进行多尺度分析，利用高频分量模极大值进行奇异点检测，从而发现可能的蠕虫攻击。同时给出了一种基于失败连接分析的蠕虫感染主机定位和蠕虫扫描特征提取方法。实验结果显示，该方法能够有效检测未知蠕虫的攻击。和已有方法相比，该方法具有更高的检测效率和更低的误报率。     

基于人机交互和特征提取的英汉翻译系统研究

为了提高英汉翻译系统的翻译精度,提出一种基于人机交互和特征提取的英汉翻译系统模型。首先,为了实现翻译特征语境特征的提取,通过特征提取算法提取语义翻译语境矩阵和非语义翻译语境矩阵;其次,为度量同一翻译环境下的两个语义向量之间的相似度,选择余弦相似度函数计算翻译相似度。将翻译相似度引入英汉翻译系统模型,通过比较两个语义向量之间的翻译相似度实现英汉之间的翻译。与SOA、SCA和SLA对比可知,基于人机交互和特征提取的英汉翻译具有更高的准确率、精确率和召回率,为英语翻译提供新的方法和途径。     

Graph based signature classes for detecting polymorphic worms via content analysis

Malicious softwares such as trojans, viruses, or worms can cause serious damage for information systems by exploiting operating system and application software vulnerabilities. Worms constitute a significant proportion of overall malicious software and infect a large number of systems in very short periods. Polymorphic worms combine polymorphism techniques with self-replicating and fast-spreading characteristics of worms. Each copy of a polymorphic worm has a different pattern so it is not effective to use simple signature matching techniques. In this work, we propose a graph based classification framework of content based polymorphic worm signatures. This framework aims to guide researchers to propose new polymorphic worm signature schemes. We also propose a new polymorphic worm signature scheme, Conjunction of Combinational Motifs (CCM), based on the defined framework. CCM utilizes common substrings of polymorphic worm copies and also the relation between those substrings through dependency analysis. CCM is resilient to new versions of a polymorphic worm. CCM also automatically generates signatures for new versions of a polymorphic worm, triggered by partial signature matches. Experimental results support that CCM has good flow evaluation time performance with low false positives and low false negatives.     

基于AOI方法的未知蠕虫特征自动发现算法研究

近年来频繁爆发的大规模网络蠕虫对Internet的整体安全构成了巨大的威胁，新的变种仍在不断出现。由于无法事先得到未知蠕虫的特征，传统的基于特征的入侵检测机制已经失效。目前蠕虫监测的一般做法是在侦测到网络异常后由人工捕获并进行特征的分析，再将特征加入高速检测引擎进行监测。本文提出了一种新的基于面向属性归纳（AOI）方法的未知蠕虫特征自动提取方法。该算法在可疑蠕虫源定位的基础上进行频繁特征的自动提取，能够在爆发的早期检测到蠕虫的特征，进而通过控制台特征关联监测未知蠕虫的发展趋势。实验证明该方法是可行而且有效的。     

基于蠕虫攻击模型和语义分析的特征码自动提取

传统手工提取蠕虫的特征串需要很长时间,而基于串模式分析自动提取的虚警率和漏警率始终不太理想.该文提出了一种基于蠕虫攻击模型的语义分析特征提取法.该方法基于蠕虫攻击模型先验知识,自动识别蠕虫代码各个功能部分,将蠕虫攻击的必用部分作为蠕虫的特征串,提出了蠕虫攻击的通用模型OSJUMP.基于该模型,证明了基于语义提取蠕虫特征的有效性,给出了一种基于语义的蠕虫特征自动提取算法.对Red Code等各种实际蠕虫进行测试,结果显示自动提取生成的蠕虫特征值和安全厂商手工分析提供的特征值具有很大的可比性.     

WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation

Fast and accurate generation of worm signatures is essential to contain zero-day worms at the Internet scale. Recent work has shown that signature generation can be automated by analyzing the repetition of worm substrings (that is, fingerprints) and their address dispersion. However, at the early stage of a worm outbreak, individual edge networks are often short of enough worm exploits for generating accurate signatures. This paper presents both theoretical and experimental results on a collaborative worm signature generation system (WormShield) that employs distributed fingerprint filtering and aggregation over multiple edge networks. By analyzing real-life Internet traces, we discovered that fingerprints in background traffic exhibit a Zipf-like distribution. Due to this property, a distributed fingerprint filtering reduces the amount of aggregation traffic significantly. WormShield monitors utilize a new distributed aggregation tree (DAT) to compute global fingerprint statistics in a scalable and load-balanced fashion. We simulated a spectrum of scanning worms including CodeRed and Slammer by using realistic Internet configurations of about 100,000 edge networks. On average, 256 collaborative monitors generate the signature of CodeRedl-v2 135 times faster than using the same number of isolated monitors. In addition to speed gains, we observed less than 100 false signatures out of 18.7-Gbyte Internet traces, yielding a very low false-positive rate. Each monitor only generates about 0.6 kilobit per second of aggregation traffic, which is 0.003 percent of the 18 megabits per second link traffic sniffed. These results demonstrate that the WormShield system offers distinct advantages in speed gains, signature accuracy, and scalability for large-scale worm containment.     

入侵检测报警信息融合系统的构建与实现

针对目前入侵检测系统（IDS）存在的误报、漏报等问题,首先分析了存在误警的原因,设计并实现了一个入侵检测报警信息融合系统的模型。该模型提出一种相似隶属函数对报警事件进行关联,最后对系统进行了实验验证。结果表明该系统能有效地减少报警数量,降低误报、漏报率,从而提高了报警的有效性。同时通过事件关联完成攻击场景的重构,为加深对攻击者攻击意图的了解带来了方便,达到预警的目的,具有较强的实用价值。     

入侵检测报警信息融合系统的构建与实现

针对目前入侵检测系统(IDS)存在的误报、漏报等问题,首先分析了存在误警的原因,设计并实现了一个入侵检测报警信息融合系统的模型。该模型提出一种相似隶属函数对报警事件进行关联,最后对系统进行了实验验证。结果表明该系统能有效地减少报警数量,降低误报、漏报率,从而提高了报警的有效性。同时通过事件关联完成攻击场景的重构,为加深对攻击者攻击意图的了解带来了方便,达到预警的目的,具有较强的实用价值。     

Intrusion detection in computer networks by a modular ensemble of one-class classifiers

Since the early days of research on intrusion detection, anomaly-based approaches have been proposed to detect intrusion attempts. Attacks are detected as anomalies when compared to a model of normal (legitimate) events. Anomaly-based approaches typically produce a relatively large number of false alarms compared to signature-based IDS. However, anomaly-based IDS are able to detect never-before-seen attacks. As new types of attacks are generated at an increasing pace and the process of signature generation is slow, it turns out that signature-based IDS can be easily evaded by new attacks. The ability of anomaly-based IDS to detect attacks never observed in the wild has stirred up a renewed interest in anomaly detection. In particular, recent work focused on unsupervised or unlabeled anomaly detection, due to the fact that it is very hard and expensive to obtain a labeled dataset containing only pure normal events.The unlabeled approaches proposed so far for network IDS focused on modeling the normal network traffic considered as a whole. As network traffic related to different protocols or services exhibits different characteristics, this paper proposes an unlabeled Network Anomaly IDS based on a modular Multiple Classifier System (MCS). Each module is designed to model a particular group of similar protocols or network services. The use of a modular MCS allows the designer to choose a different model and decision threshold for different (groups of) network services. This also allows the designer to tune the false alarm rate and detection rate produced by each module to optimize the overall performance of the ensemble. Experimental results on the KDD-Cup 1999 dataset show that the proposed anomaly IDS achieves high attack detection rate and low false alarm rate at the same time.     

开放式网络攻击特征库的设计与实现

随着网络攻击的全球化，入侵检测系统要保护的不再是个别子网，而是整个的网络环境．由此，产生了对入侵检测开放式资源的迫切需求．本文的工作实现了一个开放式的网络攻击特征库系统，它包括了1200多条有效的攻击特征．本文设计并实现了用于攻击特征实时更新的攻击特征交换协议（ISEP），并描述了其中基于数字证书扣角色的访问控制技术．最后，通过Nachi蠕虫的实例说明了本特征库中攻击特征的提取方法．     

An Automated Signature-Based Approach against Polymorphic Internet Worms

Capable of infecting hundreds of thousands of hosts, worms represent a major threat to the Internet. However, the defense against them is still an open problem. This paper attempts to answer an important question: How can we distinguish polymorphic worms from normal background traffic? We propose a new worm signature, called the position-aware distribution signature (PADS), which fills the gap between traditional signatures and anomaly-based intrusion detection systems. The new signature is a collection of position-aware byte frequency distributions. It is more flexible than the traditional signatures of fixed strings while it is more precise than the position-unaware statistical signatures. We propose two algorithms based on expectation-maximization (EM) and Gibbs sampling to efficiently compute PADS from a set of polymorphic worm samples. We also discuss how to separate a mixture of different polymorphic worms such that their respective PADS signatures can be calculated. We perform extensive experiments to demonstrate the effectiveness of PADS in separating new worm variants from normal background traffic.