Journal: 《计算机工程与科学》 (Computer Engineering & Science)

A Worm Detection System Based on Process Traffic Behaviors

         

Abstract

As worms propagate faster and faster, the damage they cause grows more and more serious. To detect worms quickly, this paper describes three worm-related process traffic behaviors: the total number of source ports in worm-like traffic, the change frequency of source ports in a process's worm-like traffic, and the ratio of worm-like traffic to total traffic for a single process. Based on these three behaviors, a worm detection system based on process traffic behaviors is presented, and its definitions, framework design and key implementation are introduced. Finally, experiments with real-world worms and normal applications show that the system can detect worms quickly and accurately, with a low false-positive rate.
