Abstract
Building on an analysis of the distribution of normal network traffic, this paper proposes a worm detection method based on multi-feature similarity. First, the high-frequency statistics of several features are used to compute a similarity for each feature; these are then combined into a single similarity value; next, the similarities of two adjacent samples are compared, and an anomaly is finally detected. To a certain degree the method reduces both the false positive and false negative rates of detection; it also performs well at detecting a worm before it spreads on a large scale, so that a diagnosis can be made in the early stage of a worm outbreak, and it is suited not only to detecting known types of worm but also detects unknown types well.
Based on an analysis of the characteristics of normal network traffic distribution, a method based on multi-feature likeness for worm detection is put forward. The method falls into three steps: firstly, obtaining high-frequency statistics for multiple features and calculating their likenesses respectively; secondly, mixing them into one combined likeness; finally, focusing on likeness changes between adjacent sampling times and detecting the abnormality. To some extent, the method can decrease the false positive rate and false negative rate, can obtain a good detection effect before the worm spreads across the Internet, and can be applied not only to known worms but also to unknown worms.
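An added example, not code from the paper: a minimal Python version of the three steps the abstract describes (per-feature high-frequency statistics and their similarity, one combined similarity, comparison of adjacent samples), run over constructed flow records. The similarity metric (cosine over top-k frequency tables), the feature weights and the alert threshold are assumptions, since the abstract does not state them.

```python
from collections import Counter
from math import sqrt

# Constructed sample flow records (src_ip, dst_ip, dst_port), one list per
# sampling window. Windows 0 and 1 are ordinary traffic; window 2 shows one
# host contacting many hosts on a single port, the pattern a scanning worm leaves.
WINDOWS = [
    [("10.0.0.1", "10.0.1.5", 443), ("10.0.0.2", "10.0.1.5", 443), ("10.0.0.3", "10.0.1.8", 80),
     ("10.0.0.1", "10.0.1.9", 53), ("10.0.0.4", "10.0.1.5", 443)],
    [("10.0.0.1", "10.0.1.5", 443), ("10.0.0.5", "10.0.1.8", 80), ("10.0.0.3", "10.0.1.5", 443),
     ("10.0.0.2", "10.0.1.9", 53), ("10.0.0.4", "10.0.1.8", 80)],
    [("10.0.0.7", f"10.0.2.{i}", 445) for i in range(1, 21)],
]
FEATURES = {"src_ip": 0, "dst_ip": 1, "dst_port": 2}   # column index of each feature
WEIGHTS = {"src_ip": 0.3, "dst_ip": 0.4, "dst_port": 0.3}  # assumed weights, sum to 1

def top_k_freq(records, idx, k=5):
    """High-frequency statistics: relative frequency of the k most common values of one feature."""
    if not records:
        return {}
    counts = Counter(r[idx] for r in records)
    return {v: c / len(records) for v, c in counts.most_common(k)}

def cosine(a, b):
    """Assumed similarity metric: cosine similarity between two frequency tables."""
    dot = sum(a.get(x, 0.0) * b.get(x, 0.0) for x in set(a) | set(b))
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def composite_similarity(prev, cur, k=5):
    """Steps 1 and 2: per-feature similarity of adjacent windows, combined by a weighted mean."""
    return sum(w * cosine(top_k_freq(prev, FEATURES[f], k), top_k_freq(cur, FEATURES[f], k))
               for f, w in WEIGHTS.items())

def detect(windows, drop=0.5, k=5):
    """Step 3: compare the similarities of adjacent samples; a sharp drop marks the window as anomalous.
    Returns (similarities, alerted window indices)."""
    sims = [composite_similarity(windows[i - 1], windows[i], k) for i in range(1, len(windows))]
    alerts = [i + 1 for i in range(1, len(sims)) if sims[i - 1] - sims[i] > drop]
    return sims, alerts

if __name__ == "__main__":
    sims, alerts = detect(WINDOWS)
    print("adjacent-window similarities:", [round(s, 3) for s in sims])
    print("anomalous windows:", alerts)
```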
Source
《高技术通讯》
CAS
CSCD
PKU Core Journals (北大核心)
2005, No. 8, pp. 11-17 (7 pages)
Chinese High Technology Letters
Funding
National High Technology Research and Development Program of China (863 Program)