Research and Implementation of Detection Techniques for Worms That Propagate via Vulnerabilities
Abstract
As internet use deepens, network worms pose a growing threat to computer system and network security, and have become the most common problem computer users encounter. Their propagation not only consumes most of an infected host's system resources and damages the target system; it also seizes network bandwidth, causing severe congestion and sometimes bringing down an entire network. Most current network worms spread by exploiting software vulnerabilities. In addition, the spread of hacking techniques and the falling difficulty of writing worms have shortened the cycle from vulnerability discovery to working exploit to large-scale outbreak, while the time needed to contain and clean up keeps growing. How to detect, warn of, and respond to network worms has therefore become an important topic in computer network security research.
     This thesis begins by introducing several well-known network worms, defines worms in terms of their behaviour, and analyses how they differ from traditional computer viruses. It then explains the workflow, functional structure, behavioural characteristics and development trends of network worms, proposes a classification based on propagation method, and summarises the research areas concerned with worms. It then focuses on worms that propagate via vulnerabilities, analysing their propagation strategies, characteristics and methods and their attack techniques, as groundwork for a detection method for this class of worm.
     Traditional worm detection relies on signature matching and must keep updating its signature database to detect the latest worms; a new worm can compromise a user's system before the signature arrives, so the database has to be updated promptly. Anti-virus vendors use anomaly detection to extract worm signatures, but existing anomaly-detection approaches demand substantial analysis resources that a small network cannot provide.
     This thesis investigates a lightweight, honeypot-based worm detection technique. Because a worm sends near-identical traffic to every target as it propagates, this similarity lets the honeypot detect worms in the network with few resources and extract their signatures, which are then passed to the pattern-matching engine. The thesis also proposes a second, anomaly-based method that finds new worms by counting TCP SYN packets and UDP packets.
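The honeypot-based signature extraction described above, as an added example in Python that is not the thesis's own code: every payload a honeypot receives on an otherwise unused address is unsolicited, so payloads that arrive from different sources are compared by longest common substring (the approach used by signature-generating honeypots such as Honeycomb), and a sufficiently long shared byte string becomes a signature for the pattern-matching engine. The thresholds, the event tuples, and the sample payloads are assumptions constructed for the example.

```python
# Added example, not code from the thesis. Honeypot events -> signature -> pattern matcher.
from collections import defaultdict

MIN_SIG_LEN = 12   # assumed: shorter shared strings are too likely to occur in benign traffic
MIN_SOURCES = 2    # assumed: require the same content from at least two distinct infected hosts


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic O(len(a)*len(b)) dynamic-programming longest common substring on raw bytes."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def extract_signatures(honeypot_events):
    """honeypot_events: iterable of (src_ip, dst_port, payload_bytes) seen by the honeypot.
    Returns {dst_port: signature_bytes} for ports where payloads from MIN_SOURCES or more
    different sources share at least MIN_SIG_LEN bytes (pairwise-folded LCS, a heuristic)."""
    by_port = defaultdict(dict)                  # dst_port -> {src_ip: first payload seen}
    for src, port, payload in honeypot_events:
        by_port[port].setdefault(src, payload)
    sigs = {}
    for port, per_src in by_port.items():
        payloads = list(per_src.values())
        if len(payloads) < MIN_SOURCES:
            continue
        common = payloads[0]
        for p in payloads[1:]:
            common = longest_common_substring(common, p)
            if len(common) < MIN_SIG_LEN:
                break
        if len(common) >= MIN_SIG_LEN:
            sigs[port] = common
    return sigs


def match_traffic(packets, signatures):
    """Pattern-matching engine: flag (src, dst, port) for packets whose payload contains
    the signature extracted for that destination port."""
    hits = []
    for src, dst, port, payload in packets:
        sig = signatures.get(port)
        if sig is not None and sig in payload:
            hits.append((src, dst, port))
    return hits


# Constructed sample data (not real captures). The two port-135 payloads differ in padding
# length and trailing bytes but share one fixed body, as copies sent by a scanning worm would.
# The port-80 event comes from a single source, so no signature is produced for it.
HONEYPOT_EVENTS = [
    ("10.0.0.5", 135, b"\x90" * 8 + b"WORMBODY-EXAMPLE-0001" + b"\x41\x42\x43\x44"),
    ("10.0.0.9", 135, b"\x90" * 3 + b"WORMBODY-EXAMPLE-0001" + b"\x45\x46\x47\x48"),
    ("10.0.0.7", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]
LIVE_PACKETS = [
    ("10.0.0.21", "10.0.1.4", 135, b"\x90" * 5 + b"WORMBODY-EXAMPLE-0001" + b"\x00" * 4),
    ("10.0.0.22", "10.0.1.4", 135, b"\x05\x00\x0b\x03" + b"\x00" * 16),   # benign-looking bind
    ("10.0.0.23", "10.0.1.8", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    sigs = extract_signatures(HONEYPOT_EVENTS)
    print(sigs)                                  # {135: b'\x90\x90\x90WORMBODY-EXAMPLE-0001'}
    print(match_traffic(LIVE_PACKETS, sigs))     # [('10.0.0.21', '10.0.1.4', 135)]
```

Note that the extracted signature picks up three padding bytes that the two copies happened to share; in practice a signature generator should trim low-entropy prefixes and suffixes before handing the string to the matcher, or it will over-match traffic that merely starts with the same filler.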
     Based on this research, a detection system suitable for small-scale networks was designed and implemented. The design and implementation of its three subsystems, the signature-detection subsystem, the honeypot subsystem and the anomaly-detection subsystem, are described, and the system was tested and validated.
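The anomaly-detection subsystem's counting check, as an added example in Python that is not the thesis's own code: per source host, outbound TCP SYN packets and UDP packets are counted in a sliding time window together with the number of distinct destinations they were sent to. A scanning worm on a client host produces many connection attempts to many different addresses in a short time; a normal client produces few, and a server's own traffic is mostly SYN-ACK replies, which are not counted. Requiring many distinct destinations as well as many packets is an addition to the abstract's plain count, made so that a legitimate client hammering one server does not trip the alarm. The window length, the thresholds, the log format and the sample records are assumptions constructed for the example.

```python
# Added example, not code from the thesis. Sliding-window SYN/UDP counting per source host.
from collections import defaultdict, deque

WINDOW_SECONDS = 10            # assumed sliding window length
SYN_UDP_THRESHOLD = 20         # assumed: SYN+UDP packets per window per source before alerting
DISTINCT_DST_THRESHOLD = 10    # assumed: distinct destinations per window per source


class SynUdpCounter:
    """Keyed by source IP. feed() returns (src, packets, distinct_dsts) the first time a
    source crosses both thresholds inside the window, otherwise None."""

    def __init__(self, window=WINDOW_SECONDS, pkt_threshold=SYN_UDP_THRESHOLD,
                 dst_threshold=DISTINCT_DST_THRESHOLD):
        self.window = window
        self.pkt_threshold = pkt_threshold
        self.dst_threshold = dst_threshold
        self.events = defaultdict(deque)   # src -> deque of (timestamp, dst), oldest first
        self.alerted = set()

    def _expire(self, src, now):
        q = self.events[src]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def feed(self, ts, src, dst, proto, flags=""):
        # Only connection attempts count: TCP with SYN set and ACK clear, and any UDP datagram.
        if proto == "tcp" and not ("S" in flags and "A" not in flags):
            return None
        if proto not in ("tcp", "udp"):
            return None
        q = self.events[src]
        q.append((ts, dst))
        self._expire(src, ts)
        pkts = len(q)
        dsts = len({d for _, d in q})
        if pkts >= self.pkt_threshold and dsts >= self.dst_threshold and src not in self.alerted:
            self.alerted.add(src)
            return (src, pkts, dsts)
        return None


def parse_line(line):
    """Parse the constructed log format '<ts> <src> <dst> <proto> [<tcp flags>]'."""
    parts = line.split()
    ts, src, dst, proto = float(parts[0]), parts[1], parts[2], parts[3]
    flags = parts[4] if len(parts) > 4 else ""
    return ts, src, dst, proto, flags


def scan_log(lines, counter=None):
    """Run every record through the counter; records must be time-ordered per source."""
    counter = counter or SynUdpCounter()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = counter.feed(*parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (not a real capture). 10.0.0.50 is a normal client talking to two
# servers; 10.0.0.77 sends one SYN to each of 25 addresses in about two seconds, which is what
# a scanning worm's propagation looks like from inside a small network.
SAMPLE_LOG = (
    ["%.1f 10.0.0.50 10.0.1.4 tcp S" % (i * 0.5) for i in range(5)]
    + ["%.1f 10.0.0.50 10.0.1.5 udp" % (2.0 + i * 0.5) for i in range(5)]
    + ["%.2f 10.0.0.77 10.0.2.%d tcp S" % (3.0 + i * 0.08, i + 1) for i in range(25)]
    + ["5.0 10.0.1.4 10.0.0.50 tcp SA"]   # server's SYN-ACK reply: not a connection attempt
)

if __name__ == "__main__":
    for src, pkts, dsts in scan_log(SAMPLE_LOG):
        print("ALERT: %s sent %d SYN/UDP packets to %d distinct hosts within %ds"
              % (src, pkts, dsts, WINDOW_SECONDS))
```

The alert fires on the twentieth packet from 10.0.0.77 and is not repeated for that source; once an alert has been raised the honeypot or signature subsystem, not this counter, is the place to learn what the worm is sending. Thresholds should be set from the network's own baseline, and a worm that scans slowly enough to stay under them will not be caught by this check alone.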
     Finally, the work is summarised and directions for further research are proposed.