摘要： 通过分析网络蠕虫攻击的特点，定义了能够反映蠕虫攻击特征的失败连接流量偏离度（FCFD）的概念，并提出了一种基于FCFD时间序列分析的蠕虫早期检测方法。该方法利用小波变换对FCFD时间序列进行多尺度分析，利用高频分量模极大值进行奇异点检测，从而发现可能的蠕虫攻击。同时给出了一种基于失败连接分析的蠕虫感染主机定位和蠕虫扫描特征提取方法。实验结果显示，该方法能够有效检测未知蠕虫的攻击。和已有方法相比，该方法具有更高的检测效率和更低的误报率。

关键词: 网络蠕虫检测, 小波变换, 奇异点检测

Abstract: On the basis of analyzing the features of worm attack, the concept of failed connections flow dissimilarity (FCFD) which reflects the variation of network flow caused by worms attack is defined, and a novel approach for early detection of worms is proposed. This approach analyzes the FCFD time series with multi resolution analysis of wavelet transform, detects singularity point through the local maxima of high frequencies, so to detect possible worm attack. A method to derive the list of likely infected hosts and extract possible worm scanning features is also proposed. The experiment shows that the approach can detect possible worms attack in real-time. Compared with existing methods, this approach is more sensitive in the early stage of worm propagation, and has a lower false positive rate.

Key words: Network worm detection, Wavelet transform, Singularity detection

中图分类号: 

• TP393.08