Computer Engineering ›› 2009, Vol. 35 ›› Issue (3): 173-175. doi: 10.3969/j.issn.1000-3428.2009.03.059

• Security Technology •

A Worm Detection Algorithm for P2P Environments

王秀英1,2,邵志清1,刘百祥1   

  (1. School of Information Science and Engineering, East China University of Science and Technology, Shanghai 200237; 2. Department of Computer and Information, Shanghai Xinqiao Vocational and Technical College, Shanghai 200237)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2009-02-05 Published: 2009-02-05

Worm Detection Algorithm Under P2P Circumstances

WANG Xiu-ying1,2, SHAO Zhi-qing1, LIU Bai-xiang1   

  (1. School of Information Science and Engineering, East China University of Science and Technology, Shanghai 200237; 2. Department of Computer and Information, Shanghai Xinqiao Vocational and Technical College, Shanghai 200237)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2009-02-05 Published: 2009-02-05

Abstract: P2P downloading and network worms use similar search mechanisms, which makes network worms hard to detect and locate. This paper proposes a detection algorithm, D-ID3, that combines danger theory with the ID3 classification algorithm. Entropy theory is used to analyse the attribute characteristics of P2P applications, worms and normal hosts and to obtain the axis attributes. The ID3 classification algorithm is then used to derive classification rules that distinguish worm, P2P and normal traffic. Experimental results show that the algorithm successfully detects network worms with a low false-alarm rate.

Keywords: network worm, ID3 algorithm, danger theory, P2P traffic

Abstract: It is difficult to detect an Internet worm in a LAN because of the similarity between the probing mechanisms of P2P applications and Internet worms. This paper proposes a detection algorithm named D-ID3 that is based on danger theory and the ID3 classification algorithm. Entropy theory is used to analyze P2P applications, worms and normal hosts and to extract axis attributes. ID3 and danger theory are then applied to obtain classification rules that differentiate worm, P2P and normal traffic. Experimental results show that the algorithm detects worms and P2P traffic successfully with a low false alarm rate.

Key words: Internet worm, ID3 algorithm, danger theory, P2P traffic, entropy
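As an added illustration of the entropy-based axis-attribute selection and ID3 rule extraction the abstract describes (example code written for this page, not the paper's implementation): the per-host features fail_rate, dst_spread and port_spread, their values and the labelled records are assumptions constructed here, and the danger-theory component is not modelled.

```python
from collections import Counter
from math import log2

ATTRS = ["fail_rate", "dst_spread", "port_spread"]
# Constructed per-host records (fail_rate, dst_spread, port_spread, class);
# feature names, values and labels are assumptions for this example, not the
# paper's data set.
ROWS = [("high", "wide", "single", "worm"), ("high", "wide", "single", "worm"),
        ("high", "wide", "multi", "worm"), ("mid", "wide", "multi", "p2p"),
        ("mid", "wide", "multi", "p2p"), ("low", "wide", "multi", "p2p"),
        ("low", "narrow", "multi", "normal"), ("low", "narrow", "single", "normal"),
        ("mid", "narrow", "single", "normal")]
RECORDS = [(dict(zip(ATTRS, row[:3])), row[3]) for row in ROWS]

def entropy(records):  # Shannon entropy of the class labels
    n, counts = len(records), Counter(label for _, label in records)
    return -sum(c / n * log2(c / n) for c in counts.values())

def info_gain(records, attr):  # entropy reduction from splitting on attr
    n, remainder = len(records), 0.0
    for value in {f[attr] for f, _ in records}:
        subset = [r for r in records if r[0][attr] == value]
        remainder += len(subset) / n * entropy(subset)
    return entropy(records) - remainder

def axis_attribute(records, attrs):  # attribute with the largest gain
    return max(attrs, key=lambda a: info_gain(records, a))

def id3(records, attrs):  # tree shape: {attr: {value: subtree-or-label}}
    labels = {label for _, label in records}
    if len(labels) == 1:
        return labels.pop()
    if not attrs:  # attributes exhausted: majority label
        return Counter(label for _, label in records).most_common(1)[0][0]
    best = axis_attribute(records, attrs)
    rest = [a for a in attrs if a != best]
    return {best: {v: id3([r for r in records if r[0][best] == v], rest)
                   for v in sorted({f[best] for f, _ in records})}}

def rules(tree, path=()):  # flatten into "a=x and b=y -> label" strings
    if not isinstance(tree, dict):
        return [" and ".join(path) + " -> " + tree]
    attr, branches = next(iter(tree.items()))
    return [r for v, sub in branches.items() for r in rules(sub, path + (f"{attr}={v}",))]

def classify(tree, feats):  # unseen feature value -> "unknown", not a guess
    while isinstance(tree, dict):
        attr, branches = next(iter(tree.items()))
        tree = branches.get(feats[attr], "unknown")
    return tree
```

On these records fail_rate has the highest gain and becomes the root axis attribute; `rules(id3(RECORDS, ATTRS))` then yields five readable rules such as `fail_rate=high -> worm`.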
