摘要： P2P下载与网络蠕虫具有相似的搜索机制，导致网络蠕虫难以被检测并定位。该文提出一种融合危险理论和ID3分类算法的检测算法D-ID3。利用熵理论分析P2P应用、蠕虫、正常主机的属性特征，得到轴属性。利用ID3分类算法得到可以区分蠕虫、P2P和正常流量的分类规则。实验结果表明，该算法能成功检测出网络蠕虫，其误警率较低。

关键词: 网络蠕虫, ID3算法, 危险理论, P2P流量, 熵

Abstract: It is difficult to detect Internet worm in LAN, because of the similarity of probing mechanism between the P2P and internet worm. This paper proposes a detection algorithm names D-ID3 that is based on danger theory and ID3 classification algorithm. The entropy theory is used to analyz P2P application, worm, natural mainframe, and extract axis attributes. ID3 and danger theory are applied to get classification rules that can differentiate worm, P2P and natural traffic. Experimental results show that this algorithm can detect worm and P2P successfully with a low false alarm rate.

Key words: Internet worm, ID3 algorithm, danger theory, P2P traffic, entropy

中图分类号: 

• TP393.08