Abstract: Starting from an abstract feature common to current worms, this paper proposes a strategy for discovering unknown worms based on packet content and implements a corresponding prototype system. The implementation solves the problems of quickly counting repeated strings in packets and of incrementally maintaining multi-string matching, and compares the effect of system parameters on performance. Preliminary results from a simulated experiment are promising: the system detects worms with a high detection rate and a low false-positive rate, and processes traffic at 40Mbps. Several machines can also be deployed in parallel at backbone network nodes to detect worms.
Key words:
Unknown worm; Packet content; String matching; Network security
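The two implementation problems the abstract names, counting strings repeated across packets and extending a multi-string matcher incrementally with what is found, as an added Python sketch that is not the paper's code (its data structures are not given here). The substring length, the thresholds, the extra requirement that a string be seen from several distinct (src, dst) pairs, the trie matcher and the sample traffic are all assumptions.

```python
from collections import defaultdict

K, MIN_COUNT, MIN_SPREAD = 8, 2, 2   # substring length, packets and distinct (src, dst) pairs needed; assumed

class RepeatedStringCounter:
    """Counts each K-byte substring once per packet plus the (src, dst) pairs carrying it."""
    def __init__(self):
        self.count, self.pairs = defaultdict(int), defaultdict(set)
    def add_packet(self, src, dst, payload):
        for s in {payload[i:i + K] for i in range(len(payload) - K + 1)}:
            self.count[s] += 1
            self.pairs[s].add((src, dst))
    def suspects(self):
        return sorted(s for s in self.count
                      if self.count[s] >= MIN_COUNT and len(self.pairs[s]) >= MIN_SPREAD)

class MultiStringMatcher:
    """Byte trie of suspect strings; new patterns can be added between packets."""
    def __init__(self):
        self.root = {}
    def add(self, pattern):
        node = self.root
        for b in pattern:
            node = node.setdefault(b, {})
        node[None] = pattern                  # None marks the end of a stored pattern
    def match(self, payload):
        hits = set()
        for i in range(len(payload)):         # walk the trie from every start offset
            node = self.root
            for b in payload[i:]:
                if (node := node.get(b)) is None:
                    break
                if None in node:
                    hits.add(node[None])
        return hits

# Constructed sample traffic: two hosts push the same bytes to two destinations; one host repeats a normal request
WORM = b"\x90\x90\x90\x90PROPAGATE-PAYLOAD-XYZ"
PACKETS = [("10.0.0.1", "10.0.1.5", WORM + b" trailer"),
           ("10.0.0.2", "10.0.2.9", b"junk" + WORM),
           ("10.0.0.4", "10.0.9.9", b"GET /index.html HTTP/1.0\r\nHost: a\r\n\r\n"),
           ("10.0.0.4", "10.0.9.9", b"GET /index.html HTTP/1.0\r\nHost: a\r\n\r\n")]

def learn_and_match(packets, probe):
    counter, matcher = RepeatedStringCounter(), MultiStringMatcher()
    for src, dst, payload in packets:
        counter.add_packet(src, dst, payload)
    for s in counter.suspects():              # discovered strings feed the matcher incrementally
        matcher.add(s)
    return counter.suspects(), matcher.match(probe)
```

The repeated request from a single (src, dst) pair is counted but never becomes a suspect, while every window of the bytes shared by different hosts does and is then found again in later traffic.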
Citation: ZHANG Ji, TAN Jianlong, GUO Li. Unknown Worm Detection Based on Packet Content [J]. Computer Engineering (计算机工程), 2006, 32(8): 178-180. Original Chinese title: 基于包内容的未知蠕虫发现; authors 张吉, 谭建龙, 郭莉.