结合多态蠕虫的特点,着重考虑负载字节之间的关系,将蠕虫负载内部的近邻关系特征(NRS,neighborhood-relation signature)提取出来用于蠕虫检测.NRS建立在蠕虫负载内部相邻字节之间关系的基础上,体现了某些多态蠕虫各形态之间的共性特征,能够更灵活地对多态蠕虫进行检测.设计了NRSGA(NRS generating algorithm)算法来提取1-NRS、2-NRS和(1,2)-NRS,并分别进行了实验,以测试特征提取过程的正确性和NRS检测蠕虫的有效性.实验结果表明,与其他方法相比,NRS在检测多态蠕虫时具有更低的漏报率,能够更好地防御多态蠕虫的传播.%A class of neighborhood-relation signatures (NRS) was proposed based on neighborhood relationship between worm bytes. Because NRS embodies common characteristics of different morph of some polymorphic worms, Different patterns of polymorphic worms efficiently were detected. NRS generating algorithm (NRSGA) was designed to generate three types of signatures: 1-NRS, 2-NRS and (1,2)-NRS. Some experiments were performed to demonstrate the correctness of the process of signatures generation and the effectiveness of NRS. Experiment results show that our approach has lower false negative ratio in detecting worms, and is effective to prevent polymorphic worms from propagating.
展开▼
