DocumentCode :
477948
Title :
Mining Network Traffic for Worm Signature Extraction
Author :
Tu, Hao ; Li, Zhitang ; Liu, Bin
Author_Institution :
Network & Comput. Centre, Huazhong Univ. of Sci. & Technol., Wuhan
Volume :
4
fYear :
2008
fDate :
18-20 Oct. 2008
Firstpage :
327
Lastpage :
331
Abstract :
Recent worms increasingly threaten the availability of the Internet. It is difficult to catch the variety of 0-day worms promptly with the current signature-matching approach because most signatures are developed manually. Several recent efforts have been made to automatically extract worm signatures from Internet traffic, but efficiency remains an unsolved problem, especially in real high-speed networks. We propose a binary clustering algorithm and a leaves-preferred policy to improve the front-end traffic filter, which reduces the traffic to be processed and enhances its purity. A position-aware signature generation method based on a Bloom filter is proposed to bring better performance and more accurate signatures for content-based defense. Both trace data and tcpdump data are used to test the prototype system, and experimental results show that the system can efficiently filter suspicious traffic with high purity, amounting to no more than 25% of the entire traffic, and extract more accurate signatures, which can support popular defense systems such as Snort.
Keywords :
Internet; filtering theory; invasive software; telecommunication traffic; Internet traffic; binary clustering algorithm; bloom filter; content-based defense; current signature matching approach; front traffic filter; network traffic mining; popular defense system; position-aware signature generation method; worm signature extraction; Clustering algorithms; Data mining; High-speed networks; IP networks; Information filtering; Information filters; Internet; Prototypes; System testing; Telecommunication traffic;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Fuzzy Systems and Knowledge Discovery, 2008. FSKD '08. Fifth International Conference on
Conference_Location :
Jinan Shandong
Print_ISBN :
978-0-7695-3305-6
Type :
conf
DOI :
10.1109/FSKD.2008.434
Filename :
4666407