Академический Документы
Профессиональный Документы
Культура Документы
VDS
seak@antiy.net
Outline
The pop trend of virus in 2004
Quality of the IDS
Mechanism of the VDS
Data processing
/
3%
6%
10%
PE
2%
11%
0%
21%
1%
UNIX
0%
46%
Outline
The pop trend of virus in 2004
Quality of the IDS
Mechanism of the VDS
Data processing
20
AV Ware: Target
objects diffluence.
IDS: Protocols
diffluence.
quantity
Email worm
2807
IM-worm
172
P2P-worm
1007
IRC-worm
715
Other worm
675
total
5376
Besides worm,
there are over
20,000 kinds as the
Trojan, Backdoor,
etc related to the
network.
The corresponding
rule set may
exceed 30,000
records.
200
6000
180
5000
160
140
4000
ms
100
3000
80
2000
60
40
1000
20
0
95
00
11
00
0
12
50
0
14
00
0
15
50
0
17
00
0
18
50
0
20
00
0
21
50
0
23
00
0
80
00
65
00
50
00
35
00
50
0
20
00
2000
1900
1800
1700
1600
1500
1400
1300
1200
1100
900
1000
800
700
600
500
400
300
200
0
100
ms
120
Test by snort of the latest version, good efficiency by small set VS dramatically
downfall by large set
Efficiency pressure brought by the increasing rule sets, is the fundamental pressure
for IDS when adopting the anti-virus mechanism
The network prospective, detecting level, no small granular virus locating of IDS,
consist the reason why it fails to assume such pressure
Outline
The pop trend of virus in 2004
Quality of the IDS
Mechanism of the VDS
Data processing
How to unifiy
The network flow falls into three categories according to its content
category
example
Direct
matching
Preprocessing
Required
Specific
Algorithm
Required
script
Algorithm optimization1
5000
4500
4000
3000
2500
2000
1500
1000
500
records
24
00
22
50
21
00
19
50
18
00
16
50
15
00
13
50
12
00
10
50
90
00
75
00
60
00
45
00
30
00
0
0
15
00
durtation(ms)
3500
Algorithm optimization 2
Scan speed is also
related to the
quality of patterns.
Because of the
5000
approximation
4000
between the virus
3000
characteristic, can
2000
not present the
characteristic of the
1000
random distribution.
0
And so does the
network data. So
they all make
records
effect to the
Scan methods and objects influence on the datamatching situation.
24000
22500
21000
19500
18000
16500
15000
13500
12000
10500
9000
7500
6000
4500
3000
1500
duration (ms)
Algorithm optimization 3
speed(k b/s)
1200
1000
original
800
improved
600
400
200
29000
27500
26000
24500
23000
21500
20000
18500
17000
15500
14000
12500
11000
9500
8000
6500
5000
3500
2000
500
records
Architecture of VDS
System structure
Data efficiency
Outline
The pop trend of virus in 2004
Quality of the IDS
Mechanism of the VDS
Data processing
Event Processing ( 1 )
DEDLDetection
Events Description
Language.
By using the symbol
description mode,
defined the network
event into a format
criterion, and support
the ability of common
condition- deriving.
Defined elements:
event typeevent ID
source IPtarget IP
event time such more
than 20 key elements.
Processing methods
Tech-based Internal
combine
Parallel-type combine
Analysis-based Parallel
combine
Radiant-type combine
Convergence-type
combine
Chain-type combine
Event Processing ( 2 )
If existNet_Action(RPC_Exploit)[IP(1)->IP(2);time(1)]
Net_Action(RPC_Exploit) [IP(2)->IP(3) ;time(2)]
and
time(2)>time(1)
than
Net_Action(RPC_Exploit) [IP(1)-> IP(2) -> IP(3)]
Behavior Classify
DEDL events
Net_Action(act)[IP(1),IP(2):445; ;time(1)]
Net_Action(act)[IP(1),IP(3):445; ;time(1)]
.
Net_Action(act)[IP(1),IP(12):445; ;time(1)]
Net_Action(Trans,Worm.Win32.Dvldr)[IP(1)->IP(12);time(1)]
I-Worm.Mabutu.a
I-Worm.LovGate.w
I-Worm.LovGate.f
I-Worm.LovGate.x
I-Worm.Runouce.b
I-Worm.Klez.h
I-Worm.Mydoom.e
I-Worm.Rays
I-Worm.LovGate.ag
I-Worm.LovGate.ad
I-Worm.NetSky.q
I-Worm.NetSky.c
I-Worm.LovGate.w
I-Worm.NetSky.d
I-Worm.Mydoom.m
I-Worm.LovGate.ag
I-Worm.NetSky.aa
I-Worm.NetSky.ac
I-Worm.NetSky.t
I-Worm.LovGate.ad
Reflections
Monitor the network virus has been
explored academically and
productively, it has extended to be a
new technology in its direction.
The way made up of attack and
defense is from the world of certain
to the world of freedom. we are
on the road.
Thank
You !