Title: A hybrid algorithm for detecting computer worms
Author: Ying-Yu Chen
Chi-Chun Lo
Information Management Program, College of Management
Keywords: Computer worms; negative list ("Negative form"); positive list ("Positive form"); parallel comparison ("Parallel ratio method"); decision tree model; WMI
Date of issue: 2007
Abstract (translated from the Chinese original): In recent years the number of computer viruses spreading over computer networks has increased sharply. In the broad sense, a computer virus is any computer program that can infect, replicate, damage, or interfere with the normal operation of a computer. Early computer viruses could only spread through the exchange of files, and an infected computer usually suffered some degree of damage, for example failure to boot, corrupted files, error messages, or consumption of system resources. They can be classified as boot viruses, Windows viruses, Java/ActiveX viruses, script viruses, and macro viruses.

Unlike these early viruses, the computer viruses prevalent in recent years use more advanced infection techniques to infect other computers over the network. They take the form of computer worms, Trojan horse programs, PE-type (portable executable) programs, spyware, and backdoor programs, and compared with the early viruses their impact on and threat to computer security have grown sharply.

Because the anti-virus software in common use today still has a delay between generating a virus signature, deploying the update, and fully removing a worm, this thesis starts from the origins, characteristics, propagation and infection paths, impact and threats, and countermeasures of computer viruses, then focuses on computer worms, the type with the strongest infection capability and the fastest spread. It detects and analyses them with a "hybrid detection algorithm" that combines a negative list (blacklist) matched in parallel with a positive list (whitelist) and a decision tree model.

With this hybrid detection algorithm, abnormal system conditions can be detected quickly, the characteristics of a worm can be defined quickly during analysis, and from those characteristics a simple utility program can be generated to help network administrators remove the worm quickly. This greatly shortens the time spent waiting for a signature update and raises the operating system's level of protection.
Abstract (author's English version): In recent years the number of computer viruses spreading over networks has increased rapidly. In general, computer viruses include all computer programs with the ability to infect, replicate, damage, or interfere with a computer's operation. Earlier computer viruses depended on file exchange to spread, and an infected computer usually suffered some degree of damage, for example: failure to boot, file damage, error messages, or excessive consumption of system resources. They can be divided into these types: "Boot Viruses", "Windows Viruses", "Java/ActiveX Viruses", "Script Viruses", and "Macro Viruses".
Unlike traditional computer viruses, more recent computer viruses infect other computers over the network using advanced infection techniques. They can be divided into "PE programs", "Trojan Horse Programs", "Spyware", "Computer Worms", and "Backdoor Programs". Compared with earlier computer viruses, the influence and threat these types pose to computer security are increasing rapidly.
With the anti-virus software in widespread use today, the process of building a virus pattern, deploying it to computers, and cleaning the virus still involves a time lag. This thesis begins by studying the causes, characteristics, means of spread and infection, influence, threats, and solutions for computer viruses, then focuses on computer worms, which have the strongest infection capability and spread fastest. It detects and analyses computer worms with a "Hybrid Algorithm" that combines a "Negative form list" and the "Parallel ratio method" with a "Positive form list" and a "Decision tree model".

With the "Hybrid Algorithm", system abnormalities can be detected quickly; during analysis the method can also define the characteristics of the computer worm and produce a simple tool that helps the network administrator clean the worm in a short time, reducing the time spent waiting for an anti-virus pattern update and raising the protection capability of the operating system.
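To make the structure of the hybrid algorithm described in both abstracts concrete, the following is an added example; it is not the thesis's own code, and the page does not give the thesis's feature set, list contents, or tool. It classifies a snapshot of running processes of the kind WMI's Win32_Process exposes: a negative list (blacklist) is checked first, then a positive list (whitelist), and anything on neither list goes through a hand-written decision tree. The "parallel comparison" step is interpreted as classifying all processes concurrently. The process fields beyond name and path, the list entries, the writable-directory set, the decision-tree rules and the CPU threshold are all assumptions, and the sample snapshot is constructed.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


# Snapshot of one running process. `name` and `path` mirror WMI's
# Win32_Process.Name / ExecutablePath; the remaining fields are assumed to be
# gathered from other sources (netstat, Run keys, performance counters).
@dataclass(frozen=True)
class ProcessInfo:
    name: str
    path: str
    listening_ports: tuple
    autostart: bool
    cpu_percent: float


# Negative list: characteristics of known worms (constructed, hypothetical
# entries). Each entry is an AND of the fields it names.
NEGATIVE_LIST = [
    {"name": "sample-worm-a.exe"},
    {"path_prefix": "c:\\windows\\temp\\", "port": 4444},
]

# Positive list: full paths of known-good executables (constructed sample).
POSITIVE_LIST = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\explorer.exe",
}

# Directories a dropper or an unprivileged user can write to (assumed list).
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")


def matches_entry(proc: ProcessInfo, entry: dict) -> bool:
    """True if every field named in a negative-list entry matches the process."""
    if "name" in entry and proc.name.lower() != entry["name"]:
        return False
    if "path_prefix" in entry and not proc.path.lower().startswith(entry["path_prefix"]):
        return False
    if "port" in entry and entry["port"] not in proc.listening_ports:
        return False
    return True


def decision_tree(proc: ProcessInfo) -> str:
    """Hand-written decision tree for processes on neither list.

    Branch order and the 50% CPU threshold are illustrative assumptions; a
    real model would be trained on labelled samples.
    """
    writable = proc.path.lower().startswith(USER_WRITABLE)
    if proc.listening_ports:                      # exposes a network service
        if writable:                              # ... from a drop location
            return "suspect"
        if proc.autostart and proc.cpu_percent > 50.0:
            return "suspect"                      # persistent and busy
        return "unknown"
    if writable and proc.autostart:               # persistence from a drop location
        return "suspect"
    return "unknown"


def classify(proc: ProcessInfo) -> str:
    """Hybrid decision: negative list, then positive list, then the tree."""
    if any(matches_entry(proc, entry) for entry in NEGATIVE_LIST):
        return "worm"
    if proc.path.lower() in POSITIVE_LIST:
        return "benign"
    return decision_tree(proc)


def scan(processes) -> dict:
    """Classify all processes concurrently (the parallel-comparison step)."""
    with ThreadPoolExecutor() as pool:
        verdicts = list(pool.map(classify, processes))
    return {p.name: v for p, v in zip(processes, verdicts)}


# Constructed sample snapshot, shaped like a Win32_Process query result.
SAMPLE = [
    ProcessInfo("svchost.exe", r"C:\Windows\System32\svchost.exe", (135,), True, 2.0),
    ProcessInfo("sample-worm-a.exe", r"C:\Users\bob\sample-worm-a.exe", (), True, 90.0),
    ProcessInfo("x.exe", r"C:\Windows\Temp\x.exe", (4444,), False, 10.0),
    ProcessInfo("upd.exe", r"C:\Users\bob\AppData\Local\Temp\upd.exe", (9999,), True, 80.0),
    ProcessInfo("app.exe", r"C:\Program Files\App\app.exe", (), True, 1.0),
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE).items():
        print(f"{name:20s} {verdict}")
```

Processes classified "worm" are what the abstract's cleanup tool would act on (kill the process, delete the file, remove the autostart entry); "suspect" verdicts from the tree are the cases where an operator would still define the worm's characteristics by hand before adding a new negative-list entry.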
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009164505
http://hdl.handle.net/11536/62546
Appears in collections: Thesis