Journal of Computer Applications (计算机应用), 2013, Vol. 33, Issue 12: 3494-3498.

• Information Security •

Polymorphic Worm Signature Extraction Based on an Improved Ant Colony Algorithm

HUANG Hui, GUO Fan, XU Shufang

  1. College of Computer Information Engineering, Jiangxi Normal University, Nanchang 330022, China
  • Received: 2013-06-18; Revised: 2013-08-16; Published in print: 2013-12-01; Published online: 2013-12-31
  • Corresponding author: HUANG Hui
  • About the authors: HUANG Hui (born 1985), male, from Nanchang, Jiangxi; master's student; research interests: information security, software architecture.
    GUO Fan (born 1977), male, from Yudu, Jiangxi; associate professor, PhD; research interests: information security, software architecture.
    XU Shufang (born 1989), female, from Nanchang, Jiangxi; master's student; research interests: information security, software architecture.
  • Funding:
    Natural Science Foundation of Jiangxi Province

Polymorphic worm signature extraction based on an improved ant colony algorithm

HUANG Hui,GUO Fan,XU Shufang   

  1. College of Computer Information Engineering, Jiangxi Normal University, Nanchang Jiangxi 330022, China
  • Received: 2013-06-18; Revised: 2013-08-16; Online: 2013-12-31; Published: 2013-12-01
  • Contact: HUANG Hui
  • Supported by:
    Natural Science Fund of Jiangxi Province

Abstract (translated): Signature extraction for polymorphic worms is a hard problem in signature-based intrusion detection, and extracting more precise polymorphic worm signatures quickly plays an important part in containing the rapid spread of worms. To address the low time efficiency of the Hierarchical Multi-Sequence Alignment (HMSA) algorithm when aligning multiple sequences, and the limited precision of the signatures its iterative method produces, this paper proposes antMSA, a polymorphic worm signature extraction method based on an improved ant colony algorithm. The method first improves the search strategy of the ant colony, then introduces the improved ant colony algorithm into the Contiguous Matches Encouraging Needleman-Wunsch (CMENW) alignment algorithm, using the rapid convergence of the ant colony algorithm to produce good solutions quickly over the whole search space and to extract the signature fragments of the polymorphic worm. These fragments are then converted into standard intrusion detection system (IDS) rules for subsequent defence. Experiments show that the improved ant colony algorithm largely overcomes the stagnation of the basic ant colony algorithm, enlarges the search space, effectively improves the efficiency and quality of signature extraction, and lowers the false positive rate.

Keywords (translated): ant colony algorithm, sequence alignment, signature extraction, intrusion detection, polymorphic worm

Abstract: Polymorphic worm signature extraction is a critical part of signature-based intrusion detection, and extracting precise signatures quickly plays an important role in preventing the spread of worms. The classical Hierarchical Multi-Sequence Alignment (HMSA) algorithm has poor time performance when multiple sequence alignment is used to extract signatures, and the signatures it extracts are not precise enough. To address this, a new automatic signature extraction method called antMSA is proposed, based on an improved ant colony algorithm. The search strategy of the ant colony is improved, and the improved algorithm is then introduced into the Contiguous Matches Encouraging Needleman-Wunsch (CMENW) algorithm, using the rapid convergence of the ant colony algorithm to obtain a good solution quickly over the whole search space. The extracted signature fragments are converted into standard intrusion detection system rules for subsequent defense. The experimental results show that the new method overcomes the stagnation problem of the classical ant colony algorithm, extends the search space, extracts signatures more efficiently and precisely, and reduces both the false positive rate and the false negative rate.
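The pipeline the abstract describes, as an added worked example that is not the authors' antMSA code: a Needleman-Wunsch alignment with a bonus for contiguous matches (the CMENW idea) is run over constructed polymorphic payload samples, the contiguous matched runs become signature fragments, the fragments are written out as a Snort-style rule, and the fragments are checked against constructed benign flows. The score weights, the pairwise-alignment-then-filter substitute for multi-sequence alignment, the payloads, the benign flows and the Snort rule header are all assumptions; the paper's ant colony search is not reproduced, since for a single pair of sequences the dynamic program returns the exact optimum directly.

```python
"""Added illustration for this page, not the authors' antMSA code. Assumed: the
weights, the pairwise-then-filter stand-in for MSA, and all constructed data."""
MATCH, MISMATCH, GAP, CONTIG_BONUS = 2, -1, -2, 1  # assumed weights
NEG = float("-inf")


def cmenw_align(a: bytes, b: bytes) -> list:
    """Needleman-Wunsch, except a match directly after another match also earns
    CONTIG_BONUS.  Returns index pairs in order; None marks a gap on that side."""
    n, m = len(a), len(b)
    H = [[NEG] * (m + 1) for _ in range(n + 1)]  # best score for a[:i], b[:j]
    M = [[NEG] * (m + 1) for _ in range(n + 1)]  # same, given (i, j) is a match
    hp = [[""] * (m + 1) for _ in range(n + 1)]  # traceback pointers for H
    mp = [[""] * (m + 1) for _ in range(n + 1)]  # traceback pointers for M
    for i in range(n + 1):
        H[i][0], hp[i][0] = i * GAP, "U"
    for j in range(m + 1):
        H[0][j], hp[0][j] = j * GAP, "L"
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            if a[i - 1] == b[j - 1]:
                fresh = H[i - 1][j - 1] + MATCH                   # run starts
                chained = M[i - 1][j - 1] + MATCH + CONTIG_BONUS  # run goes on
                M[i][j], mp[i][j] = max((fresh, "H"), (chained, "M"))
                cands = [(M[i][j], "M")]
            else:
                cands = [(H[i - 1][j - 1] + MISMATCH, "X")]
            cands += [(H[i - 1][j] + GAP, "U"), (H[i][j - 1] + GAP, "L")]
            H[i][j], hp[i][j] = max(cands)
    pairs, i, j, state = [], n, m, "H"
    while i > 0 or j > 0:
        if state == "H" and hp[i][j] == "M":
            state = "M"                       # step into the run ending here
        elif state == "M" or hp[i][j] == "X":
            pairs.append((i - 1, j - 1))
            state, i, j = (mp[i][j] if state == "M" else "H"), i - 1, j - 1
        elif hp[i][j] == "U":                 # gap in b: consume a[i-1]
            pairs.append((i - 1, None))
            i -= 1
        else:                                 # gap in a: consume b[j-1]
            pairs.append((None, j - 1))
            j -= 1
    return pairs[::-1]


def matched_runs(a: bytes, b: bytes, min_len: int = 4) -> list:
    """Contiguous matched runs of the alignment, in order, >= min_len bytes."""
    runs, cur = [], bytearray()
    for i, j in cmenw_align(a, b) + [(None, None)]:  # sentinel flushes last run
        if i is not None and j is not None and a[i] == b[j]:
            cur.append(a[i])
            continue
        if len(cur) >= min_len:
            runs.append(bytes(cur))
        cur = bytearray()
    return runs


def extract_signature(samples: list, min_len: int = 4) -> list:
    """Runs shared by the first two samples that every further sample contains."""
    frags = matched_runs(samples[0], samples[1], min_len)
    for s in samples[2:]:
        frags = [f for f in frags if f in s]
    return frags


def to_snort_rule(frags: list, sid: int) -> str:
    """Ordered hex content matches; distance:0 enforces order, allows padding."""
    body = " distance:0; ".join('content:"|%s|";' % f.hex(" ") for f in frags)
    return ('alert tcp any any -> any 80 (msg:"extracted polymorphic worm"; '
            "%s sid:%d; rev:1;)" % (body, sid))


def matches_in_order(frags: list, flow: bytes) -> bool:
    """What the rule checks: every fragment present, in signature order."""
    pos = 0
    for f in frags:
        pos = flow.find(f, pos)
        if pos < 0:
            return False
        pos += len(f)
    return True


# Constructed samples: three invariants separated by per-instance padding.
RET_ADDR, DECODER = b"\x7f\xff\xa1\x08", b"\xeb\x0c\x5e\x31\xc9"
WORM_SAMPLES = [
    b"GET /index.asp?id=1A" + RET_ADDR + b"\x90" * 4 + DECODER + b"\x41\x22\x07",
    b"GET /index.php?q=" + RET_ADDR + b"\x42" * 6 + DECODER + b"\x9c\x11",
    b"GET /index.html?x=CC" + RET_ADDR + b"\x43\x43" + DECODER + b"\x03",
]
BENIGN_FLOWS = [  # constructed; the first shares the request prefix
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /login HTTP/1.1\r\nContent-Length: 9\r\n\r\nuser=bob1",
]

if __name__ == "__main__":
    sig = extract_signature(WORM_SAMPLES)
    print([f.hex() for f in sig], to_snort_rule(sig, 1000001), sep="\n")
```

Running the block prints the three fragments (request prefix, return address, decoder stub) and the rule built from them. The first benign flow contains the request prefix fragment on its own, so a signature built from that fragment alone would fire on ordinary traffic; the rule requires every fragment in order, which is why `matches_in_order` rejects both benign flows while accepting all three worm samples.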

Key words: Ant Colony Algorithm (ACA), sequence alignment, signature extraction, intrusion detection, polymorphic worm
