The detection system consists of a network flow acquisition unit deployed on each terminal in the network and a network worm analytic unit installed on a server. The acquisition unit collects the traffic entering and leaving its terminal in real time; after taking a snapshot and normalising the data, it forwards the result to the analytic unit. On request from the analytic unit, the acquisition unit also delivers a suspicious attack sample together with basic status information about the terminal. The analytic unit performs statistics and analysis on the flow data supplied by the acquisition units and, by comparing the measured flow against a threshold, determines whether a terminal may be under worm attack or may have become an attack source. Based on that preliminary result, it interacts with the acquisition unit, requests the sample and status information, and performs query and matching operations on them to reach a final determination; an alarm is raised at the same time.
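The two-stage interaction described above (flow threshold first, then sample request and signature matching) can be illustrated with the following added example. It is not code from the patent or any product; the threshold values, the worm signature bytes, the terminal names and the sample flows are all constructed for the illustration. The acquisition unit snapshots its flows into per-direction, per-port counts; the analytic unit flags a terminal as a possible attack source when it contacts too many distinct hosts on one port, or as a possible victim when too many inbound flows hit one port, then requests a sample and matches it against known signatures, raising an alarm either way (confirmed when a signature matches, unconfirmed otherwise).

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed, hypothetical worm signatures used in the matching step.
KNOWN_WORM_SIGNATURES = {
    "example-smb-worm": b"\x90\x90\x90\x90JUMPCODE",
    "example-http-worm": b"GET /cmd.exe?/c+tftp",
}


@dataclass
class FlowRecord:
    terminal: str
    direction: str        # "in" or "out", relative to the terminal
    peer: str             # remote IP address
    port: int             # remote port for "out", local port for "in"
    nbytes: int
    payload: bytes = b""  # first bytes of the flow, kept for sample delivery


@dataclass
class AcquisitionUnit:
    """Runs on one terminal: collects flows in real time and answers the server's requests."""
    terminal: str
    flows: list = field(default_factory=list)

    def capture(self, rec: FlowRecord) -> None:
        self.flows.append(rec)

    def snapshot(self) -> dict:
        """Normalised summary sent to the analytic unit: per (direction, port) counts only, no payloads."""
        stats = defaultdict(lambda: {"peers": set(), "flows": 0, "bytes": 0})
        for f in self.flows:
            s = stats[(f.direction, f.port)]
            s["peers"].add(f.peer)
            s["flows"] += 1
            s["bytes"] += f.nbytes
        return {
            "terminal": self.terminal,
            "ports": {k: {"peers": len(v["peers"]), "flows": v["flows"], "bytes": v["bytes"]}
                      for k, v in stats.items()},
        }

    def deliver_sample(self, direction: str, port: int) -> dict:
        """On request: the largest payload seen on that direction/port plus basic terminal status."""
        cands = [f for f in self.flows if f.direction == direction and f.port == port and f.payload]
        sample = max(cands, key=lambda f: len(f.payload)).payload if cands else b""
        return {"sample": sample, "status": {"flows_seen": len(self.flows)}}


@dataclass
class AnalyticUnit:
    """Runs on the server: applies flow thresholds, then confirms by requesting and matching a sample."""
    max_out_peers: int = 20   # distinct hosts one terminal may contact on a single port (assumed value)
    max_in_flows: int = 50    # inbound flows on a single port before the terminal looks targeted (assumed)
    alarms: list = field(default_factory=list)

    def assess(self, unit: AcquisitionUnit) -> list:
        snap = unit.snapshot()
        suspects = []
        for (direction, port), s in snap["ports"].items():
            if direction == "out" and s["peers"] > self.max_out_peers:
                suspects.append(("possible_source", direction, port))
            elif direction == "in" and s["flows"] > self.max_in_flows:
                suspects.append(("possible_victim", direction, port))
        results = []
        for role, direction, port in suspects:
            # Second stage: ask the terminal for the suspicious sample and match it.
            reply = unit.deliver_sample(direction, port)
            matched = [name for name, sig in KNOWN_WORM_SIGNATURES.items() if sig in reply["sample"]]
            alarm = {"terminal": snap["terminal"], "role": role, "port": port,
                     "worm": matched[0] if matched else None,   # None = alarm raised but not confirmed
                     "status": reply["status"]}
            self.alarms.append(alarm)
            results.append(alarm)
        return results


def build_demo_units():
    """Constructed traffic: a scanning host, a host being hammered on one port, and a quiet host."""
    scanner = AcquisitionUnit("host-a")
    for i in range(1, 41):   # 40 distinct peers on port 445 exceeds max_out_peers
        scanner.capture(FlowRecord("host-a", "out", f"10.0.1.{i}", 445, 1200,
                                   b"\x00SMB" + KNOWN_WORM_SIGNATURES["example-smb-worm"]))
    target = AuquisitionPlaceholder = AcquisitionUnit("host-c")
    for i in range(60):      # 60 inbound flows on port 445 exceeds max_in_flows, no payload captured
        target.capture(FlowRecord("host-c", "in", "10.0.2.9", 445, 300))
    normal = AcquisitionUnit("host-b")
    for _ in range(5):
        normal.capture(FlowRecord("host-b", "out", "93.184.216.34", 443, 4000))
    return scanner, target, normal


if __name__ == "__main__":
    server = AnalyticUnit()
    for unit in build_demo_units():
        print(unit.terminal, server.assess(unit))
```

Only counts cross the wire in the first stage; payloads leave the terminal only after the analytic unit has asked for them, which keeps the per-terminal data path light and limits what the server stores. The threshold stage alone would mis-flag a legitimate scanner or a busy file server, which is why the alarm carries a `worm` field distinguishing a signature-confirmed detection from a threshold-only one.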