
The Research Of Firewall Detection Technology For Internal Host Scanning Attacks

Posted on: 2017-06-22
Degree: Master
Type: Thesis
Country: China
Candidate: X Tong
GTID: 2348330518970778
Subject: Software engineering

Abstract/Summary:
In recent years, the network has come to occupy a very important position in people's lives. For network security, the firewall plays an indispensable role, and scanning attack detection is one of its core functions. As network scanning attack methods become more and more diversified, traditional port scan detection technology can no longer meet requirements: it cannot detect port scanning behavior correctly and efficiently. It has therefore become especially important to improve the accuracy and reduce the false drop rate of port scan detection. This paper optimizes the detection algorithms from two aspects, one based on data packets and one based on traffic flows.

1) The first optimization is packet-based. At present, the TRW algorithm is the typical packet-based algorithm. It detects port scanning only at the level of the whole network and works on host IP addresses, without analyzing the ports of each host in depth. To better analyze the conditions of the source host and the destination host when port scanning occurs, this paper puts forward an improved algorithm based on the former studies. The improved algorithm examines IP addresses and ports at the same time, and we test whether its detection rate improves and whether its error detection rate is lower. Experiments show that the detection rate increases while the error detection rate is reduced, so the usability of the optimized algorithm is further improved.

2) The second optimization is flow-based. At present, the TAPS algorithm performs best among flow-based port scan detection methods. Researchers who applied this algorithm to detect port scanning behavior found that most of the hosts incorrectly flagged as scanners are web servers. This paper therefore proposes an optimized TAPS algorithm that reduces the error detection rate for web servers by combining TAPS with a method for detecting web servers. Experiments show that by first applying the TAPS algorithm to detect scanning behavior and then identifying web servers among the IP addresses it flagged, the web servers can be filtered out and the error detection rate decreases.
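The sequential hypothesis test behind the TRW algorithm named in the abstract, as an added example that is not code from the thesis. The parameter values are assumptions taken from the original TRW paper, the function and event layout are this example's own, and the `per_port` mode is a hypothetical illustration of considering ports alongside addresses, not the thesis's improved algorithm.

```python
import math
from collections import defaultdict

# Assumed parameters (values from the original TRW paper by Jung et al.);
# the abstract states none.
THETA0, THETA1 = 0.8, 0.2      # P(first contact succeeds | benign / scanner)
ALPHA, BETA = 0.01, 0.99       # max false-positive rate, min detection rate
UPPER = math.log(BETA / ALPHA)              # declare scanner at or above this
LOWER = math.log((1 - BETA) / (1 - ALPHA))  # declare benign at or below this
STEP_OK = math.log(THETA1 / THETA0)         # log-likelihood step on success
STEP_FAIL = math.log((1 - THETA1) / (1 - THETA0))  # step on failure


def trw(events, per_port=False):
    """Run the sequential test per source over (src, dst_ip, dst_port, ok).

    Only the first contact with each destination counts. per_port=False keys
    destinations by IP (classic TRW); per_port=True keys them by (IP, port),
    a hypothetical variant that also sees scans of many ports on one host.
    """
    seen = defaultdict(set)
    score = defaultdict(float)
    verdict = {}
    for src, dst_ip, dst_port, ok in events:
        dst = (dst_ip, dst_port) if per_port else dst_ip
        if src in verdict or dst in seen[src]:
            continue  # already decided, or not a first contact
        seen[src].add(dst)
        score[src] += STEP_OK if ok else STEP_FAIL
        if score[src] >= UPPER:
            verdict[src] = "scanner"
        elif score[src] <= LOWER:
            verdict[src] = "benign"
    return {src: verdict.get(src, "pending") for src in seen}


# Constructed sample events: (source, destination IP, destination port, ok)
EVENTS = (
    [("10.0.0.5", f"10.0.1.{i}", 22, False) for i in range(1, 6)]   # many hosts
    + [("10.0.0.7", "10.0.1.9", p, False) for p in (21, 23, 25, 110, 143)]
    + [("10.0.0.8", f"10.0.1.{i}", 443, True) for i in range(1, 6)]  # client
)

if __name__ == "__main__":
    print(trw(EVENTS))                 # IP-keyed: 10.0.0.7 stays pending
    print(trw(EVENTS, per_port=True))  # (IP, port)-keyed: 10.0.0.7 is flagged
```

With these thresholds, four consecutive failed first contacts cross the scanner threshold and four consecutive successes cross the benign one.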
Keywords/Search Tags: scanning attack, port scan detection, hypothesis testing, visualization