Research Of Scanning Behavior On Internet

Posted on: 2019-03-06
Degree: Master
Type: Thesis
Country: China
Candidate: L Wang
GTID: 2428330596460880
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid popularization and development of the Internet, vulnerabilities in network services have multiplied, and network security faces unprecedented challenges. In the basic client/server (C/S) model of the Internet architecture, the server responds to all client requests in an open environment, which makes intrusion possible, and scanning is the basis of intrusion behavior. Studying Internet scanning behavior therefore helps to grasp attack trends on the Internet, identify the precursors of serious attacks, and strengthen the prevention of cyber attacks. In addition, many organizations, such as cyberspace search engines, scan the Internet regularly. When scanning traffic is analyzed, the non-malicious scanning traffic from these organizations needs to be taken into account.

The research in this paper is aimed at the detection and analysis of scanning behavior on the Internet. The paper first discusses the principle and definition of scanning, and classifies scanning by scanning technique and by target range. The paper focuses on TCP horizontal scanning because it is the most common scanning behavior at present. In terms of the technical route, measured data is selected as the research object, specifically IBR traffic on the network boundary and traffic on a server host. Three data sources, IBR traffic, IP flow records and host measured traffic, are used for the scanning detection methods.

For scanning detection based on IBR traffic, the paper first builds NJNET_IBR, a system that acquires real-time IBR traffic at the network boundary of the Nanjing master node of CERNET. Based on the characteristics of IBR traffic, the paper then gives rules for filtering scanning traffic out of IBR traffic. On this basis, it proposes a scanning detection algorithm that detects horizontal TCP scanning using the IBR traffic provided by the NJNET_IBR system. The paper analyzes four measures of the obtained IBR traffic: the daily proportion of scanning traffic, the daily proportion of horizontal scanning traffic, the daily horizontal scanning traffic per port, and the daily number of horizontally scanning hosts per port. The results show that TCP scanning traffic is an important part of IBR traffic, and that scanning on the Internet widely uses the TCP horizontal scanning method.

For the analysis of scanning in IBR traffic, the paper proposes a whitelist-based method for filtering non-malicious scanning traffic, and successfully obtains some of the scanning host addresses of the ShadowServer organization. Using the whitelist built from these addresses, horizontal scanning traffic from that organization was obtained and analyzed.

Based on the analysis of popular scanning ports in IBR traffic, the paper improves a scanning detection system that uses flow records as its data source. The improvements include dynamic adjustment of the detection ports. The measured results show that the improved system supports dynamic detection of scanning behavior on the currently popular ports.

For scanning detection based on host measured traffic, the paper exploits the difference in the TCP state transition process between TCP SYN scanning and normal TCP interaction in server traffic: a finite state automaton is designed to analyze the state transitions of each TCP connection and then make a scanning decision. Based on this idea, a scanning detection algorithm is designed that filters TCP SYN scanning traffic from the packets received by the server while tracking and analyzing the follow-up behavior of the scan.
Keywords/Search Tags:Scanning Detection, IBR, Scanning Behavior Analysis
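
The host-traffic idea in the abstract, a finite state automaton that follows each TCP connection's state transitions on the server and then decides whether it was a scan, can be sketched as follows. This is an added example, not code from the thesis: the state names, the transition table, the verdict rules and the sample trace are assumptions constructed for illustration.

```python
# Added example; states, transitions and verdicts are assumptions, not the
# automaton defined in the thesis.
# Packet = (client_ip, client_port, server_port, direction, flags)
# direction: "in" = client to server, "out" = server to client
# flags: S=SYN, A=ACK, R=RST, P=PSH (e.g. "SA" is SYN/ACK)
TRANSITIONS = {
    ("LISTEN", "in", "S"): "SYN_RCVD",
    ("SYN_RCVD", "in", "S"): "SYN_RCVD",          # retransmitted SYN
    ("SYN_RCVD", "out", "SA"): "SYNACK_SENT",     # port is open
    ("SYN_RCVD", "out", "RA"): "REFUSED",         # port is closed
    ("SYNACK_SENT", "out", "SA"): "SYNACK_SENT",  # retransmitted SYN/ACK
    ("SYNACK_SENT", "in", "A"): "ESTABLISHED",    # handshake completed
    ("SYNACK_SENT", "in", "R"): "ABORTED",        # half-open probe torn down
}

# Final state -> verdict. A connection still in SYNACK_SENT when the trace
# ends never completed its handshake, so it is treated as a SYN probe.
VERDICTS = {"ESTABLISHED": "normal", "ABORTED": "scan", "SYNACK_SENT": "scan"}


def classify(packets):
    """Replay a server-side trace and return {connection: verdict}."""
    state = {}
    for ip, sport, dport, direction, flags in packets:
        conn = (ip, sport, dport)
        current = state.get(conn, "LISTEN")
        # Packets with no matching transition leave the state unchanged.
        state[conn] = TRANSITIONS.get((current, direction, flags), current)
    return {conn: VERDICTS.get(s, "undecided") for conn, s in state.items()}


def scanning_hosts(packets):
    """Source addresses with at least one connection judged a SYN scan."""
    return {conn[0] for conn, v in classify(packets).items() if v == "scan"}


# Constructed sample trace (documentation address ranges only).
SAMPLE = [
    ("198.51.100.7", 40001, 80, "in", "S"),     # normal client
    ("198.51.100.7", 40001, 80, "out", "SA"),
    ("198.51.100.7", 40001, 80, "in", "A"),
    ("198.51.100.7", 40001, 80, "in", "PA"),
    ("203.0.113.9", 51000, 22, "in", "S"),      # SYN, SYN/ACK, then RST
    ("203.0.113.9", 51000, 22, "out", "SA"),
    ("203.0.113.9", 51000, 22, "in", "R"),
    ("203.0.113.9", 51001, 443, "in", "S"),     # SYN/ACK never answered
    ("203.0.113.9", 51001, 443, "out", "SA"),
    ("198.51.100.8", 40500, 8080, "in", "S"),   # closed port, single attempt
    ("198.51.100.8", 40500, 8080, "out", "RA"),
]

if __name__ == "__main__":
    for conn, verdict in classify(SAMPLE).items():
        print(conn, verdict)
```

A production detector would expire connections with a timer instead of waiting for the end of the trace, and would combine per-connection verdicts per source before alerting.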