Analysis Of Internet Scanning Behavior Based On IBR Traffic

Posted on: 2022-03-09
Degree: Master
Type: Thesis
Country: China
Candidate: Q Y Wu
GTID: 2518306740494314
Subject: Cyberspace security

Abstract/Summary:
Scanning is a common phenomenon on the Internet, and its main purpose is to find services and vulnerabilities. With the large-scale development of new applications such as artificial intelligence, cloud computing, big data, the Internet of Things and the industrial Internet, network vulnerabilities and risks are also increasing. The appearance of new vulnerabilities or the disappearance of old ones changes the scanning behavior seen on the corresponding ports. Detecting and analyzing the scanning behavior of ports on the Internet therefore helps in observing the network security situation.

Existing research has shown that IBR (Internet Background Radiation) traffic can be used as a data source for studying scanning traffic. This thesis therefore first builds an IBR traffic collection and analysis system called NJNET-IBR. The system is based on an algorithm that acquires inactive address space at the network boundary. It collects and cyclically saves the IBR traffic flowing into the network boundary of the CERNET (China Education and Research Network) Nanjing master node, which serves as the data source for the rest of the thesis. The system also computes statistical measurements over the cyclically stored IBR traffic and stores the results in a database.

The scanning behavior analysis begins with a statistical analysis of port scanning behavior. The results include:

1) TCP port scanning behavior is relatively scattered, while UDP port scanning behavior is more concentrated. All popular TCP and UDP scanned ports are associated with vulnerabilities or services.
2) Port 23, which corresponds to the traditional Telnet service, has always been the most popular scanned port, but the number of scanning packets on this port in 2020 was significantly lower than in 2019.
3) TCP ports 445, 37215 and 5038, which were popular scanned ports in 2019, are no longer popular scanned ports in 2020.
4) In 2020, the number of scanning packets on the popular UDP scanned port 53413 dropped by 84% compared to 2019.
5) The number of scanning packets on UDP ports with amplification vulnerabilities, such as port 123 and port 1900, increased significantly in 2020.
6) Port 5683 and port 1194 have become new popular UDP scanned ports, which may be caused by the development of new applications such as the Internet of Things.

Subsequently, two algorithms are designed to detect anomalies in port scanning behavior. Since NJNET-IBR does not store IBR traffic permanently, a TCP scanning library is designed and implemented on top of NJNET-IBR to save TCP port scanning information and TCP scanning packet summaries. Port scanning behavior anomalies are detected in two ways: anomaly detection for a single port and anomaly detection across all ports.

The main idea of single-port anomaly detection is to convert port scanning behavior anomaly detection into time series anomaly detection. Two port scanning behavior anomaly detection algorithms are constructed, one based on exponential smoothing and one based on the Fourier transform and a low-pass filter, and experiments are designed to analyze the detection results of both. The experimental results show that the algorithm based on exponential smoothing is better suited to relatively stable time series; when the time series fluctuates frequently, the algorithm based on the Fourier transform and a low-pass filter has higher accuracy. Since the time series formed from the number of daily scanning packets on a port generally fluctuates greatly, the algorithm based on the Fourier transform and a low-pass filter is the more suitable one.

The idea of anomaly detection across all ports is to build a port scanning behavior model that characterizes the scanning behavior of all ports. A change in the model indicates abnormal scanning behavior on some port. Based on this idea, a port scanning behavior algorithm based on the centroid of a circle is proposed. The movement trajectory of the centroids reflects the scanning situation of all ports, and a change in that trajectory indicates abnormal port scanning behavior. The abnormal port can be located from the position where the trajectory shape changes. Compared with the single-port scanning behavior anomaly detection algorithm, this algorithm does not need to model each port separately and has higher accuracy.
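The single-port idea described in the abstract, turning a port's daily scanning packet counts into a time series and flagging days that deviate from a smoothed baseline, can be sketched as follows. This is an added illustration, not the thesis's algorithm or code: the smoothing factor `alpha`, the `cutoff` bin, the 3-sigma rule and the sample series are all assumptions chosen for the example.

```python
import cmath
import math
import statistics

def flag(residuals, k):
    """Indices whose residual exceeds k standard deviations.
    The 1-packet floor keeps floating-point noise on a flat series from being flagged."""
    limit = k * max(statistics.pstdev(residuals), 1.0)
    return [day for day, r in enumerate(residuals) if abs(r) > limit]

def detect_exp_smoothing(series, alpha=0.3, k=3.0):
    """Residual = daily count minus the one-step-ahead exponentially smoothed forecast."""
    level, residuals = series[0], []
    for count in series:
        residuals.append(count - level)
        level = alpha * count + (1 - alpha) * level
    return flag(residuals, k)

def lowpass_baseline(series, cutoff):
    """Keep DFT bins 0..cutoff and their mirror images, zero the rest, then invert.
    A naive O(n^2) DFT is used so the example needs only the standard library."""
    n = len(series)
    w = 2j * math.pi / n
    spectrum = [sum(x * cmath.exp(-w * f * t) for t, x in enumerate(series))
                for f in range(n)]
    kept = [c if min(f, n - f) <= cutoff else 0 for f, c in enumerate(spectrum)]
    return [sum(c * cmath.exp(w * f * t) for f, c in enumerate(kept)).real / n
            for t in range(n)]

def detect_fft_lowpass(series, cutoff=3, k=3.0):
    """Residual = daily count minus the low-pass-filtered baseline."""
    baseline = lowpass_baseline(series, cutoff)
    return flag([x - b for x, b in zip(series, baseline)], k)

# Constructed sample (not thesis data): 56 daily packet counts for one port with a
# slow 28-day swing, plus a one-day scanning burst injected on day 40.
SAMPLE = [1000 + round(300 * math.sin(2 * math.pi * 2 * day / 56)) for day in range(56)]
SAMPLE[40] += 2000

if __name__ == "__main__":
    print("exponential smoothing:", detect_exp_smoothing(SAMPLE))
    print("FFT low-pass:", detect_fft_lowpass(SAMPLE))
```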
Keywords/Search Tags:Port Scanning, Anomaly Detection, IBR, Traffic Model