Port scanning is the first stage of a network attack: it supplies vulnerability information about the target network to the intrusion behaviors that follow. Slow port scanning is stealthy and easily evades detection systems, which increases the threat posed by network attacks. On the one hand, traffic related to a slow port scan makes up only a small proportion of the network traffic in a unit of time, so collecting all network traffic in order to detect slow port scans adds unnecessary overhead. On the other hand, a detection algorithm based on a fixed time window mechanism can hardly detect scans of different speeds when the window length has to be set in advance, so it performs poorly under dynamic conditions. This thesis first analyzes the characteristics of the victim's response messages and proposes a data collection method that collects the data related to scanning activity in SDN. Secondly, the rate feature of the scanning attack is extracted to realize a dynamic adjustment strategy for the time window. Finally, the scanning attack detection problem is formulated as a Sequential Probability Ratio Test (SPRT) problem and the detection result is computed. The detection algorithm accurately detects slow port scanning attacks while reducing the detection delay. The main innovative contributions of this thesis are as follows:

(1) We propose a data collection method in SDN. Based on the behaviors of TCP scanning and UDP scanning, two marking rules are suggested to mark suspicious flows. The marking rules are then converted into collection entries, which collect the network traffic related to scanning activity rather than normal network traffic. Using the global view of the controller, the port of the edge switch that is directly connected to a network host is selected as the collection node, so that the same suspicious flow is not collected more than once. Finally, the multiple flow table feature is used to configure the collection table in the OpenFlow switch, which reduces switch resource consumption. The simulation results show that the suspicious flow data collection method collects 1.07% of all network data, of which 81.93% is related to scanning attacks.

(2) A scanning attack detection algorithm based on a dynamic time window mechanism is proposed. The scanning rate feature is extracted from the collected suspicious flows using the Exponentially Weighted Moving Average (EWMA) method, and a dynamic adjustment strategy sets an appropriate time window length for scanning attacks of different speeds. A connection event is generated in each time window, and the scanning attack detection problem is formulated as a Sequential Probability Ratio Test problem to improve the accuracy of the detection algorithm. The simulation results show that the scanning attack detection algorithm achieves a true positive rate of 98.46% and a false alarm rate of 0.17%. Furthermore, the detection delay is reduced by at least 7.61% compared with the detection algorithm based on the fixed time window mechanism.
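As an added illustration (not code from the thesis), the following Python sketch shows the detection stage described in contribution (2) the way a practitioner would prototype it: a per-host SPRT fed by one connection event per time window, with the window length driven by an EWMA estimate of the probe rate so that a slow scanner still produces events. The hypothesis parameters (theta0, theta1), the error bounds (alpha, beta), the EWMA weight, the window bounds and both event streams are constructed assumptions; the thesis's own thresholds, marking rules and collection entries are not reproduced.

```python
import math

# Constructed sample for one source host: (timestamp_s, dst_port, failed). failed=True stands
# for a victim response the marking rules treat as suspicious (TCP RST answering a SYN, ICMP
# port unreachable answering UDP). A probe every 4 s to a new port models a slow scan.
SLOW_SCAN = [(4.0 * i, 1000 + i, i != 2) for i in range(12)]   # third probe finds an open port
BENIGN = [(0.5 * i, 443 if i % 2 else 80, False) for i in range(8)]  # constructed: 8 successful connects

class SprtScanDetector:
    """One connection event per time window feeds an SPRT; the window length follows an
    EWMA estimate of the probe rate so slow and fast scans both produce events."""
    def __init__(self, theta0=0.2, theta1=0.8, alpha=0.01, beta=0.01,
                 ewma_lambda=0.3, win_min=1.0, win_max=60.0):
        # theta0/theta1: P(probe fails) under H0 (benign host) / H1 (scanner); assumed values
        self.gain, self.loss = math.log(theta1 / theta0), math.log((1 - theta1) / (1 - theta0))  # llr step: failed / successful event
        self.upper, self.lower = math.log((1 - beta) / alpha), math.log(beta / (1 - alpha))      # accept H1 / accept H0
        self.lam, self.win_min, self.win_max = ewma_lambda, win_min, win_max
        self.rate, self.window, self.llr = None, win_min, 0.0  # no rate known yet: start short
        self.start, self.buffered = None, []

    def _close_window(self):
        observed = len(self.buffered) / self.window  # probes per second in the elapsed window
        self.rate = observed if self.rate is None else self.lam * observed + (1 - self.lam) * self.rate
        # next window holds about one probe at the estimated rate, clamped to [win_min, win_max]
        self.window = min(self.win_max, max(self.win_min, 1.0 / max(self.rate, 1e-9)))
        if self.buffered:  # an empty window is no evidence either way
            self.llr += self.gain if any(f for _, _, f in self.buffered) else self.loss
        self.buffered = []

    def verdict(self):
        return "scanner" if self.llr >= self.upper else "benign" if self.llr <= self.lower else None

    def observe(self, ts, port, failed):
        """Feed one marked probe in time order; returns the decision so far (None: keep sampling)."""
        if self.start is None:
            self.start = ts
        while ts >= self.start + self.window:  # close every window the clock has passed
            self.start += self.window
            self._close_window()
        self.buffered.append((ts, port, failed))
        return self.verdict()

def run(events):
    """Replay one host's marked probes; returns (verdict, timestamp at which it was reached)."""
    det = SprtScanDetector()
    for ts, port, failed in events:
        if det.observe(ts, port, failed):
            return det.verdict(), ts
    det._close_window()  # flush the final, partial window
    return det.verdict(), events[-1][0]
```

With these assumed parameters the slow scanner is flagged at t = 24 s after six windows that each carried one probe, while the benign host, whose connections all succeed, is cleared after its eighth connection.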