| 一种高效的系统扫描检测方法 |
| |
| 引用本文: | 李小勇,单蓉胜,白英彩. 一种高效的系统扫描检测方法[J]. 计算机工程与应用, 2003, 39(1): 19-21 |
| |
| 作者姓名: | 李小勇 单蓉胜 白英彩 |
| |
| 作者单位: | 上海交通大学计算机科学与工程系,上海,200030 |
| |
| 基金项目: | 国家863高技术研究发展计划项目(编号:2001AA144060.2) |
| |
| 摘 要: | 系统扫描检测是网络入侵检测与预警系统的重要组成部分。传统基于统计的系统扫描方法具有阈值、时间窗口难以设定,而且难以检测隐蔽扫描等不足。该文提出一种基于TCP包头异常检测的系统扫描检测方法THAD。通过学习到达被保护主机的TCP包的端口(Port)和标记(Flag)的分布特征,THAD可计算出每个到达TCP包的异常值,并结合TCP协议本身的特征对检测方法进行优化。测试表明,THAD可以有效地检测包括慢扫描和隐蔽扫描等多种系统扫描行为,与已有多种检测方法相比,THAD显著提高了检测的准确性,并提高了检测的效率和实时性。
|
| 关 键 词: | 端口扫描 异常检测 TCP/IP 网络安全 |
| 文章编号: | 1002-8331-(2003)01-0019-03 |
| 修稿时间: | 2002-07-01 |
An Effective Method to Detect System Scan |
| |
| Li Xiaoyong Shan Rongsheng Bai Yingcai. An Effective Method to Detect System Scan[J]. Computer Engineering and Applications, 2003, 39(1): 19-21 |
| |
| Authors: | Li Xiaoyong Shan Rongsheng Bai Yingcai |
| |
| Abstract: | Detection of system scan is an important component of network intrusion detection and prevention system.Traditional statistical methods have several disadvantages:it can be easily evaded and it's difficult to set the threshold and time window size.This paper present s a new method based on TCP packet anomaly detection(THAD)to detect system scans.Through learning the distribution of ports and flags of TCP packets that arrive at the protected host,THAD can compute the anomaly score of each TCP packet,it also optimizes the detection method by considering the procedure of TCP protocol.Experiments show that THAD can detect system scans including slow scans and stealthy scans effectively,Compared with other methods,THAD improves accuracy of detection remarkably,and improves the efficiency of detection also. |
| |
| Keywords: | Port scan Anomaly Detection TCP/IP Network Security |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
