Scan intent analysis oriented by event attribute
Cite this article: HUANG Mian, DING Wei, ZHU Zhangchi. Scan intent analysis oriented by event attribute [J]. Journal of Fuzhou University (Natural Science Edition), 2023, 51(5): 704-710
Authors: HUANG Mian, DING Wei, ZHU Zhangchi
Affiliation: School of Cyber Science and Engineering, Southeast University (all three authors)
Abstract: Network scanning is a pervasive phenomenon on the Internet, produced by scanning behaviors with a wide range of intentions; detecting and analyzing scanning behavior on the Internet helps in observing the network security situation. To describe the scanning process more systematically, this paper defines the concept of a scan event and proposes six scan attributes to characterize it: scan event capacity, network-wide scanning, number of scan event protocols, number of scan event ports, scan event attribution, and scan event compression ratio. Focusing further on the intent behind scanning behavior, the paper proposes an anomalous scan event detection method based on scan attribute filtering and clustering: normal institutional scan events are first separated by filtering on the scan event attribution attribute, and a clustering algorithm designed over the scan attribute features is then applied to the remaining scan events to obtain potential anomalous scan events. The experiments use IBR traffic captured at the network boundary of the CERNET Nanjing main node as the data source, run the algorithm to identify scan traffic, and analyze it from the perspective of scan intent. The experiments show that more than 95% of scan traffic can be summarized as scan event traffic, of which non-malicious institutional scan events account for more than 50%. On this basis, about 60 potential anomalous scan events can be detected per day from the non-institutional scan events, and verification shows that the detection accuracy for anomalous scan events exceeds 60%.

Keywords: scan event; anomaly detection; Internet background radiation traffic
Received: 2023-10-06
Revised: 2023-10-18

Scan intent analysis oriented by event attribute
HUANG Mian, DING Wei, ZHU Zhangchi. Scan intent analysis oriented by event attribute [J]. Journal of Fuzhou University (Natural Science Edition), 2023, 51(5): 704-710
Authors: HUANG Mian, DING Wei, ZHU Zhangchi
Affiliation: School of Cyber Science and Engineering, Southeast University (all three authors)
Abstract: Network scanning is a common phenomenon on the Internet, produced by scanning behaviors with a wide range of intentions; detecting and analyzing scanning behavior on the Internet helps in observing the network security posture. To describe the scanning process more systematically, this paper defines the concept of a scan event and proposes six scan attributes to characterize it: scan event capacity, network-wide scanning, number of scan event protocols, number of scan event ports, scan event attribution, and scan event compression ratio. Focusing further on the intent behind scanning behavior, the paper proposes an anomalous scan event detection method based on scan attribute filtering and clustering: normal institutional scan events are first separated by filtering on the scan event attribution attribute, and a clustering algorithm over the scan attribute features is then applied to the remaining scan events to obtain potential anomalous scan events. The experiments use IBR traffic collected at the network boundary of the CERNET Nanjing master node as the data source, run the algorithm to identify scan traffic, and analyze it from the perspective of scan intent. The experiments show that more than 95% of scan traffic can be classified as scan event traffic, of which more than 50% are non-malicious institutional scan events. On this basis, about 50 potential anomalous scan events can be detected per day from the non-institutional scan events, and verification shows that the detection accuracy for anomalous scan events exceeds 60%.
Keywords: scan events; anomaly detection; Internet background radiation traffic