Abstract
The worm scan detection algorithm first sets a threshold as a number of events: if, within the corresponding time window, a host issues more outbound connections than the threshold, the host is judged to be scanning, and the number of failed connections is used as evidence for that judgement. Based on a probability model, the algorithm either judges whether the destination addresses or ports that an external source address accesses on the local network are anomalous, or judges whether the number of destination addresses and the number of ports it accesses on the local network are anomalous. The decision is made with an event-sequence hypothesis testing (HT) algorithm or an improved HT algorithm.
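As an added illustration, not code from the paper, the sequential hypothesis test named in the abstract in Python: each new destination/port outcome observed for a source updates a log-likelihood ratio until it crosses a "scanner" or "benign" bound, so the failed-connection evidence accumulates per source rather than per window. The success probabilities, error rates and sample connection events are constructed assumptions.

```python
import math
from dataclasses import dataclass, field
from typing import Optional

# Assumed model parameters (not taken from the paper): probability that a
# connection attempt from a benign host succeeds (THETA0) versus from a
# scanning host (THETA1), and the tolerated false-alarm / miss rates.
THETA0, THETA1 = 0.8, 0.2
ALPHA, BETA = 0.01, 0.01
ETA1 = math.log((1 - BETA) / ALPHA)   # crossing upward  -> "scanner"
ETA0 = math.log(BETA / (1 - ALPHA))   # crossing downward -> "benign"


@dataclass
class SourceState:
    llr: float = 0.0                          # running log-likelihood ratio
    seen: set = field(default_factory=set)    # (dst_ip, dst_port) already counted
    verdict: Optional[str] = None


def observe(state: SourceState, dst_ip: str, dst_port: int, succeeded: bool):
    """Feed one connection outcome into a source's test; return verdict or None."""
    if state.verdict is not None:             # test already terminated
        return state.verdict
    key = (dst_ip, dst_port)
    if key in state.seen:                     # retry to same target: no new evidence
        return None
    state.seen.add(key)
    if succeeded:
        state.llr += math.log(THETA1 / THETA0)               # success favours benign
    else:
        state.llr += math.log((1 - THETA1) / (1 - THETA0))   # failure favours scanner
    if state.llr >= ETA1:
        state.verdict = "scanner"
    elif state.llr <= ETA0:
        state.verdict = "benign"
    return state.verdict


def classify(events):
    """events: iterable of (src, dst_ip, dst_port, succeeded). Returns {src: verdict}."""
    states = {}
    for src, dst_ip, dst_port, ok in events:
        observe(states.setdefault(src, SourceState()), dst_ip, dst_port, ok)
    return {src: st.verdict for src, st in states.items()}


# Constructed sample: 10.0.0.5 sweeps port 445 across a subnet (all failing),
# 10.0.0.7 makes normal successful connections, 10.0.0.9 stays undecided.
SAMPLE_EVENTS = (
    [("10.0.0.5", f"192.168.1.{i}", 445, False) for i in range(1, 9)]
    + [("10.0.0.7", f"192.168.1.{i}", 80, True) for i in range(10, 15)]
    + [("10.0.0.9", "192.168.1.20", 22, False), ("10.0.0.9", "192.168.1.21", 22, False),
       ("10.0.0.9", "192.168.1.20", 22, False), ("10.0.0.9", "192.168.1.30", 443, True)]
)
```

With these parameters four consecutive failures to distinct targets are enough to cross the scanner bound, and four successes cross the benign bound.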
Source
《兵工自动化》 (Ordnance Industry Automation)
2005, No. 6, pp. 53-54 (2 pages)
Ordnance Industry Automation
Keywords
Network worm (Internet worm)
Scan
Hypothesis testing
Network security