摘要
从面向连接的角度出发,以Petri网为工具,建立了TCP协议异常检测模型.该模型以TCP协议的状态变迁图为基础,并根据协议规范可对传输报文的标志位进行系统的分析,从而识别出标志位非法组合构成的畸形报文(FIN-RST报文).模型中规定了各种状态下可接收的标志位集合,同时还细化了各状态下的超时异常,据此可准确地检测出各种异常,以抵御已知和未知的非法行为.利用该模型不仅可发现已知异常事件,还可对未知漏洞进行防范.通过实验发现,网络中的错误标志位报文、端口扫描以及DOS攻击产生的异常流量将占到总流量的10%以上.
Based on Petri net, a connection oriented TCP protocol anomaly detection model was established. Based on TCP state transition diagram, the flag bits of packets were systemically analyzed according to TCP protocol specification. So the malformed packets, which abnormally formed by flag bits, such as FIN-RST packets can be identified. The receivable flag bit set of each state in the model was defined, meanwhile the timeout anomaly of each state was refined, by which varied anomaly can be detected accurately so as to defend the known and unknown abnormal behaviors. With the detection model, not only the known anomalies can be discovered, but also can it protect from unknown attacks. Experimental results show that the quantity of anomalies generated by packets with malformed flag, port scans and DOS attacks will occupy more than 10 percent of the total traffic in networks.
出处
《西安交通大学学报》
EI
CAS
CSCD
北大核心
2006年第6期659-662,共4页
Journal of Xi'an Jiaotong University
基金
国家信息化计算机网络与信息安全基金资助项目(2001-研1-010)
关键词
协议异常检测
状态变迁图
协议规范
标志位
protocol anomaly detection
state transition diagram
protocol specification
flag bit