扫描检测平台效用评估

Effectiveness Evaluation of a Scan Detection Platform

利用网络中未使用IP地址构建扫描检测平台能够有效提高检测准确率,降低虚警率.在扫描检测平台实际构建之前,需要对可控部署地址资源的预计检测效用进行评估,以确定地址资源可达的检测目标以及明确平台构建的必要性.为此,提出一种基于网络分类的扫描检测模型,依据此模型可对扫描检测平台对于随机扫描源和本地优先扫描源的检测效用进行评估,为扫描检测平台部署构建提供理论指导.以法国电信Leurre’com Honeynet Project实际分布式检测平台作为效用评估样例.评估结果表明该检测平台能够有效检测类似Slammer蠕虫的高速随机扫描源和每秒至少发出2个扫描连接的本地优先扫描源,对低速扫描源检测效用低下.实际数据统计结果与仿真实验验证了评估结果的准确性.

A scan detection phtform constructed by unused IP addresses will effectively improve detection accuracy and reduce false alarm. Before constructing a real scan detection phfform, we need to evaluate the detection effectiveness of controlled monitoring addresses to predict the detecting tagets and determine the necessity of the phfform deployment. To match these requirements, a new scan detection model based on network classification is presented. According to this model, we can evaluate the detection effectiveness of a scan detection phfform which is used to detect random or local preference scanning sources and provide theory guidance for the phtform construction and deployment. We use the Leurre＇ com Honeynet Project＇s distributed scan detection phfform as a practical evaluation instance. Evaluation resttlts show that the phtform can effectively detect high speed random scanning sources like Slammer worm and local preference scanning sources whose average scanning rate is more than 2 scan connections per second. To low speed scanning sources, the detection effectiveness is poor. Statistics of real monitoring data and simttlation resttlts validate the veracity of evaluation resttlts.