摘要
根据网络流量的统计特征提出一种慢速端口扫描行为检测算法,以主机数和端口数的比值及被访问主机端口集合之间的相似度为基础,采用非参数累积和CUSUM算法及小波变换方法对流量统计特征进行分析,进而判断是否存在端口扫描行为。实验结果表明,所提取的网络流量特征及算法可以有效地检测异常行为,该方法和Snort相比较具有低的漏报率和误报率。
A slowly port scan detect method was presented based on the statistical traffic features. Two statistical features: the ratio between the number of hosts and ports a host communicates and similarities of the ports set, were selected to denote the traffic features. The CUSUM and wavelet transform methods were employed to analyze the features and detect the slowly port scan behaviors. The experimental results show that the methods proposed detect port scan behaviors efficiently and correctly, it has low false negative and false positive alarm rate compared with the Snort,
出处
《通信学报》
EI
CSCD
北大核心
2007年第12期14-18,共5页
Journal on Communications
基金
国家自然科学基金资助项目(60574087)
国家高技术研究发展计划("863"计划)基金资助项目(2007AA01Z475
2007AA01Z480
2007AA01Z464)
国家"111引智计划"基金资助项目~~
