基于动态暗网的互联网扫描行为分析

Analysis of Internet scanning behavior based on dynamic dark network

为了对互联网上的扫描行为进行观测,采用基于动态暗网的互联网背景辐射(IBR)流量实时采集算法实现对IBR流量的采集,并对采集到的IBR流量进行分析;设计算法过滤出扫描流量,进行面向端口的扫描行为观测.该动态暗网是相对稳定且分散的,不易被定位,通过其获取到的IBR流量是进行扫描分析的可靠数据源.IBR流量主要由传输控制协议(TCP)、用户数据报协议(UDP)、Internet控制消息协议(ICMP)这3种协议组成,其中TCP流量占90%以上,与正常流量中3种协议的分布不同.IBR流量得到的TCP、UDP、ICMP流量都以扫描流量为主,且广泛采用水平扫描的形式.TCP、UDP的热门扫描端口都是危险端口,证明面向端口的扫描行为分析对于发现互联网中新出现的漏洞有重要作用.TCP端口扫描行为较分散,UDP端口扫描行为较集中.

A real-time Internet background radiation(IBR)traffic acquisition algorithm based on the dynamic dark network was used to collect IBR traffic and the collected IBR traffic was analyzed,in order to observe the scanning behavior on the Internet.An algorithm was designed to filter out the scanning traffic to observe the port-oriented scanning behavior.The dynamic dark network is relatively stable and scattered,thus it is not easily to be located.The IBR traffic obtained through it is a reliable data source for scanning analysis.IBR traffic is mainly composed of transmission control protocol(TCP),user datagram protocol(UDP)and Internet control message protocol(ICMP)protocols,of which TCP traffic accounts for more than 90%.It is different from the distribution of the three protocols in normal traffic.The TCP,UDP and ICMP traffic obtained by IBR traffic are mainly scanning traffic,of which horizontal scanning is widely used.The popular scanning ports for both TCP and UDP are dangerous ports,which proves that the port-oriented scanning behavior analysis plays an important role in discovering new vulnerabilities on the Internet.The TCP port scanning behavior is more dispersed,while the UDP port scanning behavior is more concentrated.