Abstract
The concept of a scanning event is defined and six scanning attributes are proposed. An anomalous scanning event detection method is presented: scanning events are first filtered on their ownership attribute to separate out normal organizational scanning events, and for the remaining events a clustering algorithm designed around the scanning attribute features is used to obtain potential anomalous scanning events. Using IBR (internet background radiation) traffic collected at the network boundary of the CERNET Nanjing main node as the data source, the algorithm was run to identify scanning traffic, which was then analyzed from the perspective of scanning intent. Experiments show that over 95% of scanning traffic can be grouped into scanning event traffic, of which non-malicious organizational scanning events account for more than 50%. On this basis, about 60 potential anomalous scanning events per day can be detected among the non-organizational scanning events. Upon verification, the detection accuracy for anomalous scanning events exceeds 60%.
Authors
HUANG Mian (黄勉), DING Wei (丁伟), ZHU Zhangchi (朱章驰) (School of Cyber Science and Engineering, Southeast University, Nanjing, Jiangsu 211100, China)
Source
Journal of Fuzhou University (Natural Science Edition) (《福州大学学报(自然科学版)》), 2023, No. 5, pp. 704-710 (7 pages). Indexed in CAS; Peking University Core Journal (北大核心).
Funding
National Key R&D Program of China (2021YFB3101401).
Keywords
internet background radiation traffic; scan events; scan attributes; scan intent; anomaly detection