Abstract
System scan detection is an important component of network intrusion detection and early-warning systems. Traditional statistics-based scan detection methods have shortcomings: thresholds and time windows are hard to set, and stealthy scans are hard to detect. This paper proposes THAD, a system scan detection method based on TCP header anomaly detection. By learning the distribution characteristics of the port and flag fields of the TCP packets arriving at the protected host, THAD can compute an anomaly score for each arriving TCP packet, and it further optimizes the detection method using the characteristics of the TCP protocol itself. Tests show that THAD can effectively detect many kinds of system scan behaviour, including slow scans and stealthy scans; compared with several existing detection methods, THAD significantly improves detection accuracy and also improves detection efficiency and real-time performance.
Detection of system scans is an important component of network intrusion detection and prevention systems. Traditional statistical methods have several disadvantages: they can be easily evaded, and it is difficult to set the threshold and the time window size. This paper presents a new method based on TCP packet anomaly detection (THAD) to detect system scans. By learning the distribution of ports and flags of the TCP packets that arrive at the protected host, THAD can compute the anomaly score of each TCP packet; it also optimizes the detection method by considering the procedure of the TCP protocol. Experiments show that THAD can detect system scans, including slow scans and stealthy scans, effectively. Compared with other methods, THAD improves the accuracy of detection remarkably and also improves the efficiency of detection.
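As an added illustration of the approach the abstract describes (example code, not the paper's own), the following Python sketch learns the distribution of destination ports and flag combinations from the inbound TCP packets a protected host sees during a clean training period, scores each later packet by how unlikely its port and flags are under that distribution, and, as one possible use of TCP protocol state, skips the ACK-bearing packets of a conversation that was opened by an ordinary SYN so that long-lived connections do not keep raising alerts. The surprisal scoring, the smoothing constant, the threshold, the flow-tracking rule and the traffic samples are all assumptions of this example; the paper's exact scoring function and optimisation are not given on this page.

```python
import math
from collections import Counter

# TCP flag bits as they appear in the header's flags byte (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


class TcpHeaderAnomalyDetector:
    """Learns P(dst_port) and P(flags) for inbound TCP packets at one protected
    host and scores each new packet by surprisal (-log2 of a smoothed
    probability). Hypothetical example, not the paper's implementation."""

    def __init__(self, alpha=0.01, threshold=12.0):
        self.alpha = alpha            # additive smoothing: unseen values get a finite, high score
        self.threshold = threshold    # packets scoring above this (bits) are reported
        self.port_counts = Counter()
        self.flag_counts = Counter()
        self.n = 0
        self.known_flows = set()      # (src_ip, src_port, dst_port) opened by a plain SYN

    def train(self, packets):
        """packets: iterable of (src_ip, src_port, dst_port, flags) from a clean period."""
        for _src, _sport, dst_port, flags in packets:
            self.port_counts[dst_port] += 1
            self.flag_counts[flags] += 1
            self.n += 1

    def _surprisal(self, counts, key, universe):
        p = (counts[key] + self.alpha) / (self.n + self.alpha * universe)
        return -math.log2(p)

    def raw_score(self, dst_port, flags):
        # 65536 possible ports, 64 possible combinations of the six classic flag bits
        return (self._surprisal(self.port_counts, dst_port, 65536)
                + self._surprisal(self.flag_counts, flags, 64))

    def score(self, src_ip, src_port, dst_port, flags):
        """Anomaly score with a TCP-state shortcut (an assumption of this example):
        once a flow was opened by a plain SYN, its later ACK-bearing packets are
        treated as part of an established conversation and are not scored."""
        flow = (src_ip, src_port, dst_port)
        if flags & ACK and flow in self.known_flows:
            return 0.0
        if flags & SYN and not flags & ACK:
            self.known_flows.add(flow)
        return self.raw_score(dst_port, flags)

    def detect(self, packets):
        """Returns (index, score) for every packet whose score exceeds the threshold."""
        hits = []
        for i, (src, sport, dport, flags) in enumerate(packets):
            s = self.score(src, sport, dport, flags)
            if s > self.threshold:
                hits.append((i, round(s, 2)))
        return hits


# Constructed training traffic: a host serving 80, 443 and 25 that normally sees
# SYN, ACK, PSH|ACK and FIN|ACK from ordinary clients.
BENIGN = []
for i in range(300):
    port = (80, 443, 25)[i % 3]
    client = ("10.0.0.%d" % (i % 50), 40000 + i)
    for flags in (SYN, ACK, PSH | ACK, FIN | ACK):
        BENIGN.append((client[0], client[1], port, flags))

# Constructed test traffic: one normal connection, then a single probe of an unused
# port and two packets with flag combinations that never occur in a legal session.
TEST = [
    ("10.0.0.7", 51000, 80, SYN),
    ("10.0.0.7", 51000, 80, ACK),
    ("10.0.0.7", 51000, 80, PSH | ACK),
    ("192.0.2.9", 60001, 31337, SYN),        # port the host never serves
    ("192.0.2.9", 60002, 80, 0),             # no flags set
    ("192.0.2.9", 60003, 80, FIN | PSH | URG),
]


def run_demo():
    det = TcpHeaderAnomalyDetector()
    det.train(BENIGN)
    return det.detect(TEST)


if __name__ == "__main__":
    print(run_demo())
```

Because the score is additive over the two fields, a single probe of a never-served port scores high even when its flags look ordinary, and a packet with an unseen flag combination scores high even on a busy port; no time window is involved, which is what lets a slow scan be caught one packet at a time.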
Source
Computer Engineering and Applications (《计算机工程与应用》)
CSCD
Peking University Core Journal (北大核心)
2003, Issue 1, pp. 19-21 (3 pages)
Funding
National 863 High Technology Research and Development Program project (No. 2001AA144060.2)