Research and Implementation of a Network Scan Detection Algorithm Based on Finite Automata (cited by: 9)

Research of a Network Scan Detection Algorithm Based on the FSA Model
Abstract: A network scan is often the prelude to a network intrusion, so detecting scans accurately provides an important early warning of intrusion. Existing scan detection mechanisms are too simple and are easily evaded by attackers. Based on an analysis of both scanning and detection technologies, this paper proposes SBIPA (FSA-based intrusion pre-alert algorithm), a scan detection algorithm built on the finite state automata (FSA) model, and analyzes the key techniques in its implementation. A state transition diagram is used to represent the sequence of scan packets, and three different mechanisms are designed to detect scan events on top of the FSA model. Experiments show that the algorithm detects ordinary single-type scans more precisely and also performs well on stealthy scans, such as distributed scans and mixed scans of multiple types, that existing technologies have difficulty detecting. It thereby addresses the limitations of current scan detection technology and has significant research and practical value.
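Source: Journal of Computer Research and Development (计算机研究与发展); indexed in EI, CSCD, PKU Core; 2006, Issue 3, pp. 417-422 (6 pages)
Funding: National High Technology Research and Development Program of China ("863" Program) (2001AA110485, 2001AA110233, 2001AA144150); National Natural Science Foundation of China (60073006)
Keywords: network scan; intrusion pre-alert; FSA (automata); detection algorithm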
