Method and system for detecting scanning behaviors of ports

A technology for detecting port scanning behavior, applied in the field of port scanning detection methods and systems. It addresses the high concealment of port scans and the difficulty of detecting them, and achieves the effect of avoiding false negatives and false positives.

Inactive Publication Date: 2010-12-01
BEIJING VENUS INFORMATION TECH +1

AI Technical Summary

Problems solved by technology

[0003] Port scanning takes many forms, but it can be divided into two types: TCP port scanning and UDP port scanning. Generally speaking, TCP port scanning is used to obtain information about open TCP ports, and UDP port scanning is used to obtain information about open UDP ports. TCP port scanning accounts for the vast majority of scanning, and it is divided into TCP SYN-only port scanning and TCP full-connection scanning. The former sends only TCP SYN handshake messages and does not complete the three-way handshake, so it is easier to identify. The latter establishes a complete TCP handshake, so it is relatively difficult to detect and is more concealed.
[0004] In terms of how it is used, port scanning is divided into two types: slow scanning and fast scanning. In most cases, ordinary attackers use fast scanning to probe ports, which detection software can detect easily. To evade detection software, however, experienced attackers often use the rarer slow scanning method. Probing a limited number of ports over a long period is very well concealed and is difficult to distinguish from normal access, so it has become a major problem for detection products.


Embodiment Construction

[0045] The technical solution of the present invention will be described in more detail below with reference to the drawings and embodiments.

[0046] Refer to Figure 1, which shows a method for collecting port scanning behavior data according to an embodiment of the present invention, including the following steps:

[0047] Step S101: write the correspondence between the IP address of each protected client and its open port numbers into the configuration file;

[0048] The port number is a UDP/TCP port number;

[0049] The client is a host terminal or device;

[0050] Step S102: continuously capture network packets, and extract the source IP address and destination IP address from each packet;

[0051] Step S103: judge in turn whether the extracted destination IP address matches the IP address of a protected client in the configuration file; if the judgment result is "yes", go to step S104; if the judgment result is "no", then ...


Abstract

The invention provides a method and a system for detecting scanning behaviors of ports. The method comprises the following steps of: writing a corresponding relationship between the IP address of each protected client and an open port number thereof into a configuration file; monitoring the accessed condition of each protected client, and maintaining an open port access list and an unopened port access list of the access clients for the protected clients; calculating the average numbers of open ports and unopened ports, accessed by the access clients, of the protected clients according to the open port access list and the unopened port access list of the access clients for the protected clients respectively; and simultaneously performing quick scanning judgment and slow scanning judgment according to the preset quick scanning judgment rule and the preset slow scanning judgment rule so as to detect the quick scanning behaviors of the ports and well discover the slow scanning behaviors.
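The pipeline in the abstract, as an added sketch that is not the patent's own code: a configured map of protected clients to open ports, per-access-client lists of open and unopened ports touched, per-protected-client averages, and a fast and a slow rule applied to the same lists. The page does not state the judgment rules, so the windows and thresholds, the class and function names, and the sample addresses are all assumptions.

```python
from collections import defaultdict

# S101: protected client IP -> open ports (constructed sample configuration).
PROTECTED = {"10.0.0.5": {22, 80, 443}, "10.0.0.6": {25}}

# Assumed rules: the page does not state the patent's actual thresholds.
FAST_WINDOW, FAST_UNOPENED = 10, 5        # seconds, avg distinct unopened ports
SLOW_WINDOW, SLOW_UNOPENED = 86400, 8     # seconds, avg distinct unopened ports


class ScanDetector:
    def __init__(self):
        # access client -> protected client -> {port: last time seen}
        self.open_list = defaultdict(dict)
        self.unopened_list = defaultdict(dict)

    def observe(self, ts, src, dst, dport):
        """Handle one captured packet; return 'fast', 'slow' or None."""
        if dst not in PROTECTED:                      # S103: not a protected client
            return None
        table = self.open_list if dport in PROTECTED[dst] else self.unopened_list
        table[src].setdefault(dst, {})[dport] = ts
        return self.judge(ts, src)

    def averages(self, src, since):
        """Average open / unopened ports per protected client touched since `since`."""
        def recent(table, host):
            ports = table.get(src, {}).get(host, {})
            return sum(1 for seen in ports.values() if seen >= since)
        hosts = set(self.open_list.get(src, {})) | set(self.unopened_list.get(src, {}))
        counts = [(recent(self.open_list, h), recent(self.unopened_list, h)) for h in hosts]
        counts = [c for c in counts if c != (0, 0)]
        n = len(counts) or 1
        return sum(o for o, _ in counts) / n, sum(u for _, u in counts) / n

    def judge(self, now, src):
        """Apply the fast and the slow rule to the same two lists."""
        _, unopened = self.averages(src, now - FAST_WINDOW)
        if unopened >= FAST_UNOPENED:
            return "fast"
        opened, unopened = self.averages(src, now - SLOW_WINDOW)
        if unopened >= SLOW_UNOPENED and unopened > opened:
            return "slow"
        return None
```

Because the slow rule looks back over a full day of the same unopened-port list, a client that probes one port per hour never reaches the fast threshold but is still flagged once enough distinct unopened ports accumulate.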

Description

Technical field

[0001] The present invention relates to the detection of port scanning behaviors against network hosts and devices, and in particular to a method of collecting port asset information and port asset activity information of hosts or network devices on network devices or host terminals and, based on this port asset information and port asset activity information, detecting port scanning behaviors against these network devices and host terminals, including the detection of TCP port scanning and UDP port scanning.

Background technique

[0002] Port scanning, especially slow port scanning, is a common information collection behavior before network attacks. Attackers use this type of port detection to discover the open services on the target host, and even the type of software running, so that the attacker can choose the appropriate attack method and attack count at the right time to infiltrate the target host. Therefore, although the po...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): H04L12/24, H04L29/06
Inventor: 李博, 牛妍萍
Owner: BEIJING VENUS INFORMATION TECH