Port scan detection method and device

A port scan detection technology applied in the field of network security. It addresses the small detection range, low detection accuracy and poor performance of existing port scan detection, improving accuracy and performance, expanding the detection range and avoiding misjudgment.

Active Publication Date: 2017-03-15
NSFOCUS INFORMATION TECHNOLOGY CO LTD +1

AI Technical Summary

Problems solved by technology

[0004] The present invention provides a port scanning detection method and device to solve the problems of small port scanning detection range, low detection accuracy and poor performance in the prior art


Examples


Embodiment 1

[0042] Figure 1 is a schematic diagram of a port scanning detection process provided by an embodiment of the present invention. The process includes:

[0043] S101: Determine the feature vector between each connection initiator and connection responder from the statistics collected within the set time period: the number of data packet transmissions between each connection initiator and connection responder, each receiving port on which the connection responder received data packets, the duration of each data transmission from the connection initiator to the connection responder, and the number and size of the data packets transmitted between the connection initiator and the connection responder each time.

[0044] In the embodiment of the present invention, the connection initiator generally refers to a device such as a personal computer (PC) or a server that initiates port scanning, and the connection responder generally refers to a device such as a server whose port is scanned. During...

Embodiment 2

[0057] In order to improve the accuracy of port scanning detection, on the basis of the above embodiments, in the embodiment of the present invention, determining the feature vector between each connection initiator and connection responder includes:

[0058] For each connection initiator and connection responder, determine each parameter in the feature vector between the connection initiator and the connection responder according to the number of data packet transmissions, each receiving port on which the connection responder received data packets, the duration of each data transmission from the connection initiator to the connection responder, and the number and size of the data packets for each transmission between the two parties, wherein the first parameter is the ratio of the second number of data transmissions from the connection responder to the connection initiator and the first number of data transmissio...

Embodiment 3

[0062] On the basis of the above-mentioned embodiments, in order to facilitate the subsequent determination of the feature vector between each connection initiator and connection responder, in the embodiment of the present invention, before counting the number of data transmissions initiated by each connection initiator to the connection responder within the set time period, the method further includes:

[0063] For each unidirectional network flow (netflow) obtained, select the netflows that use the Transmission Control Protocol (TCP);

[0064] The selected netflows are spliced into bidirectional flows, and each connection initiator and connection responder is determined according to the bidirectional flows.

[0065] A netflow is generated every time a data packet is transmitted between the connection initiator and the connection responder, and the information contained in the netflow can be obtained by analyzing each netflow. Shown in Figure 2 is a sch...
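The preprocessing in [0063] and [0064] and the first feature parameter from [0058] can be sketched as follows. This is an added example, not code from the patent or from NSFOCUS. The record layout, the pairing by reversed address/port tuple, the rule that the side whose flow is seen first is the initiator, the distinct-port count as a feature, and the names `splice` and `features` are all assumptions.

```python
from collections import defaultdict

TCP = 6  # IANA protocol number for TCP

# Constructed sample netflow records (not from the patent):
# (start_time, src_ip, src_port, dst_ip, dst_port, protocol, packets, bytes)
FLOWS = [
    (1.00, "10.0.0.5", 40001, "10.0.0.9", 22, 6, 1, 60),
    (1.01, "10.0.0.9", 22, "10.0.0.5", 40001, 6, 1, 54),
    (1.10, "10.0.0.5", 40002, "10.0.0.9", 23, 6, 1, 60),   # never answered
    (1.20, "10.0.0.5", 40003, "10.0.0.9", 80, 6, 1, 60),
    (1.21, "10.0.0.9", 80, "10.0.0.5", 40003, 6, 1, 58),
    (2.00, "10.0.0.7", 50000, "10.0.0.9", 443, 6, 12, 4200),
    (2.02, "10.0.0.9", 443, "10.0.0.7", 50000, 6, 15, 18000),
    (3.00, "10.0.0.7", 53000, "10.0.0.9", 53, 17, 1, 70),  # UDP, filtered out
]

def splice(flows):
    """Keep TCP netflows and pair each one with its reverse-direction flow."""
    open_flows, bidirectional = {}, []
    for flow in sorted(flows):                      # oldest first
        _, sip, sport, dip, dport, proto, _, _ = flow
        if proto != TCP:
            continue
        waiting = open_flows.get((dip, dport, sip, sport))
        if waiting is not None and waiting["reply"] is None:
            waiting["reply"] = flow                 # responder -> initiator
        else:
            # Assumption: the side whose flow is seen first is the initiator.
            rec = {"request": flow, "reply": None}
            open_flows[(sip, sport, dip, dport)] = rec
            bidirectional.append(rec)
    return bidirectional

def features(bidirectional):
    """Per (initiator, responder) pair: counts, reply ratio, distinct ports."""
    acc = defaultdict(lambda: {"first": 0, "second": 0, "ports": set()})
    for rec in bidirectional:
        _, initiator, _, responder, dport, *_ = rec["request"]
        a = acc[(initiator, responder)]
        a["first"] += 1                             # initiator -> responder
        a["second"] += rec["reply"] is not None     # responder -> initiator
        a["ports"].add(dport)
    return {pair: {"first": a["first"], "second": a["second"],
                   "reply_ratio": a["second"] / a["first"],
                   "distinct_ports": len(a["ports"])}
            for pair, a in acc.items()}

if __name__ == "__main__":
    for pair, vec in features(splice(FLOWS)).items():
        print(pair, vec)
```

In the constructed sample, the host that touches three ports and gets two replies ends up with a reply ratio below 1, while the ordinary HTTPS client has a ratio of 1 on a single port.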


Abstract

Embodiments of the invention disclose a port scan detection method and device. The method comprises the following steps: (A) collecting statistics on the data packet transmission between each connection initiator and each connection responder within a set time duration; (B) determining the number of categories after clustering; (C) clustering the feature vectors according to the determined number of categories and the distance between the feature points corresponding to the feature vectors, and judging whether the cluster whose central point has the minimum distance to a preset standard point meets a termination condition; if not, returning to (B); and (D) if so, taking that cluster as the target cluster and determining that the connection initiator corresponding to each feature vector in the target cluster is carrying out a port scan on the connection responder. The method and device address the small port scan detection range, low detection precision and poor performance of the existing technology.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a port scanning detection method and device.

Background technique

[0002] Port scanning refers to using port scanning tools to detect the open ports of receiving devices. Port scanning itself is not a malicious network behavior, but it is often used by some illegal users to find vulnerabilities in receiving devices and exploit them, which affects normal operation and causes losses. If the receiving device knows that a connection initiator is performing port scanning on it, it can start corresponding protection measures to protect its own security and avoid losses.

[0003] However, in the prior art, port scanning detection is mostly carried out on the receiving device. If a connection initiator has accessed more ports of the receiving device within a set time, it is judged that there i...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): H04L29/06
Inventor: 袁帅皮靖汪可尹飞
Owner: NSFOCUS INFORMATION TECHNOLOGY CO LTD