Host port scanning behavior detection method and device

A host port scanning detection method and device, applied in the field of information security. It addresses the problem that existing methods cannot determine which server was scanned, and it improves statistical accuracy and reduces misjudgment.

Active Publication Date: 2020-02-04
HANGZHOU ANHENG INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

Therefore, the above two methods have the following disadvantages: only the client with scanning behavior is determined, and the scanned server cannot be determined.


Examples


Embodiment 1

[0029] Figure 1 shows a detection method for host port scanning behavior provided by an embodiment of the present invention. Referring to Figure 1, the method includes the following steps:

[0030] Step S101: acquire the network traffic of a switch and mirror the network traffic to obtain mirrored traffic, wherein the mirrored traffic includes at least one data packet.

[0031] In the embodiment of the present invention, in order to obtain the network traffic of the switch, the embodiment first adopts the bypass monitoring mode to realize network monitoring. The bypass monitoring mode may refer to monitoring realized through the "port mirroring" function of a network device such as a switch. Deployment of the bypass monitoring mode is flexible and convenient: the network traffic can be obtained by configuring a mirror port on the switch without affecting the existing network structure. In addition, the mirrored traffic is analy...

Embodiment 2

[0059] Figure 4 shows a device for detecting host port scanning behavior provided by an embodiment of the present invention. Referring to Figure 4, the device may include the following modules:

[0060] The acquiring module 11 is configured to acquire network traffic of the switch, and perform mirroring processing on the network traffic to obtain mirrored traffic; wherein, the mirrored traffic includes at least one data packet;

[0061] The acquisition module 11 may refer to the traffic collection module, whose purpose is to obtain the mirrored traffic produced by the switch mirroring the network traffic, that is, to copy the network traffic and pass it to the preprocessing module. The preprocessing module is the module that processes the data packets; its purpose is to mark different connections according to client IP address, client port, server IP address, and server port. At the same time, it is ...


Abstract

The invention provides a host port scanning behavior detection method and device, and relates to the technical field of information security. The method comprises the steps of: obtaining the network flow of a switch and mirroring the network flow to obtain the mirrored flow, wherein the mirrored traffic comprises at least one data packet; then collecting the characteristics of the data packets for which no connection mark appears, wherein the characteristics comprise a client IP address, a server IP address and a server port; taking the client IP address and the server IP address as two-tuple information to mark the data packets for which no connection mark appears; counting the number of data packets for which the two-tuple information is consistent, the server ports are inconsistent and no connection mark appears, to obtain statistical data; and finally, detecting all statistical data by adopting an inertia mechanism and giving an alarm when any statistical data exceeds a threshold value. According to the invention, the scanning behavior can be rapidly detected, and the scanned server can be accurately determined.
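The counting logic of the abstract, written out as an added example that is not code from the patent or its owner: connections are marked by their 4-tuple, packets of unmarked connections are keyed by the (client IP, server IP) two-tuple, only a server port not yet seen for that pair counts, and the pair's score is compared against a threshold. The patent does not define its "inertia mechanism"; here it is assumed to be a score that decays linearly between packets, and the sample traffic, IP addresses and threshold are constructed.

```python
from collections import defaultdict, namedtuple

# ts is the capture time in seconds; the other fields identify the connection 4-tuple
Packet = namedtuple("Packet", "ts client_ip client_port server_ip server_port")

class PortScanDetector:
    """Count, per (client IP, server IP) pair, packets of unmarked connections that hit
    a server port not seen before for that pair. The 'inertia mechanism' is modelled as
    a score that decays linearly between packets (an assumption, not the patent's text)."""

    def __init__(self, threshold=10, decay_per_sec=0.5):
        self.threshold = threshold
        self.decay_per_sec = decay_per_sec
        self.marked = set()              # 4-tuples already marked as connections
        self.ports = defaultdict(set)    # 2-tuple -> server ports already counted
        self.score = {}                  # 2-tuple -> (score, ts of last counted packet)
        self.alerted = set()             # 2-tuples that already raised an alarm

    def observe(self, pkt):
        conn = (pkt.client_ip, pkt.client_port, pkt.server_ip, pkt.server_port)
        if conn in self.marked:
            return None                  # packet of a known connection: no connection mark needed
        self.marked.add(conn)
        pair = (pkt.client_ip, pkt.server_ip)
        if pkt.server_port in self.ports[pair]:
            return None                  # same server port again: ports are not "inconsistent"
        self.ports[pair].add(pkt.server_port)
        score, last = self.score.get(pair, (0.0, pkt.ts))
        score = max(0.0, score - self.decay_per_sec * (pkt.ts - last)) + 1.0
        self.score[pair] = (score, pkt.ts)
        if score > self.threshold and pair not in self.alerted:
            self.alerted.add(pair)       # alarm names both the scanner and the scanned server
            return {"client": pair[0], "server": pair[1],
                    "distinct_ports": len(self.ports[pair])}
        return None

def detect(packets, threshold=10, decay_per_sec=0.5):
    """Replay packets in time order and return the alarms raised."""
    det = PortScanDetector(threshold, decay_per_sec)
    alarms = [det.observe(p) for p in sorted(packets, key=lambda p: p.ts)]
    return [a for a in alarms if a]

# Constructed sample traffic: one client probes 15 ports of a server within a second,
# another client opens three ordinary HTTPS connections and retransmits one packet.
SAMPLE_PACKETS = (
    [Packet(0.05 * i, "10.0.0.5", 50000 + i, "10.0.0.20", 20 + i) for i in range(15)]
    + [Packet(0.1 * i, "10.0.0.7", 41000 + i, "10.0.0.20", 443) for i in range(3)]
    + [Packet(0.2, "10.0.0.7", 41000, "10.0.0.20", 443)]  # retransmit of a marked connection
)
```

With the constructed input, the probing client trips the threshold on its 11th new port and the HTTPS client never does; spreading the same 15 probes over ten-second intervals lets the decaying score stay below the threshold, which is the misjudgment the decay is meant to reduce.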

Description

Technical field

[0001] The invention relates to the technical field of information security, in particular to a detection method and device for host port scanning behavior.

Background technology

[0002] With the rapid development of the Internet, various intrusion means emerge in an endless stream, and one of the important intrusion means is port scanning. The principle is that the intruder sends a group of port scanning messages to intrude into a computer, first learns the type of network services the computer provides during the intrusion process, and then conducts further attacks on these network services.

[0003] At present, there are two methods for detecting port scanning behavior. One is the traditional detection method, that is, within a fixed time T, detect whether the number of data packets sent by different ports of the client exceeds the preset threshold N, and if so, determine the client. The other is the snort detection method, that is, within a fixed ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/55, H04L29/06
CPC: G06F21/55, H04L63/1416, H04L63/1425, H04L63/0236
Inventors: 蔡福杰, 范渊
Owner: HANGZHOU ANHENG INFORMATION TECH CO LTD