167 results about "Port scan" patented technology

Symmetric Connection Detection (SCD) is a method of detecting when a connection has been fully established in a resource-constrained environment, and works in high-speed routers, at line speed. Many network monitoring applications are only interested in connections that become fully established, so other connection attempts, such as port scanning attempts, simply waste resources if not filtered. SCD filters out unsuccessful connection attempts using a simple combination of Bloom filters to track the state of connection establishment for every flow in the network. Unsuccessful flows can be filtered out to a very high degree of accuracy, depending on the size of the bloom filter and traffic rate. The SCD methodology can also easily be adapted to accomplish port scan detection, and to detect or filter other types of invalid TCP traffic.

A system, method and computer program product are provided for minimizing the duration of a risk-assessment scan. Initially, a plurality of risk-assessment modules are selected each including vulnerability checks associated with a risk-assessment scan. Thereafter, a first set of ports is determined. Such first set of ports is required for communicating with network components subject to the risk-assessment modules associated with the risk-assessment scan. A port scan is subsequently executed on the first set of ports. Based on such port scan, a second set of ports is determined which includes ports unavailable for communicating with the network components subject to the risk-assessment modules associated with the risk-assessment scan. The risk-assessment modules associated with the second set of ports may then be disabled to minimize the duration of the risk-assessment scan.

The present invention discloses a vulnerability simulation overload honeypot method which comprises a host computer, a port scanning deception simulating module, a vulnerability scanning deception simulating module, a vulnerability scanning deception simulating module, a vulnerability attach deception simulating module, a data auditing module and a vulnerability utilizing module. When the attach sequence arrives at the simulated honeypot, a simulated honeypot system is used for processing according to the situation. When an attacker executes vulnerability scanning to the virtual host computer, the simulated honeypot responds and processes according to the vulnerability configuration information. Afterwards, these vulnerabilities are used for further attacking. Hereon, the simulated honeypot system transmits the vulnerability attack data flow to a vulnerability honeypot system. The vulnerability utilization attach of the attacker is processed and responded by a vulnerability attack simulating module. Finally, when the attacker successfully obtains the control power through the vulnerability attack, the attack data hereon is transmitted to a physical honeypot module. All attack processes and related data are recorded by a data auditing module for analyzing comprehensively. The method reduces the number of hardware devices in the honeynet and reduces the cost.

For port scanning an authentication bit sequence is created as an output of an authentication transformation, the authentication transformation having as input at least a given destination address and a given secret key. The authentication bit sequence is embedded in at least one authentication port scan event packet comprising the given destination address. At least one authentication port scan event packet is broadcast. Then, further port scan event packets are broadcast with given port identifiers and the given destination address. For port scanning detection, a received authentication bit sequence is derived from a least one authentication port scan event packet with identical source and destination addresses. Further port scan event packets are accepted with given port identifiers and the given destination address if authentication is given.

Method and apparatus for port sweep detection in a network is described. In one example, log data is obtained for a period of time. The log data is associated with a plurality of devices in the network. The log data is processed to identify connection requests from a source key for a port at a number of target internet protocol (IP) addresses. An alarm is generated if the number of target IP addresses associated with the connection requests from the source key exceeds a threshold.

In order to easily set IP addresses required for communicating with apparatuses connected to a network, an MHP includes a port scan unit for acquiring, by port scanning, an IP address of a server having a predetermined port open from one of the servers connected to the network, and a network environment storage part for storing a set of acquired IP address and a port number of the predetermined port.

The invention provides a network asset identification method and device, a medium and equipment. The network asset identification method comprises the following steps: acquiring an IP address list ofa target local area network; determining a survival host in the target local area network according to the IP address in the IP address list; performing full-port scanning on the survival host, and determining a survival port on the survival host; obtaining parameter information of the survival host, and obtaining parameter information of a corresponding survival port on the survival host; and adding the parameter information of the survival host and the parameter information of the survivalport on the survival host to a first network asset list corresponding to the target local area network.Through the first network asset list corresponding to the target local area network, network operation and maintenance personnel can conveniently manage the network assets in the target local area network.

A system for controlling abnormal traffic based on a fuzzy logic includes: an intrusion detection module for analyzing packets incoming from a network interface by means of a membership function defined based on a specific period of time, and outputting a fuzzy value representing a degree of a port scan attack; a fuzzy control module for recognizing the degree of the port scan attack based on the fuzzy value and outputting a control signal for traffic control according to the recognized degree of the port scan attack; and an intrusion blocking module for receiving the control signal and controlling the traffic with the network interface.

The invention relate to an apparatus and a method for monitoring all printers in an enterprise. The method includes for each transaction, authenticating a customer associated with the enterprise and obtaining a session ticket. The method also includes executing a printer list fetcher for downloading a list of in-service printer and print scan load frequency for each location with in the enterprise and executing a scheduler for implementing different categories of scans. The method further includes executing a network scan on a computer network to obtain information for all printers attached to the computer network, executing a local scan on each computer that is attached to a non-network printer to obtain information for all non-network printers in the enterprise and executing a port scan to obtain information for all non-catalogued printers. The method also includes compiling all scanned information, obtained from executing the network scan, the local scan and the port scan, in a file and dispatching the file to an external server and using the file in the external server to provide printer status information and usages for each printer in the enterprise.

The invention relate to an apparatus and a method for determining printer usage of all printers in an enterprise to generate accurate sales proposals. The method includes assigning an account for the enterprise and executing a network scan on a computer network to obtain information for all printers attached to the computer network. The method also includes executing a local scan on each computer that is attached to a non-network printer to obtain information for all non-network printers in the enterprise and executing a port scan to obtain information for all non-catalogued printers. The method further includes storing all of the information obtained from executing the network scan, the local scan and the port scan and performing each of the steps above at least during two predetermined times. The method also includes using the information to generate sales proposals for all printer usage within the enterprise.

The invention provides a port scanning attack detection method and device and electronic equipment. The method is applied to safety protection equipment, and the method comprises the following steps: receiving a to-be-detected SYN message and an SYN_ACK message corresponding to the SYN message; counting a first number of the received SYN messages; counting the second number of the received SYN_ACK messages corresponding to the SYN message; detecting whether a difference value between the first number and the second number reaches a preset threshold value or not; and if yes, determining that the port scanning attack behavior exists. According to the method and the device, under the condition of ultra-large flow, a normal TCP connection establishment process can be prevented from being misjudged as the port scanning attack, so the accuracy of port scanning attack detection is improved.

A system for data communications comprising a port scan detector configured to receive port access requests from a plurality of ports and to determine whether a port scan by a hostile device is in progress. A decoy port system configured to open a designated decoy port if the port scan detector determines that the port scan by a hostile device is in progress. A data packet hash manager configured to read a series of hash data fields in a corresponding series of data packets and to generate a flag if a sending device is not operating a hash increment system. An encapsulated artificial intelligence system configured to receive the flag and to monitor data communications from the sending device to determine whether the data communications are consistent with a levelling algorithm. An offensive code system configured to implant offensive code in the sending device and to control operation of the sending device if the sending device is the hostile device, if the sending device is not operating the has increment system and if the data communications are not consistent with the levelling algorithm.

The embodiment of the invention provides a method and a device for monitoring abnormal connection and scanning behaviors of a server. The method comprises: capturing network session data of a centralswitch; storing the network session data in a distributed database in the form of data records, wherein one data record corresponding to one request or confirmation; extracting behavior data of each IP from data records in the distributed database, wherein the behavior data comprises each connection behavior frequency, IP scanning frequency and port scanning frequency; judging abnormal behaviors of each IP based on the behavior data, wherein the abnormal behaviors comprise abnormal semi-connection, abnormal active connection, abnormal passive connection, abnormal IP scanning and abnormal portscanning; and displaying the abnormal behavior of each IP. According to the method and the device provided by the embodiment of the invention, a large amount of network session data can be processed,the network abnormal behavior is updated in real time, and the network abnormal behavior monitoring efficiency is improved.

The invention relates to the industrial control system network information safety field, and discloses a self-learning-based safety detection method for an OPC Classic protocol. The flow of the method includes the steps: detecting whether port scanning is being operated in the network of an OPC client, wherein if not, the data is filtered through access control and if so, the data is filtered through access control and an anomaly flow detection model which is generated through self-learning; transmitting the filtered data to an OPC server; and performing safety detection through the anomaly flow detection model which is generated through self-learning and access control. Therefore, a more reliable detection method is provided for stabilization and safety of connection of the OPC Classic protocol, and the safety for OPC communication is maximumly guaranteed.

The invention discloses a network anomaly detection method based on traffic data sample statistics and balanced information entropy estimation. The invention belongs to the technical field of networksecurity, comprises the steps of flow data collection, data format unification, data feature analysis and network anomaly determination, and is a detection method for estimating the overall situationby using a balance method of the sample information entropy based on network traffic small sample data features to identify the DoS and Port Scan attack rejection in the network.

A method for detecting a scan in network connections, each connection to a respective destination determined by a destination key and a destination parameter. For each of the connections, an active-connection entry is logged in a first table. The active-connection entry includes the destination key and the destination parameter. For each destination key entered in the first table, each active-connection entry is counted by: (i) entering in a second table a new-connection entry including the destination key, and (ii) assigning to the new-connection entry a use value; the use value equals a number of the active-connection entries with the destination key. A scan event is generated when the use value exceeds a previously determined new-connection-threshold. If the scan is an “address scan”, the destination key is a destination port and the destination parameter is a destination address (IP); and if the scan is a “port scan” then the destination key is a destination address and the destination parameter is a destination port.

The embodiment of the invention provides a port scanning method and device so as to reduce scanning misinformation. According to the port scanning method, ports are scanned in two times, the first time of scanning is pre-scanning, in the pre-scanning process, all the ports of IP addresses are not scanned one by one, a target service port is scanned according to a pre-scanning port list, and a pre-scanning result indicating whether the target service port is opened or not is obtained. And then, the exclusion list is updated according to the pre-scanning result, and the second scanning carried out after the exclusion list is updated is formal scanning. Due to the fact that the IP addresses and the network segments in the exclusion list are pre-judged, the IP addresses and the network segments which are misreported at a large probability cannot be scanned in formal scanning, misreporting of formal scanning can be reduced, and the scanning efficiency and accuracy are guaranteed.

The invention discloses a honeypot attacker tracing method based on TCP/UDP transparent proxys. The honeypot attacker tracing method comprises the following steps that a service party trap node forwards traffic; the service party trap node dynamically realizes virtual IP simulation; a trap node port achieves scanning and monitoring; the transparent proxy node forwards TCP/UPD traffic; corresponding node positioning is realized through traffic under a multi-forwarding-node scene. According to the method, head information of a transport layer protocol is read at a transparent proxy, attack traffic tracing is achieved, attack traffic is transparently forwarded to a real honeypot service through a real IP of an attacker, and correct request analysis and response of an application layer are achieved; the proxy layer is realized based on TCP/UDP, so that honeypots of all TCP/UDP protocol types are supported.