A HONEYPOT-BASED DEGREE STATISTICS METHOD FOR SCANS DETECTION
One of the difficulties a network scan detection system must face is how to identify a scan source in a mix of normal and abnormal traffic. In this paper, we first use modified low-interaction honeypots to collect purely abnormal scan traffic, which avoids the scan source identification procedure. Second, on the basis of this dataset, we consider the scan detection problem from the viewpoint of a network. A 3-layer scan detection network is constructed in which the nodes of the layers are Source-IP, Destination-IP and Resource (the pair of destination port and protocol), and the links are the scan access connections between nodes. The scan detection network has the useful properties of being layered and single-directional. A degree statistics method is put forward to grade the importance of the nodes of the scan detection network and to give proper warnings. By applying the degree statistics method to the honeypot dataset, we can focus on studying the behavior of scan sources and highlight what is really worth noticing and warning about, instead of stopping at the step of deciding whether a source is a scanner or not. Our method enriches the statistical information available for scan detection and can effectively reduce warning false positives compared to previous works.
Scan detection; Honeypot; Degree
LI-BO MA, HAI-XIN DUAN, QUANG-ANH TRAN, XING LI
Department of Electronic Engineering, Tsinghua University, Beijing 100084, China; Research Center of Information and Network Engineering, Tsinghua University, Beijing 100084, China; Department of Electronic Engineering, Tsinghua University, Beijing 100084, China; Research Center of
International conference
2006 International Conference on Machine Learning and Cybernetics (IEEE 5th Machine Learning and Cybernetics Forum)
Dalian
English
2743-2748
2006-08-13 (date first posted online on the Wanfang platform; does not represent the paper's publication date)