| With the rapid development of information technology, information security faces unprecedented challenges, and Internet security has attracted increasing attention. Among complex network intrusion behaviors, port scanning, in which attackers probe the ports of a target network or host to gather intelligence for further attacks, tends to be the first step of an attacker's actions. Detecting scanning behavior on network ports is therefore significant for protecting the target network or host: it can discover potential risks and attackers and provide warning for the protected system, and it also has a variety of applications in honeypot systems, electronic evidence and other fields. Traditional port scan detection systems are mostly based on a simple time-window threshold mechanism. With the development of scanning technology, however, it is very easy for experienced attackers to escape this detection mechanism. Researchers have proposed new detection algorithms based on more precise rules, probability and statistics, abnormal flow analysis, and even visualization, but there is no universal detection algorithm that can be applied to every practical environment and provide better detection performance at the same time.
Building on research into detection algorithms based on sequential hypothesis testing, this article proposes an optimized scheme based on the original algorithm, taking into account the practical application environment of the detection system. It applies Dempster-Shafer evidence theory to fuse the results of the sequential-hypothesis-testing algorithm with the results of a detection algorithm based on port distribution characteristics. The fused result is used as the port scan detection model in the actual system, aiming to improve the detection rate for port scanning in a real network environment while keeping the false positive rate within a reasonable range. |
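
The fusion step described above, sketched as an added example (not the paper's own code): a sequential-hypothesis-test likelihood ratio and a port-distribution score are each turned into a Dempster-Shafer mass function and combined with Dempster's rule. The success probabilities, reliability weights, equal-prior mapping from ratio to probability, and all function names are assumptions made for illustration.

```python
from itertools import product

SCAN, BENIGN = frozenset({"scan"}), frozenset({"benign"})
THETA = SCAN | BENIGN  # the whole frame: "cannot tell"

def sht_likelihood_ratio(outcomes, p_ok_benign=0.8, p_ok_scan=0.2):
    """Sequential-hypothesis-test ratio over one source's connection attempts.
    outcomes: iterable of bool, True = connection succeeded.
    Both success probabilities are assumed values, not taken from the paper."""
    ratio = 1.0
    for ok in outcomes:
        if ok:
            ratio *= p_ok_scan / p_ok_benign
        else:
            ratio *= (1 - p_ok_scan) / (1 - p_ok_benign)
    return ratio

def to_mass(p_scan, reliability):
    """Discount a detector's scan probability by its reliability; the rest
    goes to THETA (ignorance). This mapping is an assumption."""
    return {SCAN: reliability * p_scan,
            BENIGN: reliability * (1 - p_scan),
            THETA: 1 - reliability}

def combine(m1, m2):
    """Dempster's rule: multiply masses, keep non-empty intersections,
    renormalise by 1 - K, where K is the conflicting mass."""
    fused, conflict = {}, 0.0
    for (a, x), (b, y) in product(m1.items(), m2.items()):
        if a & b:
            fused[a & b] = fused.get(a & b, 0.0) + x * y
        else:
            conflict += x * y
    if conflict > 1 - 1e-12:
        raise ValueError("sources are in total conflict")
    return {k: v / (1 - conflict) for k, v in fused.items()}, conflict

def fuse_detectors(outcomes, port_score, rel_sht=0.9, rel_port=0.6):
    """port_score in [0, 1] stands in for the port-distribution detector."""
    ratio = sht_likelihood_ratio(outcomes)
    m_sht = to_mass(ratio / (1 + ratio), rel_sht)  # equal priors assumed
    m_port = to_mass(port_score, rel_port)
    return combine(m_sht, m_port)

if __name__ == "__main__":
    # Constructed sample: one source, four connection attempts, three failed.
    fused, k = fuse_detectors([False, False, True, False], port_score=0.7)
    print({"/".join(sorted(s)): round(v, 4) for s, v in fused.items()}, round(k, 4))
```

When the two detectors agree, the fused belief in "scan" is higher than either detector's alone, and the conflict value K shows how strongly they disagreed; a high K is a reason to distrust the fused verdict.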