
Analysis Of Port Scanning Behavior Based On IBR Traffic

Posted on: 2023-01-28
Degree: Master
Type: Thesis
Country: China
Candidate: Z C Zhu
Full Text: PDF
GTID: 2568307061950629
Subject: Cyberspace security

Abstract/Summary:
Network scanning is a ubiquitous phenomenon on the Internet, produced by scanning behaviors with many different intentions. Most scanning is not malicious: examples include measurement studies for specific research projects, service discovery by cyberspace search-engine providers, routine inspections by network security and regulatory agencies, and even students in related fields trying scanning out for practice. However, scanning is also an important step in many malicious activities on the Internet, such as botnet propagation and the discovery of exploitable targets. Internet Background Radiation (IBR) traffic is unsolicited one-way traffic. Studies have shown that IBR traffic contains a large amount of scanning traffic, which makes it an ideal data source for scanning research.

This thesis takes the IBR traffic captured at the network boundary of the CERNET Nanjing main node as its data source and studies Internet scanning traffic from the perspective of scanning behavior. The research results are as follows:

1) An extensible library of recognition automata for UDP application request messages is established; it currently supports recognition of 20 common UDP application request messages. Experiments show that the UDP scanning traffic recognized so far accounts for more than 90% of the UDP traffic.

2) The concept of a scan event is proposed. In essence, it groups scanning traffic by source address, relying on the basic assumption that the source address of a scan packet is genuine. Experiments at the network boundary of the CERNET Nanjing main node show that this method reduces the roughly 2 billion daily scan packets (UDP and TCP) to about 500,000 scan events, with an average of 40 million scan packets per scan event, and that more than 95% of the scan traffic can be attributed to scan events.

3) To study scan events further, five attributes are proposed to characterize them: Scan_event_capacity, Scan_event_scale, Scan_event_protocol, Scan_event_port and Scan_event_department. Based on these attributes, an algorithm for obtaining the set of source addresses used by scanning institutions is designed, and a total of 4538 genuine scanning source addresses belonging to 18 legitimate institutions, such as Censys and Shodan, are identified. This indicates that most scanning traffic is non-malicious.

4) An abnormal scan event detection algorithm based on DBSCAN is designed. Using the scan event attributes, anomaly detection is performed on the scan events that remain after the institutional scan events have been filtered out. Experiments show that the algorithm detects about 100 abnormal scan events per day. Using the packet payloads of these abnormal scan events together with threat-intelligence platform information, some of them were manually confirmed to exhibit clearly malicious behavior.

5) A scanning behavior analysis and publishing system is designed and implemented. The scan traffic publishing component anonymizes the network addresses with the Crypto-PAn algorithm and then publishes the traffic to the IPTAS platform (www.iptas.edu.cn). The scanning behavior analysis component performs statistical analysis on the attributes of scan events, institutional scan events and abnormal scan events, stores the results in a database, and displays them in a browser-based interface.
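The scan-event grouping (result 2), the attribute computation (result 3) and the DBSCAN-based anomaly step after filtering institutional scanners (result 4), shown as an added illustration that is not the thesis's own code. The attribute definitions (capacity = packet count, scale = distinct targets, protocol = distinct protocols, port = distinct destination ports, department = membership in a known-institution address set), the allow-list and the packet sample are all assumptions constructed for this example.

```python
from collections import defaultdict
from math import log2, dist

# Constructed sample of IBR packets as (src_ip, dst_ip, proto, dst_port); not real data.
PACKETS = (
    # a known-institution scanner sweeping one port across many hosts
    [("198.51.100.7", f"203.0.113.{i}", "tcp", 22) for i in range(1, 41)]
    # four look-alike ordinary scanners: 25 hosts, one port each
    + [(f"192.0.2.{s}", f"203.0.113.{i}", "tcp", 80) for s in (1, 2, 3, 4) for i in range(1, 26)]
    # an odd scanner: many ports on a handful of hosts
    + [("192.0.2.99", f"203.0.113.{i}", "tcp", p) for i in (5, 6, 7) for p in range(1000, 1030)]
)
# Assumed stand-in for the thesis's institution source-address set (Censys, Shodan, ...).
KNOWN_INSTITUTIONS = {"198.51.100.7"}

def build_scan_events(packets):
    """Group packets by source address (assumed genuine) and compute the five attributes."""
    raw = defaultdict(lambda: {"pkts": 0, "dsts": set(), "protos": set(), "ports": set()})
    for src, dst, proto, port in packets:
        e = raw[src]
        e["pkts"] += 1
        e["dsts"].add(dst); e["protos"].add(proto); e["ports"].add(port)
    return {src: {"capacity": e["pkts"], "scale": len(e["dsts"]), "protocol": len(e["protos"]),
                  "port": len(e["ports"]), "department": src in KNOWN_INSTITUTIONS}
            for src, e in raw.items()}

def dbscan_noise(points, eps, min_pts):
    """Minimal DBSCAN; returns indices of noise points (reachable from no core point)."""
    n = len(points)
    nbrs = [{j for j in range(n) if dist(points[i], points[j]) <= eps} for i in range(n)]
    reachable = set()
    for i in range(n):
        if len(nbrs[i]) >= min_pts:      # core point: it and its neighbours join a cluster
            reachable |= nbrs[i]
    return set(range(n)) - reachable

def detect_abnormal_events(events, eps=1.0, min_pts=3):
    """Filter out institution events, embed the rest by log-scaled attributes, flag DBSCAN noise."""
    srcs = [s for s, a in events.items() if not a["department"]]
    feats = [(log2(events[s]["capacity"]), log2(events[s]["scale"]), log2(events[s]["port"]))
             for s in srcs]
    return sorted(srcs[i] for i in dbscan_noise(feats, eps, min_pts))

if __name__ == "__main__":
    print(detect_abnormal_events(build_scan_events(PACKETS)))   # ['192.0.2.99']
```

The four ordinary scanners form one dense cluster in attribute space, the institutional scanner is excluded before clustering, and the port-heavy scanner is left as DBSCAN noise, which is the "abnormal scan event" role the thesis describes.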
Keywords/Search Tags: Internet background radiation traffic, scan, anomaly detection, scan events