CN105763573A - TAPS optimizing method for reducing false drop rate of WEB server - Google Patents

TAPS optimizing method for reducing false drop rate of WEB server

Info

Publication number
CN105763573A
CN105763573A (application CN201610297845.0A)
Authority
CN
China
Prior art keywords
web server
scanner unit
taps
main frame
detected
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610297845.0A
Other languages
Chinese (zh)
Inventor
玄世昌
杨武
王巍
苘大鹏
童心
刘畅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Engineering University
Original Assignee
Harbin Engineering University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2016-05-06
Filing date
2016-05-06
Publication date
2016-07-13
2016-05-06 Application filed by Harbin Engineering University
2016-05-06 Priority to CN201610297845.0A
2016-07-13 Publication of CN105763573A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a TAPS optimization method for reducing the rate at which WEB servers are falsely flagged as scanners (the "false drop rate", i.e. the false-positive rate). The method first calculates, for each host under examination, the ratio (or inverse ratio) of destination IP addresses to destination ports and compares it with a threshold; in each of the two resulting cases it updates the rate value of the source IP address, compares the rate value with thresholds, and extracts a set of suspected scanners; finally it screens WEB servers out of the suspected-scanner set to obtain a new scanner set. The method mainly addresses the problem that the existing TAPS method can mistake a WEB server for a scanning host. Experiments confirm that the TAPS method does mistake WEB servers for scanning hosts, and that the present method detects those WEB servers quickly, so the false-positive rate is reduced.

Description

A TAPS optimization method for reducing the WEB server false-positive rate
Technical field
The invention relates to a network scan detection method, and specifically to a TAPS optimization method that reduces the rate at which WEB servers are falsely flagged as scanners (the "false drop rate", i.e. the false-positive rate).
Background technology
As defences have grown stronger, network scanning techniques have become more diverse, and traditional, simple, low-level TCP port-scan detection no longer meets requirements: it has difficulty detecting scanning behaviour correctly and efficiently. A deeper comparative analysis of traffic and packet features under normal operation versus during scanning is therefore needed. Port-scan detection is, however, disturbed by normal network behaviour, so false positives still occur. Improving the accuracy of port-scan detection and reducing its false-positive rate has thus become particularly important.
The current TAPS method also has a very common shortcoming: a large number of false positives appear among the detected IP addresses, and analysis of the falsely flagged addresses shows that many of them are WEB servers mistaken for scanning hosts. In most cases a WEB server is accessed by only a small number of clients, so the number of destination IP addresses seen from the server is small. At the same time, most clients' browsers open several concurrent connections from multiple source ports when visiting a site, so the number of destination ports seen from the server is large. The ratio of destination ports to destination IP addresses is therefore very high, and many WEB servers are misidentified as scanners.
Summary of the invention
The object of the invention is to provide a TAPS optimization method that reduces the WEB server false-positive rate by correctly detecting WEB servers.
The object of the invention is achieved as follows:
First, calculate the ratio (or inverse ratio) of IP addresses to ports for the host under examination and compare it with a threshold; in each of the two resulting cases, update the rate value of each source IP address, then compare the rate value with thresholds and extract the set of suspected scanners; finally, screen WEB servers out of the suspected-scanner set to obtain a new scanner set.
The invention may further comprise:
1. Extracting the suspected-scanner set specifically comprises: if either of the two ratios exceeds the threshold, calculate the conditional probability under the hypothesis that the host is a scanner and update the rate value of the source host, the formula being the conditional probability under the scanner hypothesis multiplied by the previous rate value; if both are less than or equal to the threshold, calculate the conditional probability under the hypothesis that the host is benign and update the rate value of the source host, the formula being the conditional probability under the benign-host hypothesis multiplied by the previous rate value.
2. Screening out WEB servers specifically comprises: first, determine whether over a period of time the host's inbound connection count is far larger than its outbound connection count, and if so proceed to the next judgement; then determine whether the times at which multiple IP addresses access the host show a certain regularity, and if so proceed to the next judgement; finally, determine whether the host communicates on only a small, fixed number of ports, and if so treat it as a WEB server and remove it, giving the new scanner set.
Compared with the prior art, the invention has the following beneficial effects:
It addresses the fact that the existing TAPS method can mistake WEB servers for scanning hosts by combining TAPS with WEB-server detection: WEB servers are screened out of the suspected-scanner set to obtain a new scanner set. Experiments show that the TAPS method does mistake WEB servers for scanning hosts, and that the invention correctly detects those WEB servers, thereby reducing the false-positive rate.
Accompanying drawing explanation
Fig. 1 is a flow diagram of the TAPS method.
Fig. 2 is a block diagram of the TAPS optimization method for reducing the WEB server false-positive rate.
Fig. 3 compares the experimental results of the TAPS method and of the present invention.
Detailed description of the invention
The invention is described in detail below with reference to a specific embodiment.
The TAPS optimization method for reducing the WEB server false-positive rate specifically comprises the following steps:
Step 1: extract the set of suspected scanners;
Step 2: screen out WEB servers.
Step 1 mainly comprises the following steps:
Step 11: over a period of time, calculate the ratio (or inverse ratio) of the number of destination IP addresses to the number of destination ports for the host under examination.
Step 12: compare the ratio with a threshold. If either the ratio or its inverse exceeds the threshold, calculate the conditional probability under the hypothesis that the host is a scanner and update the source host's rate value, the formula being the conditional probability under the scanner hypothesis multiplied by the previous rate value. If both are less than or equal to the threshold, calculate the conditional probability under the hypothesis that the host is benign and update the source host's rate value, the formula being the conditional probability under the benign-host hypothesis multiplied by the previous rate value. (The rate value is thus the running product of conditional probabilities used by the sequential test.)
Step 13: compare the rate value with the thresholds. If the rate value is greater than η1, add the IP address to the scanner list; if it is less than η0, delete the IP address. η0 and η1 are constants: η0 is 0.01 and η1 is 99.
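The following Python is an added example, not code from the patent and not the TAPS authors' implementation. It carries steps 11 to 13 through on constructed per-minute traffic for three sources: a vertical scanner, a WEB server whose replies to two clients fan out over many ephemeral ports, and an ordinary client. Only η0 = 0.01 and η1 = 99 come from the text; the ratio threshold K and the two per-bin probabilities THETA0 and THETA1 are assumptions. The update multiplies the running rate value by the conditional probability of the bin's observation under the scanner hypothesis divided by that under the benign hypothesis, which is the usual sequential-test form of the "conditional probability times previous value" rule.

```python
"""TAPS-style scanner detection with a sequential test (steps 11-13).

Added example, not the patent's code. K, THETA0 and THETA1 are assumed
values; ETA0 and ETA1 are the constants the description gives.
"""
from collections import defaultdict
from dataclasses import dataclass

K = 2.0        # assumed: IP:port ratio (or its inverse) above this is scan-like
THETA0 = 0.2   # assumed: P[scan-like bin | benign host]
THETA1 = 0.8   # assumed: P[scan-like bin | scanner]
ETA0 = 0.01    # from the patent: below this the source is dropped as benign
ETA1 = 99.0    # from the patent: above this the source joins the scanner list


@dataclass
class SourceState:
    rate: float = 1.0          # the running "rate value" of the sequential test
    verdict: str = "undecided"


def bin_evidence(dst_ips, dst_ports):
    """Steps 11-12: True when |dst IPs| / |dst ports| or its inverse exceeds K."""
    n_ip, n_port = len(dst_ips), len(dst_ports)
    if n_ip == 0 or n_port == 0:
        return False
    r = n_ip / n_port
    return r > K or (1.0 / r) > K


def update(state, scan_like):
    """Steps 12-13: multiply the rate value by the likelihood ratio of this
    observation, then compare it with ETA0 and ETA1."""
    if state.verdict != "undecided":
        return state
    if scan_like:
        state.rate *= THETA1 / THETA0
    else:
        state.rate *= (1 - THETA1) / (1 - THETA0)
    if state.rate > ETA1:
        state.verdict = "scanner"
    elif state.rate < ETA0:
        state.verdict = "benign"
    return state


def run_taps(flows, bin_seconds=60):
    """flows: iterable of (timestamp, src, dst_ip, dst_port) TCP packets/connections.
    Returns {src: verdict} after processing the bins in time order."""
    bins = defaultdict(lambda: (set(), set()))
    for ts, src, dip, dport in flows:
        ips, ports = bins[(src, int(ts // bin_seconds))]
        ips.add(dip)
        ports.add(dport)
    states = defaultdict(SourceState)
    for src, b in sorted(bins):
        ips, ports = bins[(src, b)]
        update(states[src], bin_evidence(ips, ports))
    return {src: st.verdict for src, st in states.items()}


def constructed_flows():
    """Constructed sample traffic (not captured data): five one-minute bins."""
    flows = []
    for b in range(5):
        t = b * 60 + 1
        # vertical scanner: one target, 40 ports per minute
        for p in range(1, 41):
            flows.append((t, "10.0.0.5", "10.0.1.9", p))
        # WEB server replying to 2 clients on 30 ephemeral ports each
        for c, client in enumerate(("10.0.2.11", "10.0.2.12")):
            for p in range(30):
                flows.append((t, "10.0.0.80", client, 50000 + 100 * c + p))
        # ordinary client: 3 servers, ports 80 and 443 only
        for dip in ("10.0.3.1", "10.0.3.2", "10.0.3.3"):
            flows.append((t, "10.0.0.20", dip, 80))
            flows.append((t, "10.0.0.20", dip, 443))
    return flows


if __name__ == "__main__":
    print(run_taps(constructed_flows()))
```

With these assumptions the scanner and the WEB server are both declared scanners after four bins (1 × 4⁴ = 256 > 99), while the client drops out as benign (0.25⁴ < 0.01). The WEB server verdict is exactly the false positive the description is about: seen from the server, two destination IPs against sixty destination ports is indistinguishable from a vertical scan.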
Step 2 mainly comprises the following steps:
Step 21: take the packets of the host under examination over a period of time and analyse them to obtain the inbound and outbound connection counts for that period; compare their ratio with a set threshold, and if it exceeds the threshold proceed to step 22.
Step 22: check whether the host's daily connection count is roughly the same from day to day. A percentage threshold for the difference is set; when the connection counts of two days differ by less than the threshold, the host's daily connection count is regarded as essentially the same, and the method proceeds to step 23.
Step 23: divide each day into 24 periods and, at each hour mark, record the cumulative connection count of that day up to the current time; then compute the standard deviation of these cumulative totals over the hour marks up to the current time. If the standard deviations at the same hour on different days differ by less than a threshold, proceed to step 24.
Step 24: compare the host's inbound connection count over the period with the number of communication ports it uses; if the ratio exceeds a threshold, the host is a WEB server. The scanner set with the WEB servers removed is the final detection result.
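The Python below is an added example, not the patent's code, that runs the four checks of steps 21 to 24 over constructed three-day connection records for one WEB server and one scanner and then removes the WEB server from a suspected-scanner set. The description names the checks but gives no numbers, so all four thresholds (IO_RATIO, DAY_DIFF, STD_DIFF, PORT_RATIO) are assumed; step 23 is evaluated with the standard deviation of the full 24-hour cumulative series of each day, a simplification of the "at the same hour" comparison in the text.

```python
"""WEB-server screening of a suspected-scanner set (steps 21-24).

Added example, not the patent's code. Records are constructed
(day, hour, 'in'|'out', peer_ip, local_port) tuples; every threshold
below is an assumed value.
"""
from collections import Counter, defaultdict
from statistics import pstdev

IO_RATIO = 5.0     # step 21 (assumed): inbound/outbound connections must exceed this
DAY_DIFF = 0.2     # step 22 (assumed): consecutive daily totals may differ by at most 20 %
STD_DIFF = 0.2     # step 23 (assumed): per-day std devs may differ by at most 20 %
PORT_RATIO = 50.0  # step 24 (assumed): inbound connections per distinct local port


def hourly_cumulative(hours):
    """Cumulative connection total at each of the 24 hour marks of one day."""
    per_hour = Counter(hours)
    total, series = 0, []
    for h in range(24):
        total += per_hour[h]
        series.append(total)
    return series


def is_web_server(records):
    """records: connection tuples for one host.
    Returns (True, None) for a WEB server, else (False, failing_step)."""
    inbound = [r for r in records if r[2] == "in"]
    outbound = [r for r in records if r[2] == "out"]
    # step 21: far more inbound than outbound connections
    if len(inbound) <= IO_RATIO * max(len(outbound), 1):
        return False, 21
    by_day = defaultdict(list)
    for day, hour, _, _, _ in inbound:
        by_day[day].append(hour)
    days = sorted(by_day)
    if len(days) < 2:           # day-to-day regularity needs at least two days
        return False, 22
    # step 22: consecutive days carry roughly the same number of connections
    totals = [len(by_day[d]) for d in days]
    for a, b in zip(totals, totals[1:]):
        if abs(a - b) > DAY_DIFF * max(a, b):
            return False, 22
    # step 23: the within-day shape (std dev of hourly cumulative totals) repeats
    stds = [pstdev(hourly_cumulative(by_day[d])) for d in days]
    if max(stds) - min(stds) > STD_DIFF * max(stds):
        return False, 23
    # step 24: many inbound connections concentrated on a few local ports
    ports = {r[4] for r in inbound}
    if len(inbound) / len(ports) <= PORT_RATIO:
        return False, 24
    return True, None


def screen_scanner_set(suspects, records_by_host):
    """Drop every suspected scanner that the four checks classify as a WEB server."""
    return sorted(h for h in suspects
                  if not is_web_server(records_by_host.get(h, []))[0])


PROFILE = [2, 1, 1, 1, 1, 2, 4, 8, 14, 18, 20, 22,
           20, 21, 19, 17, 15, 12, 10, 8, 6, 4, 3, 2]   # inbound connections per hour


def constructed_records():
    """Constructed three-day traffic for a WEB server and a scanner (not captured data)."""
    hosts = defaultdict(list)
    clients = ["10.0.2.%d" % i for i in range(1, 6)]
    for day in range(3):
        for hour, n in enumerate(PROFILE):
            # WEB server: the daily shape repeats with a little jitter; two service ports
            for i in range(n + (1 if (hour + day) % 3 == 0 else 0)):
                hosts["10.0.0.80"].append(
                    (day, hour, "in", clients[i % 5], 443 if i % 4 == 0 else 80))
            # scanner: a trickle of inbound SSH, outbound probes to 20 ports an hour
            hosts["10.0.0.5"].append((day, hour, "in", "10.0.3.1", 22))
            for p in range(20):
                hosts["10.0.0.5"].append((day, hour, "out", "10.0.1.9", 40000 + p))
    return hosts


if __name__ == "__main__":
    hosts = constructed_records()
    print(screen_scanner_set({"10.0.0.80", "10.0.0.5"}, hosts))
```

The scanner fails at step 21 (it originates far more connections than it receives) and stays in the set; the WEB server passes all four checks and is removed. Each check returns the step at which it failed so that a tuning run can show which threshold is doing the work.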
The effect of the invention is verified below with a specific embodiment:
(1) Experimental environment
The experiment was implemented in C under Linux; the libpcap and libnids packages must be installed.
The experimental data come from the MIT Lincoln Laboratory intrusion detection evaluation; the widely used 1999 dataset was chosen. It has two parts, a training set and a test set. The DARPA 1999 intrusion detection evaluation provides five weeks of data: the first three weeks form the training set, of which weeks 1 and 3 contain no attacks and can be used to train an intrusion detection system, while week 2 contains attacks, including some attack types from 1998 as well as new ones, mainly to provide examples of how these attacks should be reported. Weeks 4 and 5 form the test set, covering 16 September to 1 October 1999; these two weeks contain 56 attack types in total, and details of the specific attacks are provided.
(2) Experimental results and analysis
Five days of experimental data, one week, were selected; for each day the inside-network data were used, giving 5 files, each provided in tcpdump format. The tcpdump files were converted to pcap files, and the TCP packets were extracted for subsequent analysis.
There are 34 real scanning source IP addresses. Detection results are judged by detection rate and false-positive rate: the detection rate is the ratio of correctly detected results to the real number of attacking addresses, and the false-positive rate is the ratio of falsely flagged IP addresses to the detected suspected-scanner set.
The TAPS method detected 31 scanner IP addresses in total, of which 6 were false positives. The detection rate is therefore 25/34 = 73.5% and the false-positive rate 6/(6+25) = 19.3%.
The suspected-scanner set detected by TAPS was then analysed further: the 31 IP addresses were subjected to WEB-server detection, which found 3 WEB servers. Removing them, the false-positive rate becomes 3/(3+25) = 10.7% (the remaining 3 false positives are hosts other than WEB servers). The experiment thus confirms that the false-positive rate is indeed reduced.

Claims (3)

1. A TAPS optimization method for reducing the WEB server false-positive rate, characterized in that: first, the ratio (or inverse ratio) of IP addresses to ports for the host under examination is calculated and compared with a threshold; in each of the two resulting cases the rate value of each source IP address is updated; the rate value is then compared with thresholds and the set of suspected scanners is extracted; finally, WEB servers are screened out of the suspected-scanner set to obtain a new scanner set.
2. The TAPS optimization method for reducing the WEB server false-positive rate according to claim 1, characterized in that extracting the suspected-scanner set specifically comprises: if either of the two ratios exceeds the threshold, calculating the conditional probability under the hypothesis that the host is a scanner and updating the rate value of the source host, the formula being the conditional probability under the scanner hypothesis multiplied by the previous rate value; if both are less than or equal to the threshold, calculating the conditional probability under the hypothesis that the host is benign and updating the rate value of the source host, the formula being the conditional probability under the benign-host hypothesis multiplied by the previous rate value.
3. The TAPS optimization method for reducing the WEB server false-positive rate according to claim 1 or 2, characterized in that screening out WEB servers specifically comprises: first, determining whether over a period of time the host's inbound connection count is far larger than its outbound connection count, and if so proceeding to the next judgement; then determining whether the times at which multiple IP addresses access the host show a certain regularity, and if so proceeding to the next judgement; finally, determining whether the host communicates on only a small, fixed number of ports, and if so treating it as a WEB server and removing it, giving the new scanner set.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610297845.0A CN105763573A (en) 2016-05-06 2016-05-06 TAPS optimizing method for reducing false drop rate of WEB server

Publications (1)

Publication Number Publication Date
CN105763573A true CN105763573A (en) 2016-07-13

Family

ID=56323579

Country Status (1)

Country Link
CN (1) CN105763573A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6237032B1 (en) * 1998-09-30 2001-05-22 Hewlett-Packard Company Network scan server ready state recovery method
CN1838588A (en) * 2006-04-26 2006-09-27 南京大学 Invasion detecting method and system based on high-speed network data processing platform
US20080295172A1 (en) * 2007-05-22 2008-11-27 Khushboo Bohacek Method, system and computer-readable media for reducing undesired intrusion alarms in electronic communications systems and networks
CN101589595A (en) * 2007-01-23 2009-11-25 阿尔卡特朗讯公司 A containment mechanism for potentially contaminated end systems
US7908655B1 (en) * 2005-08-16 2011-03-15 Sprint Communications Company L.P. Connectionless port scan detection on a network
CN104836702A (en) * 2015-05-06 2015-08-12 华中科技大学 Host network abnormal behavior detection and classification method under large flow environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
AVINASH SRIDHARAN et al.: "Connectionless port scan detection on the backbone", 2006 IEEE International Performance Computing and Communications Conference *
WEIJIE WANG et al.: "Detecting Subtle Port Scans Through Characteristics Based on Interactive Visualization", RIIT '14: Proceedings of the 3rd Annual Conference on Research in Information Technology *

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2016-07-13