CN105763573A - TAPS optimizing method for reducing false drop rate of WEB server - Google Patents
TAPS optimizing method for reducing false drop rate of WEB server
- Publication number: CN105763573A (application CN201610297845.0A)
- Authority: CN (China)
- Prior art keywords: web server, scanner unit, taps, main frame, detected
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The invention provides a TAPS optimization method for reducing the false drop (false positive) rate of WEB servers. First, the ratio, or its inverse, of the number of destination IP addresses to the number of destination ports of each host to be detected is calculated and compared with a threshold; the rate value of each source IP address is then updated according to which of the two cases applies, the rate value is compared with a threshold, and a set of suspected scanners is extracted. Finally, WEB servers are screened out of the suspected-scanner set, giving a new scanner set. The method mainly addresses the problem that the existing TAPS method mistakes WEB servers for scanning hosts. Experiments confirm that the TAPS method does mistake WEB servers for scanning hosts, and that the proposed method detects WEB servers quickly, so the false drop rate is reduced.
Description
Technical field
The present invention relates to a network scan detection method, specifically a TAPS optimization method that reduces the false drop rate for WEB servers.
Background technology
As defenses grow stronger, network scanning methods become increasingly diverse. Traditional, simple, low-level TCP scan detection techniques no longer meet the requirements and cannot detect TCP scanning behaviour correctly and efficiently, so a deeper comparative analysis is needed of the traffic and packet characteristics of normal network traffic against those observed while scanning takes place. However, port scan detection is disturbed by normal network behaviour, and false positives occur. Improving the accuracy of port scan detection and reducing its false drop rate has therefore become particularly important.
The current TAPS method also has a very common shortcoming: among the IP addresses it detects, a large number of false positives appear, and analysis of the falsely detected IP addresses shows that many WEB servers are mistaken for scanning hosts. In most cases a WEB server is accessed by only a small number of clients, so the number of destination IP addresses seen for the WEB server is small. At the same time, most client browsers open several concurrent connections from multiple source ports when accessing a website, so the number of destination ports seen for the WEB server is large. The ratio of destination port count to destination IP address count is therefore very high, and many WEB servers are misidentified as scanners.
Summary of the invention
The object of the invention is to provide a TAPS optimization method that correctly detects WEB servers and thereby reduces the WEB server false drop rate.
The object of the present invention is achieved as follows:
First, the ratio, or its inverse, of the IP address count to the port count of the host to be detected is calculated and compared with a threshold; the rate value of each source IP address is then calculated for the two cases, the rate value is compared with a threshold, and the set of suspected scanners is extracted. Finally, WEB servers are filtered out of the suspected-scanner set to obtain a new scanner set.
The present invention can also include:
1. Extracting the set of suspected scanners specifically includes: if either of the two ratios exceeds the threshold, calculate the conditional probability under the hypothesis that the host is a scanner and update the rate value of the source host, the formula being the conditional probability under the scanner hypothesis multiplied by the previous rate value; if both ratios are less than or equal to the threshold, calculate the conditional probability under the hypothesis that the host is benign and update the rate value of the source host, the formula being the conditional probability under the benign-host hypothesis multiplied by the previous rate value.
2. Filtering out WEB servers specifically includes: first judge whether, over a period of time, the number of inbound connections of the host to be detected is far larger than the number of outbound connections; if so, make the following judgement. Then judge whether the times at which multiple IP addresses access the host to be detected show a certain regularity; if so, make the following judgement. Finally judge whether the host to be detected communicates on a fixed, very small number of ports; if so, it is a WEB server and is removed, giving a new scanner set.
Compared with prior art, the present invention has following beneficial effect:
The present invention addresses the fact that the existing TAPS method mistakes WEB servers for scanning hosts by proposing a TAPS optimization method that reduces the WEB server false drop rate: TAPS is combined with WEB server detection, WEB servers are filtered out of the suspected-scanner set, and a new scanner set is obtained. Experiments demonstrate that the TAPS method mistakes WEB servers for scanning hosts, while the present invention correctly detects WEB servers and thus reduces the false drop rate.
Accompanying drawing explanation
Fig. 1 is the flow diagram of the TAPS method.
Fig. 2 is the frame diagram of the TAPS optimization method for reducing the WEB server false drop rate.
Fig. 3 compares the experimental results of the TAPS method and of the present invention.
Detailed description of the invention
The present invention is described in detail below with reference to a specific embodiment.
The TAPS optimization method for reducing the WEB server false drop rate of the present invention specifically includes the following steps:
Step 1: extract the set of suspected scanners;
Step 2: screen for WEB servers.
Step 1 mainly comprises the following steps:
Step 11: over a period of time, calculate the ratio, or its inverse, of the number of destination IP addresses to the number of destination ports of the host to be detected.
Step 12: compare the ratios with a threshold. If either exceeds the threshold, calculate the conditional probability under the scanner hypothesis and update the rate value of the source host: the new rate value is the conditional probability under the scanner hypothesis multiplied by the previous rate value. If both are less than or equal to the threshold, calculate the conditional probability under the benign-host hypothesis and update the rate value of the source host: the new rate value is the conditional probability under the benign-host hypothesis multiplied by the previous rate value.
Step 13: compare the rate value with the thresholds. If the rate value exceeds η1, add the IP address to the scanner sequence; if it falls below η0, delete the IP address. Here η0 and η1 are constants, η0 = 0.01 and η1 = 99.
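The sequential test of steps 11 to 13 run over constructed per-window connection records, as an added Python example (not code from the patent; the patent's own experiment was written in C). η0 = 0.01 and η1 = 99 are from the page; the ratio threshold of 4, the per-window likelihoods 0.8/0.2 and the likelihood-ratio form of the update (the usual sequential hypothesis test) are assumptions. The third host reproduces the false positive the background section describes: a server answering few clients on many ports.

```python
from collections import defaultdict

# Thresholds from the page: below eta0 a host is deleted, above eta1 it is a scanner.
ETA0, ETA1 = 0.01, 99.0
# Assumed (the page gives no values): a window is "suspicious" when
# #dstIPs/#dstPorts or its inverse exceeds RATIO_THRESHOLD, and these are the
# likelihoods of each window type under the scanner / benign hypotheses.
RATIO_THRESHOLD = 4.0
P_OBS_GIVEN_SCANNER = {"suspicious": 0.8, "benign": 0.2}
P_OBS_GIVEN_BENIGN = {"suspicious": 0.2, "benign": 0.8}


def classify_window(dst_ips, dst_ports):
    """Steps 11-12: compare the destination IP count with the destination port count."""
    ips, ports = len(dst_ips), len(dst_ports)
    if ips == 0 or ports == 0:
        return "benign"
    return "suspicious" if max(ips / ports, ports / ips) > RATIO_THRESHOLD else "benign"


def taps(records, window=10):
    """Run the per-source sequential test over (time, src, dst, dport) records.

    Returns (suspected_scanners, deleted_hosts): a source whose rate value
    exceeds ETA1 joins the suspected-scanner set, one that falls below ETA0
    is deleted (declared benign) and no longer tracked (step 13).
    """
    per_src = defaultdict(lambda: defaultdict(lambda: (set(), set())))
    for t, src, dst, dport in records:
        dst_ips, dst_ports = per_src[src][t // window]
        dst_ips.add(dst)
        dst_ports.add(dport)

    scanners, deleted = set(), set()
    for src, windows in per_src.items():
        rate = 1.0  # likelihood ratio starts neutral
        for w in sorted(windows):
            obs = classify_window(*windows[w])
            rate *= P_OBS_GIVEN_SCANNER[obs] / P_OBS_GIVEN_BENIGN[obs]
            if rate > ETA1:
                scanners.add(src)
                break
            if rate < ETA0:
                deleted.add(src)
                break
    return scanners, deleted


def constructed_records():
    """Constructed sample traffic (not from the page's DARPA data): five windows."""
    recs = []
    for w in range(5):
        t = w * 10
        # Vertical scanner: one target, 20 distinct ports per window.
        recs += [(t, "10.0.0.9", "10.0.1.1", p) for p in range(1, 21)]
        # Ordinary client: two servers, one well-known port each (ratio 1).
        recs += [(t, "10.0.0.2", "10.0.1.1", 80), (t, "10.0.0.2", "10.0.1.2", 443)]
        # WEB server replying to 2 clients on 10 ephemeral ports: few destination
        # IPs, many destination ports, so plain TAPS flags it (the false positive).
        recs += [(t, "10.0.0.80", c, 50000 + w * 10 + k)
                 for c in ("10.0.2.1", "10.0.2.2") for k in range(10)]
    return recs


if __name__ == "__main__":
    print(taps(constructed_records()))
```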
Step 2 mainly comprises the following steps:
Step 21: take the packets of the host to be detected over a period of time and analyse them to obtain the numbers of inbound and outbound connections within that period; compare their ratio with the set threshold, and if it exceeds the threshold, proceed to step 22.
Step 22: check that the number of network connections of the host to be detected is much the same from one day to the next. A percentage threshold for the difference is set: when the connection counts of two days differ by less than the threshold, the host's daily connection count is regarded as essentially the same, and step 23 is carried out.
Step 23: divide a day into 24 periods and, at each integral hour, record the running total of network connections on that day up to the current time. Then compute the standard deviation of the running totals over all integral hours. If the standard deviations at the same time on each day differ by less than the threshold, proceed to step 24.
Step 24: compare the number of inbound connections of the host to be detected over a period of time with the number of communication ports it uses; if the resulting ratio exceeds the threshold, the host to be detected is a WEB server. The scanner set remaining after the WEB servers are removed is the final detection result.
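Steps 21 to 24 applied to two constructed suspected hosts, as an added Python example (not the patent's code). The page names the four checks but gives no threshold values, so the thresholds below are assumptions, and step 23 is read here as: for each day, take the standard deviation of the 24 running totals at the integral hours and require those standard deviations to agree across days.

```python
import statistics
from collections import defaultdict

# Assumed thresholds; the page describes the checks but gives no values.
INBOUND_RATIO_MIN = 5.0     # step 21: inbound / outbound connections
DAILY_DIFF_MAX = 0.10       # step 22: relative day-to-day difference in connections
STDDEV_DIFF_MAX = 0.10      # step 23: relative difference of the hourly-profile stddev
CONNS_PER_PORT_MIN = 20.0   # step 24: inbound connections per local service port


def hourly_profile_stddev(day_conns):
    """Step 23 helper: stddev of the running connection total at each integral hour."""
    hourly = [0] * 24
    for _, hour, _, _, _ in day_conns:
        hourly[hour] += 1
    running = [sum(hourly[:h + 1]) for h in range(24)]
    return statistics.pstdev(running)


def is_web_server(conns):
    """Apply steps 21-24 to one suspected host.

    conns: records (day, hour, direction, remote_ip, local_port), where
    direction is "in" (remote side opened it) or "out" (this host opened it).
    """
    inbound = [c for c in conns if c[2] == "in"]
    outbound = [c for c in conns if c[2] == "out"]
    # Step 21: a server is overwhelmingly the target of connections.
    if not inbound or len(inbound) / max(len(outbound), 1) <= INBOUND_RATIO_MIN:
        return False
    # Step 22: the daily connection count is essentially the same every day.
    by_day = defaultdict(list)
    for c in conns:
        by_day[c[0]].append(c)
    counts = [len(v) for v in by_day.values()]
    if len(counts) < 2 or (max(counts) - min(counts)) / max(counts) >= DAILY_DIFF_MAX:
        return False
    # Step 23: the shape of the daily profile repeats across days.
    stddevs = [hourly_profile_stddev(v) for v in by_day.values()]
    if max(stddevs) and (max(stddevs) - min(stddevs)) / max(stddevs) >= STDDEV_DIFF_MAX:
        return False
    # Step 24: many inbound connections land on a fixed handful of ports.
    service_ports = {c[4] for c in inbound}
    return len(inbound) / len(service_ports) > CONNS_PER_PORT_MIN


def screen(suspected):
    """Remove detected WEB servers from a suspected-scanner set {host: records}."""
    return {host for host, conns in suspected.items() if not is_web_server(conns)}


def constructed_hosts():
    """Constructed two-day traffic for two suspected hosts (not the page's data)."""
    web, scanner = [], []
    for day in (1, 2):
        for hour in range(24):
            # WEB server: 8 client connections every hour, always on 80 or 443.
            web += [(day, hour, "in", f"10.0.2.{k % 3 + 1}", 80 if k % 2 else 443)
                    for k in range(8)]
        web.append((day, 3, "out", "10.0.3.1", 53))
        # Scanner: one inbound SSH session, 200 outbound probes to distinct ports.
        scanner.append((day, 9, "in", "10.0.4.1", 22))
        scanner += [(day, 10, "out", "10.0.5.1", p) for p in range(1, 201)]
    return {"10.0.0.80": web, "10.0.0.9": scanner}


if __name__ == "__main__":
    print(screen(constructed_hosts()))
```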
The effect of the present invention is verified below with reference to a specific embodiment:
(1) Experimental environment
The experiment was implemented in C under Linux, which requires the libpcap and libnids packages to be installed.
The data used in the experiment come from the experimental data of the MIT Lincoln Laboratory. We selected the widely used 1999 evaluation data for comparison. The data comprise two parts, a training set and a test set. The 1999 DARPA intrusion detection evaluation provides five weeks of data in total: the first three weeks form the training set, of which the data of weeks 1 and 3 contain no attacks, so an intrusion detection system can be trained on these two weeks; the data of week 2 contain network intrusions, with attack types that include some from 1998 as well as newly added ones, its main purpose being to provide examples of how these attacks should be reported. Weeks 4 and 5 form the test set, covering 16 September 1999 to 1 October 1999; these two weeks contain 56 attack types in total, and details of the specific attacks are also provided.
(2) Experimental results and analysis
The present invention selects five days of experimental data in total; for each day the inside-network (intranet) data are used for testing. There are 5 files, each provided in tcpdump format; the tcpdump-format files must first be converted to pcap files, and the TCP packets are then extracted for subsequent analysis.
The real number of scanning source IP addresses is 34. The detection results are judged by detection rate and false drop rate: the detection rate is the ratio of correctly detected results to the real number of attacks, and the false drop rate is the ratio of the number of falsely detected IP addresses to the size of the detected suspected-scanner set.
The TAPS method detects 31 scanner IP addresses in total, of which 6 are false positives. The detection rate is therefore 25/34 = 73.5% and the false drop rate is 6/(6+25) = 19.3%.
Next, the suspected-scanner IP address set detected by TAPS is analysed further by running WEB server detection on these 31 IP addresses. The experiment detects 3 WEB servers in total, so the false drop rate becomes 3/(3+25) = 10.7%. The experiment confirms that the false drop rate is indeed reduced.
Claims (3)
1. A TAPS optimization method for reducing the WEB server false drop rate, characterized in that: first the ratio, or its inverse, of the IP address count to the port count of the host to be detected is calculated and compared with a threshold; the rate value of each source IP address is then calculated for the two cases, the rate value is compared with a threshold, and the set of suspected scanners is extracted; finally, WEB servers are filtered out of the suspected-scanner set to obtain a new scanner set.
2. The TAPS optimization method for reducing the WEB server false drop rate according to claim 1, characterized in that extracting the set of suspected scanners specifically includes: if either of the two ratios exceeds the threshold, calculate the conditional probability under the hypothesis that the host is a scanner and update the rate value of the source host, the formula being the conditional probability under the scanner hypothesis multiplied by the previous rate value; if both ratios are less than or equal to the threshold, calculate the conditional probability under the hypothesis that the host is benign and update the rate value of the source host, the formula being the conditional probability under the benign-host hypothesis multiplied by the previous rate value.
3. The TAPS optimization method for reducing the WEB server false drop rate according to claim 1 or 2, characterized in that filtering out WEB servers specifically includes: first judge whether, over a period of time, the number of inbound connections of the host to be detected is far larger than the number of outbound connections; if so, make the following judgement. Then judge whether the times at which multiple IP addresses access the host to be detected show a certain regularity; if so, make the following judgement. Finally judge whether the host to be detected communicates on a fixed, very small number of ports; if so, it is a WEB server and is removed, giving a new scanner set.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610297845.0A | 2016-05-06 | 2016-05-06 | TAPS optimizing method for reducing false drop rate of WEB server |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105763573A (en) | 2016-07-13 |
Family ID: 56323579
Country Status: CN, CN105763573A (en), Pending
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6237032B1 (en) * | 1998-09-30 | 2001-05-22 | Hewlett-Packard Company | Network scan server ready state recovery method |
CN1838588A (en) * | 2006-04-26 | 2006-09-27 | Nanjing University | Invasion detecting method and system based on high-speed network data processing platform |
US20080295172A1 (en) * | 2007-05-22 | 2008-11-27 | Khushboo Bohacek | Method, system and computer-readable media for reducing undesired intrusion alarms in electronic communications systems and networks |
CN101589595A (en) * | 2007-01-23 | 2009-11-25 | Alcatel-Lucent | A containment mechanism for potentially contaminated end systems |
US7908655B1 (en) * | 2005-08-16 | 2011-03-15 | Sprint Communications Company L.P. | Connectionless port scan detection on a network |
CN104836702A (en) * | 2015-05-06 | 2015-08-12 | Huazhong University of Science and Technology | Host network abnormal behavior detection and classification method under large flow environment |
Non-Patent Citations (2)
Title |
---|
Avinash Sridharan et al.: "Connectionless port scan detection on the backbone", 2006 IEEE International Performance Computing and Communications Conference * |
Weijie Wang et al.: "Detecting Subtle Port Scans Through Characteristics Based on Interactive Visualization", RIIT '14 Proceedings of the 3rd Annual Conference on Research in Information Technology * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160713 |