CN112187775B - Port scanning detection method and device - Google Patents


Info

Publication number
CN112187775B
Authority
CN (China)
Prior art keywords
data packets, data packet, determining, packet, address
Legal status
Active
Application number
CN202011012504.7A
Other languages
Chinese (zh)
Other versions
CN112187775A (en)
Inventor
刘斐然
Current assignee
Beijing ThreatBook Technology Co Ltd
Original assignee
Beijing ThreatBook Technology Co Ltd
Events
Application filed by Beijing ThreatBook Technology Co Ltd; priority to CN202011012504.7A; publication of CN112187775A; application granted; publication of CN112187775B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

This application discloses a port scanning detection method and apparatus intended to improve the accuracy of port scanning detection. The method comprises the following steps: while the devices in a group are operating, acquiring the data packets received by all devices in the group; judging, from multiple parameters of a data packet, whether it is a packet corresponding to port scanning; and, when the data packet is a packet corresponding to port scanning, displaying its source address. Because the packets received by all devices in the group are acquired, port scanning detection is performed over the traffic of the whole group rather than of a single device, which avoids missed reports; and because the judgement uses multiple parameters of the packet rather than a bare packet count, the low detection precision that results from counting packets alone is avoided, so the precision of port scanning detection is improved.

Description

Port scanning detection method and device
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for detecting port scanning.
Background
Port scanning refers to an attacker sending a set of probe messages to a computer in an attempt to break into it and learn which network services (identified by port numbers) it provides. It is usually performed in the early stages of a penetration attack.
Existing port scanning detection follows the behaviour of conventional port scans: it counts the number of data packets sent within a short period and considers no other factors. This leads to two main problems in detection: 1. Missed reports: conventional port scanning is a full-port scan against a single target, whereas recent port scanning is often a single-port scan against a group of targets, which the existing method cannot detect. 2. False alarms: the existing method raises false alarms for applications that legitimately generate a large number of packets in a short time, such as P2P downloads. It may also raise false alarms for certain kinds of IP addresses, such as the network egress of a networked area, behind which a large number of users together generate a large number of packets in a short period. Because the existing method produces both false negatives and false positives, its detection precision for port scanning is low, and providing a port scanning detection method with improved precision is the technical problem that urgently needs to be solved.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for detecting port scanning, so as to improve the detection accuracy of port scanning.
To solve this technical problem, the embodiments of the application adopt the following scheme. A port scanning detection method comprises the following steps:
while the devices in the group are operating, acquiring the data packets received by all devices in the group;
judging, from multiple parameters of a data packet, whether it is a packet corresponding to port scanning;
and, when the data packet is a packet corresponding to port scanning, displaying its source address.
The beneficial effect of this application is: the packets received by all devices in the group are acquired, so port scanning detection can be performed over the packets received by the whole group, avoiding missed reports; and whether a packet corresponds to port scanning is judged from multiple parameters of the packet, avoiding the low detection precision that results from counting packet numbers alone, so that the precision of port scanning detection is improved.
In one embodiment, judging from multiple parameters of the data packet whether it is a packet corresponding to port scanning includes:
determining untrusted data packets according to the source address of each data packet;
determining candidate data packets among the untrusted data packets according to the effective sending frequency of the untrusted packets from the same source address;
and selecting, according to a first preset rule, the packets corresponding to port scanning from among the candidate data packets.
In one embodiment, determining untrusted data packets according to the source address includes:
determining trusted addresses according to a second preset rule;
and determining that, among the packets received by all devices in the group, every packet other than those from a trusted address is an untrusted packet.
In one embodiment, determining trusted addresses according to the second preset rule includes one or more of the following:
capturing ranking information for global domain names from the website of a domain-name information query service, and determining the domain names ranked above a preset rank as trusted addresses;
acquiring a locally pre-stored address whitelist, and determining the addresses in the whitelist as trusted addresses;
and determining the addresses of servers providing preset services as trusted addresses.
In one embodiment, determining candidate packets among the untrusted packets according to the effective sending frequency from the same source address includes:
counting, for the untrusted packets sharing a source address, whether the number of effective packets sent by that source address within a preset time period exceeds a preset number, where effective packets are those sent to different destination addresses or different destination ports;
and, when the number exceeds the preset number, determining those untrusted packets as candidate packets.
In one embodiment, when the candidate packets correspond to a single source address, selecting the port scanning packets from the candidate packets according to the first preset rule includes:
judging whether all candidate packets are smaller than a preset number of bytes;
and, when they all are, determining the candidate packets as the packets corresponding to port scanning.
In one embodiment, when the candidate packets correspond to multiple source addresses, selecting the port scanning packets from the candidate packets according to the first preset rule includes:
selecting, from the candidate packets of the several source addresses, the set of candidate packets sharing one source address whose count is the largest as the target packets;
judging whether all target packets are smaller than the preset number of bytes;
and, when they all are, determining the target packets as the packets corresponding to port scanning.
In one embodiment, displaying the source address of the packet corresponding to port scanning when the packet is such a packet includes:
when the data packet is a packet corresponding to port scanning, storing its address in an early-warning list;
and acquiring the address from the early-warning list and displaying it.
This embodiment further provides a port scanning detection apparatus, including:
an acquisition module for acquiring, while the devices in the group are operating, the data packets received by all devices in the group;
a judging module for judging, from multiple parameters of a data packet, whether it is a packet corresponding to port scanning;
and a display module for displaying the source address of the packet corresponding to port scanning when the packet is such a packet.
In one embodiment, the judging module includes:
a first determining submodule for determining untrusted packets according to the source address of each packet;
a second determining submodule for determining candidate packets among the untrusted packets according to the effective sending frequency of the untrusted packets from the same source address;
and a selection submodule for selecting, according to a first preset rule, the packets corresponding to port scanning from among the candidate packets.
In one embodiment, the first determining submodule is configured to:
determine trusted addresses according to a second preset rule;
and determine that, among the packets received by all devices in the group, every packet other than those from a trusted address is an untrusted packet.
In one embodiment, determining trusted addresses according to the second preset rule includes one or more of the following:
capturing ranking information for global domain names from the website of a domain-name information query service, and determining the domain names ranked above a preset rank as trusted addresses;
acquiring a locally pre-stored address whitelist, and determining the addresses in the whitelist as trusted addresses;
and determining the addresses of servers providing preset services as trusted addresses.
In one embodiment, the second determining submodule is configured to:
count, for the untrusted packets sharing a source address, whether the number of effective packets sent by that source address within a preset time period exceeds a preset number, where effective packets are those sent to different destination addresses or different destination ports;
and, when the number exceeds the preset number, determine those untrusted packets as candidate packets.
In one embodiment, when the candidate packets correspond to a single source address, the selection submodule is configured to:
judge whether all candidate packets are smaller than a preset number of bytes;
and, when they all are, determine the candidate packets as the packets corresponding to port scanning.
In one embodiment, when the candidate packets correspond to multiple source addresses, the selection submodule is configured to:
select, from the candidate packets of the several source addresses, the set of candidate packets sharing one source address whose count is the largest as the target packets;
judge whether all target packets are smaller than the preset number of bytes;
and, when they all are, determine the target packets as the packets corresponding to port scanning.
In one embodiment, the display module includes:
a storage submodule for storing the address of the packet corresponding to port scanning in an early-warning list when the packet is such a packet;
and a display submodule for acquiring the address from the early-warning list and displaying it.
Drawings
Fig. 1 is a flowchart of a port scanning detection method according to an embodiment of the present application;
Fig. 2 is a flowchart of a port scanning detection method according to another embodiment of the present application;
Fig. 3 is a block diagram of a port scanning detection apparatus according to an embodiment of the present application;
Fig. 4 is a block diagram of a port scanning detection apparatus according to another embodiment of the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
It should also be understood that, although the present application has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of application, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail, to avoid obscuring the application with unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
Fig. 1 is a flowchart of a port scanning detection method according to an embodiment of the present application; the method includes the following steps S11-S13:
in step S11, while the devices in the group are operating, the data packets received by all devices in the group are acquired;
in step S12, whether a data packet is a packet corresponding to port scanning is judged from multiple parameters of the packet;
in step S13, when the packet is a packet corresponding to port scanning, the source address of that packet is displayed.
The method and apparatus may be deployed on the back-end server of a network security service application, which acquires, while the devices in the group are operating, the packets received by all devices in the group. Specifically, the devices in the group are all devices sharing the same network egress, and the packets concerned are those generated by interaction among those devices or between them and external devices; for example, all devices in some networked areas, such as an office network, share one network egress, and in other networked areas, such as a home network, some or all devices may use the same network egress.
Whether a packet corresponds to port scanning is judged from multiple parameters of the packet. These parameters may include the source address of the packet, the effective sending frequency of packets from that source address, and the packet size; the judgement is made by considering the several parameters together.
Specifically, packets sent by trusted addresses are filtered out first; after this filtering, the packets from all addresses other than the trusted addresses are untrusted packets, which must be judged further to decide whether they correspond to port scanning. For the untrusted packets sharing a source address, it is counted whether the number of effective packets sent by that source address within a preset time period exceeds a preset number, where effective packets are those sent to different destination addresses or different destination ports; when the number exceeds the preset number, those untrusted packets are determined to be candidate packets. In general, port scanning has to send a large amount of probe traffic to the device it targets in order to learn the specific state of that computer, so the rate at which a port scan sends packets is very high, and the number of packets sent per minute typically reaches the order of hundreds of thousands. Accordingly, in this application it is counted whether the number of effective packets sent within one minute by the source address of the untrusted packets sharing that source reaches the order of hundreds of thousands, where effective packets are those whose destination address or destination port differ, that is, the packets must be sent to different devices or to different ports of the same device; when the number of effective packets reaches the order of hundreds, the untrusted packets are determined to be candidate packets.
Finally, if a packet is judged to be a packet corresponding to port scanning, its source address is displayed.
The beneficial effect of this application is: the packets received by all devices in the group are acquired, so port scanning detection can be performed over the packets received by the whole group, avoiding missed reports; and whether a packet corresponds to port scanning is judged from multiple parameters of the packet, avoiding the low detection precision that results from counting packet numbers alone, so that the precision of port scanning detection is improved.
In one embodiment, as shown in Fig. 2, step S12 above may be implemented as the following steps S21-S23:
in step S21, untrusted packets are determined according to the source address of each packet;
in step S22, candidate packets are determined among the untrusted packets according to the effective sending frequency of the untrusted packets from the same source address;
in step S23, the packets corresponding to port scanning are selected from the candidate packets according to a first preset rule.
Whether a packet corresponds to port scanning is judged from multiple parameters of the packet. These parameters may include the source address of the packet, the effective sending frequency of packets from that source address, and the packet size; the judgement is made by considering the several parameters together.
Specifically, packets sent by trusted addresses are filtered out according to each packet's source address; after this filtering, the packets from all addresses other than the trusted addresses are untrusted packets, which must then be judged further to decide whether they correspond to port scanning. For the untrusted packets sharing a source address, it is counted whether the number of effective packets sent by that source address within a preset time period exceeds a preset number, where effective packets are those sent to different destination addresses or different destination ports; when the number exceeds the preset number, those untrusted packets are determined to be candidate packets.
In addition, because a port scanning packet does not carry out data interaction with the device, it is usually small; therefore, whether the candidate packets are port scanning packets can be determined by checking the size of the candidate packets sharing the same source address.
It will be appreciated that in some special cases port scanning packets may also be larger; for example, to evade a detection mechanism that judges port scanning by packet size, a small number of larger packets may be mixed into the port scanning packets sent to the device. Therefore, when examining the candidate packets, the application may also decide whether they are port scanning packets from the ratio of the candidate packets smaller than the preset number of bytes to the total number of candidate packets from the same source address; for example, when that ratio exceeds a preset ratio, the candidate packets are determined to be port scanning packets.
In one embodiment, step S21 above may be implemented as the following steps A1-A2:
in step A1, trusted addresses are determined according to a second preset rule;
in step A2, it is determined that, among the packets received by all devices in the group, every packet other than those from a trusted address is an untrusted packet.
Specifically, the packets sent by trusted addresses are filtered out, and after this filtering the packets from all addresses other than the trusted addresses are the untrusted packets.
In one embodiment, step A1 above may be implemented as steps B1-B2 and/or steps B3-B4 and/or step B5:
in step B1, ranking information for global domain names is captured from the website of a domain-name information query service;
in step B2, the domain names ranked above a preset rank in the ranking information are determined to be trusted addresses;
in step B3, a locally pre-stored address whitelist is acquired;
in step B4, the addresses in the whitelist are determined to be trusted addresses;
in step B5, the addresses of servers providing preset services are determined to be trusted addresses.
This embodiment thus provides three ways of determining trusted addresses, as follows.
Mode one
Capture ranking information for global domain names from the website of a domain-name information query service;
and determine the domain names ranked above the preset rank in the ranking information as trusted addresses.
In this mode, the ranking information for global domain names may be captured from a website corresponding to a domain-name information query service (e.g., Alexa), and the domain names ranked above the preset rank are determined to be trusted addresses; for example, the top-ranked domain names are trusted addresses.
Mode two
Acquire a locally pre-stored address whitelist;
and determine the addresses in the whitelist as trusted addresses.
A whitelist may be preset, storing trusted addresses that have been screened locally according to various rules; as long as the source address of a packet is one stored in the whitelist, that address is determined to be a trusted address.
Mode three
Determine the addresses of servers providing preset services as trusted addresses.
Because of the particular nature of some service types, packets from their addresses will not be port scans; examples are the addresses of gateways and search engines. Therefore the addresses of such types are determined to be trusted addresses.
In one embodiment, step S22 above may be implemented as the following steps C1-C2:
in step C1, for the untrusted packets sharing a source address, it is counted whether the number of effective packets sent by that source address within a preset time period exceeds a preset number, where effective packets are those sent to different destination addresses or different destination ports;
in step C2, when the number exceeds the preset number, those untrusted packets are determined to be candidate packets.
In this embodiment, after the untrusted packets have been determined, they must be judged further to decide whether they correspond to port scanning. Specifically, for the untrusted packets sharing a source address, it is counted whether the number of effective packets sent by that source address within a preset time period exceeds a preset number, where effective packets are those sent to different destination addresses or different destination ports; when the number exceeds the preset number, those untrusted packets are determined to be candidate packets.
In general, port scanning has to send a large amount of probe traffic to the device it targets in order to learn the specific state of that computer, so the rate at which a port scan sends packets is also very high, and the number of packets sent per minute typically reaches the order of hundreds of thousands. Accordingly, in this application it is counted whether the number of effective packets sent within one minute by the source address of the untrusted packets sharing that source reaches the order of hundreds of thousands, where effective packets are those whose destination address or destination port differ, that is, the packets must be sent to different devices or to different ports of the same device; when the number of effective packets reaches the order of hundreds, the untrusted packets are determined to be candidate packets.
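The trusted-address filtering (steps A1-A2 and B1-B5) and the effective-packet counting over a preset time period (steps C1-C2) described above, as an added worked example in Python. This code is not part of the patent and is not ThreatBook's implementation; the packet records, the ranking list, the whitelist, the service-server list and the threshold values are all constructed for the sample (the preset number is scaled down from the "hundreds" in the text so that a handful of packets suffices). An "effective" packet is counted once per distinct destination address and port inside a sliding one-minute window, so a host that repeats one destination many times (the P2P case from the background section) does not become a candidate, and neither does a source whose distinct destinations are spread too thinly over time to exceed the preset number within any single window.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet received by a device in the group (constructed record, not a real capture)."""
    ts: float   # receive time in seconds
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port
    size: int   # size in bytes


# Hypothetical inputs for the three trusted-address modes (all values constructed):
# mode one, a crawled domain ranking as (domain, address) pairs in rank order;
# mode two, a locally stored whitelist; mode three, servers providing preset services.
RANKING = [("first.example", "203.0.113.10"), ("second.example", "203.0.113.11"),
           ("third.example", "198.51.100.77")]
WHITELIST = {"192.0.2.5"}
SERVICE_SERVERS = {"192.0.2.1"}   # e.g. the group's gateway
PRESET_RANK = 2                   # ranks 1..PRESET_RANK count as trusted (constructed value)
WINDOW = 60.0                     # preset time period: one minute, as in the text
PRESET_NUMBER = 5                 # scaled down from the text's "hundreds" for the sample


def trusted_addresses(ranking, whitelist, service_servers, preset_rank):
    """Second preset rule (steps B1-B5): union of the three trusted-address sources."""
    ranked = {addr for rank, (_, addr) in enumerate(ranking, start=1) if rank <= preset_rank}
    return ranked | set(whitelist) | set(service_servers)


def effective_count(pkts, window):
    """Largest number of distinct (destination address, destination port) pairs one source
    reaches inside any window of `window` seconds.  A packet repeating a pair already seen
    in the window is not effective and does not add to the count."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    best = 0
    for i, first in enumerate(pkts):
        seen = set()
        for p in pkts[i:]:
            if p.ts - first.ts > window:
                break
            seen.add((p.dst, p.dport))
        best = max(best, len(seen))
    return best


def find_candidates(packets, trusted, window, preset_number):
    """Steps S21-S22 / C1-C2: discard packets from trusted addresses, group the rest by
    source address, and keep the sources whose effective count exceeds the preset number.
    Returns {source address: its untrusted packets} for candidate sources only."""
    by_src = defaultdict(list)
    for p in packets:
        if p.src not in trusted:
            by_src[p.src].append(p)
    return {src: pkts for src, pkts in by_src.items()
            if effective_count(pkts, window) > preset_number}


def sample_packets():
    """Constructed traffic: a single-port sweep across the group, a P2P-style host that
    repeats one destination, a whitelisted host, and a slow source below the rate threshold."""
    pkts = []
    # 198.51.100.77 appears in the ranking but only at rank 3, so it is not trusted.
    pkts += [Packet(t, "198.51.100.77", f"10.0.0.{t + 1}", 22, 60) for t in range(10)]
    # Many packets, but always the same destination address and port: one effective packet.
    pkts += [Packet(t * 0.5, "10.0.0.9", "10.0.0.50", 6881, 1400) for t in range(30)]
    # Whitelisted source reaching many destinations; filtered out before counting.
    pkts += [Packet(t, "192.0.2.5", f"10.0.0.{t + 20}", 443, 80) for t in range(8)]
    # Eight distinct destinations spaced 30 s apart: at most 3 fall inside one minute.
    pkts += [Packet(t * 30.0, "172.16.0.4", f"10.0.0.{t + 40}", 445, 60) for t in range(8)]
    return pkts


def run_example():
    trusted = trusted_addresses(RANKING, WHITELIST, SERVICE_SERVERS, PRESET_RANK)
    return find_candidates(sample_packets(), trusted, WINDOW, PRESET_NUMBER)


if __name__ == "__main__":
    for src, pkts in run_example().items():
        print(f"candidate source {src}: {len(pkts)} untrusted packets")
```

Running the example flags only 198.51.100.77, the source that reaches ten distinct destinations on one port within the minute. The preset number and the window length decide together what is caught: the 172.16.0.4 source in the sample never exceeds the threshold inside any one window, which is the trade-off the text's "preset time period" and "preset number" parameters encode.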
In one embodiment, when the candidate packets correspond to a single source address, step S23 above may be implemented as the following steps D1-D2:
in step D1, it is judged whether all candidate packets are smaller than a preset number of bytes;
in step D2, when all candidate packets are smaller than the preset number of bytes, the candidate packets are determined to be the packets corresponding to port scanning.
In this embodiment, it is judged whether all candidate packets are smaller than a preset number of bytes, and when they all are, the candidate packets are determined to be the packets corresponding to port scanning. Specifically, because a port scanning packet does not carry out data interaction with the device, it is usually smaller than 1K; therefore, whether the candidate packets are port scanning packets can be determined by judging whether the size of the candidate packets sharing the same source address is smaller than 1K.
It is understood that in some special cases port scanning packets may also be larger than 1K; for example, to evade a detection mechanism that judges port scanning by packet size, a few packets larger than 1K may be mixed into the port scanning packets sent to the device. Therefore, when examining the candidate packets, the application may also decide whether they are port scanning packets from the ratio of the candidate packets smaller than the preset number of bytes to the total number of candidate packets from the same source address; for example, when that ratio exceeds 90%, the candidate packets are determined to be port scanning packets.
In one embodiment, when the candidate packets correspond to a plurality of source addresses, step S23 above can be implemented as the following steps E1-E3:
in step E1, selecting, from the candidate data packets corresponding to the plurality of source addresses, the candidate data packets that correspond to the same source address and have the largest order of magnitude as the target data packets;
in step E2, determining whether the target packets are all smaller than a preset number of bytes;
in step E3, when the target packets are all smaller than the preset number of bytes, determining the target packets to be the packets corresponding to the port scan.
When the candidate data packets correspond to multiple source addresses, the candidate data packets that correspond to the same source address and have the largest order of magnitude are selected from the candidate data packets corresponding to those source addresses as the target data packets. For example, if the candidate packets correspond to source addresses A, B and C, with 3180 packets corresponding to source address A, 5100 packets corresponding to source address B and 11000 packets corresponding to source address C, then the candidate packets that correspond to the same source address and have the largest order of magnitude are those corresponding to source address C, so the packets corresponding to source address C are determined to be the target packets; it is then determined whether the target packets are all smaller than the preset number of bytes, and when they are, the target packets are determined to be the data packets corresponding to the port scan.
In one embodiment, step S13 above can be implemented as the following steps F1-F2:
in step F1, when the packet is a packet corresponding to the port scan, storing the address of that packet in the early warning list;
in step F2, acquiring the address of the packet corresponding to the port scan from the early warning list and displaying it.
In this embodiment, when a data packet is a data packet corresponding to port scanning, its address is stored in the early warning list; the early warning list can be displayed on a screen, so that the addresses of the data packets corresponding to a specific port scan are visually displayed on the screen.
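The pipeline described above (untrusted packets, valid-packet counting per source, the first preset rule on packet size in both its strict and 90% ratio forms, target selection among several sources, and the early warning list), written out as an added Python example that is not the applicant's code; the packet record, the preset thresholds and the one-minute capture are constructed here, and 1K is taken as 1024 bytes.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port
    size: int   # packet length in bytes

# The patent calls these values "preset"; the numbers here are constructed.
PRESET_COUNT = 100   # valid packets per window needed to become a candidate
PRESET_BYTES = 1024  # "smaller than 1K"
PRESET_RATIO = 0.90  # ratio variant that tolerates a few oversized packets

def untrusted(packets, trusted_addresses):
    """Packets whose source is not a trusted address (ranked domain,
    local whitelist entry or preset service server) are untrusted."""
    return [p for p in packets if p.src not in trusted_addresses]

def valid_counts(packets):
    """Per source, count 'valid' packets: distinct (destination address,
    destination port) pairs seen within the window."""
    pairs = defaultdict(set)
    for p in packets:
        pairs[p.src].add((p.dst, p.dport))
    return {src: len(s) for src, s in pairs.items()}

def candidates(packets, preset_count=PRESET_COUNT):
    """Sources whose valid-packet count exceeds the preset number."""
    return {s: n for s, n in valid_counts(packets).items() if n > preset_count}

def small_packet_rule(packets, preset_bytes=PRESET_BYTES, ratio=None):
    """First preset rule (steps D1-D2): every packet below the byte limit,
    or, when ratio is given, more than that fraction of them."""
    if not packets:
        return False
    small = sum(1 for p in packets if p.size < preset_bytes)
    if ratio is None:
        return small == len(packets)
    return small / len(packets) > ratio

def detect(window, trusted_addresses, ratio=None, warning_list=None):
    """Run one capture window through the pipeline. Returns the flagged
    source address (or None) and records it in the early warning list."""
    unt = untrusted(window, trusted_addresses)
    cands = candidates(unt)
    if not cands:
        return None
    # Several candidate sources: the one with the largest count is the
    # target (step E1); with a single source this is simply that source.
    target = max(cands, key=cands.get)
    target_packets = [p for p in unt if p.src == target]
    if not small_packet_rule(target_packets, ratio=ratio):
        return None
    if warning_list is not None:
        warning_list.append(target)   # steps F1-F2: store for display
    return target

def constructed_window():
    """Constructed one-minute capture: a whitelisted internal scanner,
    a busy but legitimate HTTPS client, and an external host probing
    150 ports of one server with small packets."""
    pkts = [Packet("10.0.0.5", "10.0.0.20", port, 60) for port in range(1, 201)]
    pkts += [Packet("192.0.2.9", "10.0.0.30", 443, 1400) for _ in range(300)]
    pkts += [Packet("198.51.100.7", "10.0.0.30", port, 74) for port in range(1, 151)]
    return pkts
```

The busy client never becomes a candidate because all 300 of its packets share one destination address and port, so its valid-packet count is 1.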
Fig. 3 is a block diagram of a port scanning detection apparatus according to an embodiment of the present application, which specifically includes the following modules:
the acquiring module 31 is configured to acquire, during the operation of the devices in a group, the data packets received by all devices in the group;
the judging module 32 is configured to judge, according to multiple parameters of a data packet, whether the data packet is a data packet corresponding to a port scan;
the display module 33 is configured to display the source address of the data packet corresponding to the port scan when the data packet is a data packet corresponding to a port scan.
In one embodiment, as shown in fig. 4, the judging module 32 includes:
a first determining submodule 41, configured to determine untrusted data packets according to the source address corresponding to each data packet;
a second determining submodule 42, configured to determine candidate data packets among the untrusted data packets according to the effective sending frequency of the untrusted data packets from the same source address;
and a selecting submodule 43, configured to select the data packets corresponding to the port scan from the candidate data packets according to a first preset rule.
In one embodiment, the first determining submodule 41 is configured to:
determine a trusted address according to a second preset rule;
and determine that, among the data packets received by all the devices in the group, the data packets other than those corresponding to the trusted address are untrusted data packets.
In one embodiment, determining the trusted address according to the second preset rule includes:
capturing ranking information of global domain names from a website corresponding to a domain name information query service;
determining the domain names ranked higher than a preset rank in the ranking information as trusted addresses;
and/or
acquiring a locally pre-stored address whitelist;
determining the addresses in the address whitelist as trusted addresses;
and/or
determining the address of a server providing a preset service as a trusted address.
In one embodiment, the second determining submodule 42 is configured to:
count whether the number of valid data packets sent within a preset time period from the source address corresponding to the untrusted data packets of the same source address is greater than a preset number, where valid data packets are data packets whose destination addresses and destination ports differ;
and, when that number is greater than the preset number, determine the untrusted data packets to be candidate data packets.
In one embodiment, when the candidate packets correspond to a single source address, the selecting submodule 43 is configured to:
judge whether the candidate data packets are all smaller than a preset number of bytes;
and, when the candidate data packets are all smaller than the preset number of bytes, determine the candidate data packets to be the data packets corresponding to the port scan.
In one embodiment, when the candidate data packets correspond to multiple source addresses, the selecting submodule 43 is configured to:
select, from the candidate data packets corresponding to the plurality of source addresses, the candidate data packets that correspond to the same source address and have the largest order of magnitude as the target data packets;
judge whether the target data packets are all smaller than a preset number of bytes;
and, when the target data packets are all smaller than the preset number of bytes, determine the target data packets to be the data packets corresponding to the port scan.
In one embodiment, the display module 33 includes:
a storage submodule, configured to store the address of the data packet corresponding to the port scan in the early warning list when the data packet is a data packet corresponding to a port scan;
and a display submodule, configured to acquire the address of the data packet corresponding to the port scan from the early warning list and display it.
The above embodiments are only exemplary embodiments of the present application, and are not intended to limit the present application, and the protection scope of the present application is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present application and such modifications and equivalents should also be considered to be within the scope of the present application.

Claims (7)

1. A method for detecting port scanning, comprising:
during the operation of the devices in a group, acquiring the data packets received by all the devices in the group;
judging, according to multiple parameters of a data packet, whether the data packet is a data packet corresponding to port scanning, which specifically comprises the following steps:
determining untrusted data packets according to the source address corresponding to the data packet;
determining candidate data packets among the untrusted data packets according to the effective sending frequency of the untrusted data packets from the same source address, specifically: counting whether the number of valid data packets sent within a preset time period from the source address corresponding to the untrusted data packets of the same source address is greater than a preset number, wherein the valid data packets are data packets whose destination addresses and destination ports differ; and, when the number is greater than the preset number, determining the untrusted data packets to be candidate data packets;
selecting the data packets corresponding to the port scan from the candidate data packets according to a first preset rule;
and, when the data packet is a data packet corresponding to the port scan, displaying the source address of the data packet corresponding to the port scan.
2. The method of claim 1, wherein determining the untrusted data packets according to the source address corresponding to the data packet comprises:
determining a trusted address according to a second preset rule;
and determining that, among the data packets received by all the devices in the group, the data packets other than those corresponding to the trusted address are untrusted data packets.
3. The method of claim 2, wherein determining the trusted address according to the second preset rule comprises:
capturing ranking information of global domain names from a website corresponding to a domain name information query service;
determining the domain names ranked higher than a preset rank in the ranking information as trusted addresses;
and/or
acquiring a locally pre-stored address whitelist;
determining the addresses in the address whitelist as trusted addresses;
and/or
determining the address of a server providing a preset service as a trusted address.
4. The method of claim 1, wherein, when the candidate data packets correspond to a single source address, selecting the data packets corresponding to the port scan from the candidate data packets according to the first preset rule comprises:
judging whether the candidate data packets are all smaller than a preset number of bytes;
and, when the candidate data packets are all smaller than the preset number of bytes, determining the candidate data packets to be the data packets corresponding to the port scan.
5. The method of claim 1, wherein, when the candidate data packets correspond to a plurality of source addresses, selecting the data packets corresponding to the port scan from the candidate data packets according to the first preset rule comprises:
selecting, from the candidate data packets corresponding to the plurality of source addresses, the candidate data packets that correspond to the same source address and have the largest order of magnitude as the target data packets;
judging whether the target data packets are all smaller than a preset number of bytes;
and, when the target data packets are all smaller than the preset number of bytes, determining the target data packets to be the data packets corresponding to the port scan.
6. The method of claim 1, wherein displaying the source address of the data packet corresponding to the port scan when the data packet is a data packet corresponding to the port scan comprises:
when the data packet is a data packet corresponding to port scanning, storing the address of the data packet corresponding to the port scan in an early warning list;
and acquiring the address of the data packet corresponding to the port scan from the early warning list and displaying it.
7. A port scan detection apparatus, comprising:
an acquisition module, configured to acquire, during the operation of the devices in a group, the data packets received by all the devices in the group;
a judging module, configured to judge, according to multiple parameters of a data packet, whether the data packet is a data packet corresponding to port scanning, the judging module comprising:
a first determining submodule, configured to determine untrusted data packets according to the source address corresponding to the data packet;
a second determining submodule, configured to determine candidate data packets among the untrusted data packets according to the effective sending frequency of the untrusted data packets from the same source address, the second determining submodule being specifically configured to: count whether the number of valid data packets sent within a preset time period from the source address corresponding to the untrusted data packets of the same source address is greater than a preset number, wherein the valid data packets are data packets whose destination addresses and destination ports differ; and, when the number is greater than the preset number, determine the untrusted data packets to be candidate data packets;
a selecting submodule, configured to select the data packets corresponding to the port scan from the candidate data packets according to a first preset rule;
and a display module, configured to display the source address of the data packet corresponding to the port scan when the data packet is a data packet corresponding to the port scan.
CN202011012504.7A 2020-09-23 2020-09-23 Port scanning detection method and device Active CN112187775B (en)

Publications (2)

Publication Number Publication Date
CN112187775A CN112187775A (en) 2021-01-05
CN112187775B true CN112187775B (en) 2021-09-03