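Affiliations: [1] Department of Electronic Engineering, Tsinghua University; [2] Department of Computer Science, Tsinghua University
Source: Journal of Xiamen University: Natural Science, 2007, Issue A02, pp. 79-83 (5 pages)
Abstract: Building a scan detection platform from unused IP addresses in a network can effectively improve detection accuracy and lower the false alarm rate. Before such a platform is actually built, the expected detection effectiveness of the controllable address resources available for deployment needs to be evaluated, in order to determine which detection targets those addresses can reach and whether building the platform is necessary. To this end, a scan detection model based on network classification is proposed. With this model, the detection effectiveness of a scan detection platform against random scanning sources and local-preference scanning sources can be evaluated, providing theoretical guidance for deploying and building such platforms. The actual distributed detection platform of France Telecom's Leurre'com Honeynet Project is used as the evaluation example. The evaluation shows that this platform can effectively detect high-speed random scanning sources such as the Slammer worm and local-preference scanning sources that issue at least 2 scan connections per second, while its detection effectiveness against low-speed scanning sources is poor. Statistics from real data and simulation experiments verify the accuracy of the evaluation results.
English abstract: A scan detection platform constructed from unused IP addresses will effectively improve detection accuracy and reduce false alarms. Before constructing a real scan detection platform, we need to evaluate the detection effectiveness of controlled monitoring addresses to predict the detecting targets and determine the necessity of the platform deployment. To match these requirements, a new scan detection model based on network classification is presented. According to this model, we can evaluate the detection effectiveness of a scan detection platform which is used to detect random or local preference scanning sources and provide theory guidance for the platform construction and deployment. We use the Leurre'com Honeynet Project's distributed scan detection platform as a practical evaluation instance. Evaluation results show that the platform can effectively detect high speed random scanning sources like Slammer worm and local preference scanning sources whose average scanning rate is more than 2 scan connections per second. To low speed scanning sources, the detection effectiveness is poor. Statistics of real monitoring data and simulation results validate the veracity of evaluation results.
Classification number: TP393.4 [Automation and Computer Technology: Computer Application Technology]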