Analysis of Internet scanning behavior based on dynamic dark network
Qiu-yun WU, Wei DING*
College of Cyberspace Security, Southeast University, Nanjing 211189, China |
Abstract A real-time Internet background radiation (IBR) traffic acquisition algorithm based on the dynamic dark network was used to collect IBR traffic, and the collected traffic was analyzed in order to observe scanning behavior on the Internet. An algorithm was designed to filter out the scanning traffic so that port-oriented scanning behavior could be observed. The dynamic dark network is relatively stable and scattered, so it is not easy to locate; the IBR traffic obtained through it is therefore a reliable data source for scanning analysis. IBR traffic is mainly composed of transmission control protocol (TCP), user datagram protocol (UDP) and Internet control message protocol (ICMP) traffic, of which TCP accounts for more than 90%; this differs from the distribution of the three protocols in normal traffic. The TCP, UDP and ICMP traffic in IBR traffic is mainly scanning traffic, among which horizontal scanning is widely used. The popular scanning ports for both TCP and UDP are dangerous ports, which shows that port-oriented scanning behavior analysis plays an important role in discovering new vulnerabilities on the Internet. TCP port scanning behavior is more dispersed, while UDP port scanning behavior is more concentrated.
Received: 20 September 2019
Published: 28 August 2020
Corresponding Authors:
Wei DING
E-mail: qywu@njnet.edu.cn; wding@njnet.edu.cn
Analysis of Internet scanning behavior based on dynamic dark network
In order to observe scanning behavior on the Internet, a real-time Internet background radiation (IBR) traffic acquisition algorithm based on the dynamic dark network was adopted to collect IBR traffic, and the collected IBR traffic was analyzed; an algorithm was designed to filter out the scanning traffic and observe port-oriented scanning behavior. The dynamic dark network is relatively stable and scattered and is not easy to locate, so the IBR traffic obtained through it is a reliable data source for scanning analysis. IBR traffic consists mainly of three protocols, transmission control protocol (TCP), user datagram protocol (UDP) and Internet control message protocol (ICMP), of which TCP traffic accounts for more than 90%, which differs from the distribution of the three protocols in normal traffic. The TCP, UDP and ICMP traffic in IBR traffic is dominated by scanning traffic, and horizontal scanning is widely used. The popular scanning ports for both TCP and UDP are dangerous ports, which shows that port-oriented scanning behavior analysis plays an important role in discovering newly emerging vulnerabilities on the Internet. TCP port scanning behavior is relatively dispersed, while UDP port scanning behavior is relatively concentrated.
Keywords:
Internet background radiation (IBR),
dark network,
scan detection,
scanning behavior analysis,
port scanning
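The scan-filtering step the abstract describes (separating horizontal from vertical scans in dark-network traffic, then ranking the ports that horizontal scanners target, alongside the per-protocol share) as an added, self-contained illustration; this is not the paper's algorithm, and the flow records, address ranges and thresholds are constructed for the example.

```python
"""Added example (not the paper's own code): classify constructed dark-network
(IBR) flow records by protocol and scan shape, then rank scanned ports."""
from collections import Counter, defaultdict

# Constructed IBR records: (src_ip, dst_ip, protocol, dst_port). Dark-network
# addresses are unused, so every packet arriving here is unsolicited.
RECORDS = [
    *[("203.0.113.5", f"192.0.2.{i}", "TCP", 445) for i in range(1, 41)],   # horizontal
    *[("203.0.113.7", f"192.0.2.{i}", "UDP", 1900) for i in range(1, 31)],  # horizontal
    *[("203.0.113.9", "192.0.2.77", "TCP", p) for p in range(20, 60)],      # vertical
    ("198.51.100.2", "192.0.2.3", "ICMP", 0),
    ("198.51.100.4", "192.0.2.8", "TCP", 80),
]

HORIZ_MIN_DSTS = 16   # assumed: distinct targets on one port to call a source horizontal
VERT_MIN_PORTS = 16   # assumed: distinct ports on one target to call a source vertical

def protocol_share(records):
    """Fraction of records per protocol (the paper reports TCP above 90% in real IBR)."""
    counts = Counter(proto for _, _, proto, _ in records)
    total = sum(counts.values())
    return {p: c / total for p, c in counts.items()}

def classify_sources(records):
    """Label each source as 'horizontal', 'vertical', or 'other'."""
    targets = defaultdict(lambda: defaultdict(set))  # src -> (proto, port) -> {dst}
    ports = defaultdict(lambda: defaultdict(set))    # src -> dst -> {(proto, port)}
    for src, dst, proto, dport in records:
        targets[src][(proto, dport)].add(dst)
        ports[src][dst].add((proto, dport))
    labels = {}
    for src in targets:
        if any(len(d) >= HORIZ_MIN_DSTS for d in targets[src].values()):
            labels[src] = "horizontal"
        elif any(len(p) >= VERT_MIN_PORTS for p in ports[src].values()):
            labels[src] = "vertical"
        else:
            labels[src] = "other"
    return labels

def top_scanned_ports(records, labels, proto, n=3):
    """Most-targeted ports for one protocol, counting only horizontal-scan sources."""
    c = Counter(dport for src, _, p, dport in records
                if p == proto and labels.get(src) == "horizontal")
    return c.most_common(n)

if __name__ == "__main__":
    labels = classify_sources(RECORDS)
    print(protocol_share(RECORDS), labels, top_scanned_ports(RECORDS, labels, "TCP"))
```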