Journal of Southeast University (Natural Science Edition), 2017, Vol. 47, Issue (z1): 25-29, 5. DOI: 10.3969/j.issn.1001-0505.2017.S1.005
Analysis on ShadowServer TCP scanning behavior based on IBR
Abstract
To distinguish between malicious and non-malicious scanning, a method for filtering non-malicious scanning traffic based on a white list is proposed. First, the scanning hosts of a well-known security agency, the ShadowServer Foundation, are used as the white list, and some of the ShadowServer scanning hosts found through the Shodan search engine are taken as the initial white list. Then, the TCP scanning traffic is filtered based on the initial white list and the IBR traffic acquired at the boundary of the CERNET Nanjing master node. Finally, by analyzing the scanning behavior of the scanning traffic, a complete white list acquisition algorithm is designed to find all the white list hosts. The experimental results show that a total of 229 white list hosts are found and that their IP addresses are mainly distributed in four /26 network segments, three of which have contiguous addresses while the fourth also follows a regular pattern. In addition, based on the data obtained in the experiment, two cases and their analyses are provided, covering scanning for port 30022 and port 445 (ransomware).
Key words
internet background radiation (IBR) / scan / ShadowServer / extortion virus
Classification
Information technology and security science
Cite this article
Ding Wei, Wang Li, Wu Qiuyun, Xia Zhen. Analysis on ShadowServer TCP scanning behavior based on IBR [J]. Journal of Southeast University (Natural Science Edition), 2017, 47(z1): 25-29, 5.
Funding
Supported by the National Natural Science Foundation of China (61602114).