基于持续增量模型的低速端口扫描检测算法

Port scanning is a common and effective intrusion technique for searching vulnerable Internet hosts and ports. The detection technology of fast port scanning has matured, but the hidden low-speed port scanning detection effect needs to be improved. This paper studies low-speed port scanning. According to the time persistence and feature dispersion of low-speed scanning, a low-speed port scanning detection algorithm based on continuous incremental model is proposed. The conditional entropy is used to evaluate the feature distribution. The experimental results show that the detection rate of the algorithm can reach 99.78%, and the false positive rate is 7%. The algorithm is applicable to a variety of complex network environments, and does not require network prior knowledge. The detection rate has low accuracy on the threshold, and can effectively detect low-speed port scanning behavior.