Research for scan detection algorithm of high-speed links based on honeypot

Abstract

In order to effectively detect the scan attack on high-speed links, this paper improves the commonly used scan detection algorithm TRW (Threshold Random Walk) based on honeypot, and makes a detailed analysis on its performance. The analysis shows that the improved algorithm has better performance on the speed of identifying the scan source and can finish the real-time detection of high-speed link scan. Meanwhile, on the basis of selective system sample, this paper focuses on the analysis of the anomaly detection accuracy of three scan detection algorithms: Snort, TRW, TRWHP (Threshold Random Walk Based on Honeypot). The experimental results show that, at the same sampling ratio, the false positive rates of TRWHP and TRW algorithm are almost the same, however, the false negative rate of TRWHP algorithm can make a remarkable improvement and obtain the better detection performance.