Title: Adaptive Sequential Hypothesis Testing for Accurate Detection of Scanning Worms
Authors: Lee, Sung-Yen; Lee, Tsern-Huei
Department: Institute of Communications Engineering
Keywords: Network Security; Scanning Worms; Behavior Anomaly; Sequential Hypothesis Testing
Issue Date: 2008
Abstract (Chinese, translated): Early techniques for detecting scanning worms rest on the observation that hosts behaving maliciously have high scanning rates. Such methods do not work against stealthy scanning, and once an attacker learns the scanning-rate threshold that triggers an alert, the detection is easily evaded. To overcome this problem, sequential hypothesis testing was proposed as an alternative. This method needs fewer observations of connection-attempt outcomes, so in that sense it detects scanning worms faster than rate-based methods. However, sequential hypothesis testing is sensitive to the success probabilities of the first-contact connection attempts made by benign and by malicious hosts. If these probabilities are not known in advance, the error rates may be much higher than the desired values. In this thesis we propose a simple adaptive algorithm that estimates these probabilities accurately. Experimental results show that the proposed adaptive estimation algorithm greatly improves the original sequential hypothesis testing method, because it makes the detection of scanning worms more robust.
Abstract (English): Early detection techniques for scanning worms are based on the simple observation that malicious hosts exhibit high port/address scanning rates. Such approaches cannot detect stealthy scanners and are easily evaded once the scanning-rate threshold that triggers an alert is known to the attacker. To overcome this problem, sequential hypothesis testing was developed as an alternative detection technique. It was found that a detector based on sequential hypothesis testing can identify scanning worms faster than one based on scanning rates, in the sense that it needs fewer observations of connection-attempt outcomes. However, the performance of a detector based on sequential hypothesis testing is sensitive to the probabilities of success of the first-contact connection attempts sent by benign and by malicious hosts. If these probabilities are not known, the false-positive and false-negative probabilities can be much larger than the desired values. In this thesis, we present a simple adaptive algorithm that provides accurate estimates of these probabilities. Numerical results show that the proposed adaptive estimation algorithm is an important enhancement of sequential hypothesis testing, because it makes the technique robust for the detection of scanning worms.
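The two properties the abstract relies on (a sequential test stops after a handful of first-contact outcomes, and its error rates blow up when the assumed success probabilities are wrong) can be seen directly with Wald's sequential probability ratio test. The following Python is an added illustration, not code from the thesis, and it does not reproduce the thesis's adaptive estimator. The success probabilities theta0 = 0.8 (benign) and theta1 = 0.2 (scanner), the alpha = beta = 1% targets, and the Bernoulli host model used for the simulation are all constructed assumptions.

```python
"""Sequential hypothesis testing (Wald's SPRT) over first-contact
connection outcomes, plus a simulation of how the error rates degrade
when the assumed success probabilities are wrong.

Added example, not code from the thesis. Constructed parameters:
  theta0 = P(first-contact attempt succeeds | benign host)
  theta1 = P(first-contact attempt succeeds | malicious scanner)
"""
import math
import random


def sprt_thresholds(alpha, beta):
    """Wald's approximate log-likelihood-ratio thresholds for a desired
    false-positive rate alpha and false-negative rate beta."""
    lower = math.log(beta / (1.0 - alpha))   # crossing it accepts H0: benign
    upper = math.log((1.0 - beta) / alpha)   # crossing it accepts H1: malicious
    return lower, upper


def sprt_decide(outcomes, theta0, theta1, alpha=0.01, beta=0.01):
    """Consume first-contact outcomes (True = connection succeeded) one at a
    time and stop as soon as the log-likelihood ratio crosses a threshold.
    Returns (verdict, number_of_observations_used)."""
    lower, upper = sprt_thresholds(alpha, beta)
    llr = 0.0
    n = 0
    for ok in outcomes:
        n += 1
        if ok:
            llr += math.log(theta1 / theta0)                  # success favours benign
        else:
            llr += math.log((1.0 - theta1) / (1.0 - theta0))  # failure favours scanner
        if llr >= upper:
            return "malicious", n
        if llr <= lower:
            return "benign", n
    return "pending", n


def simulate_error_rates(true_theta0, true_theta1, assumed_theta0,
                         assumed_theta1, hosts=2000, max_attempts=200,
                         seed=1):
    """Empirical false-positive and false-negative rates of a detector
    configured with (assumed_theta0, assumed_theta1) against hosts whose
    real first-contact success probabilities are (true_theta0, true_theta1).
    Hosts are synthetic Bernoulli sources, not captured traffic."""
    rng = random.Random(seed)
    false_pos = false_neg = 0
    for _ in range(hosts):
        benign = (rng.random() < true_theta0 for _ in range(max_attempts))
        if sprt_decide(benign, assumed_theta0, assumed_theta1)[0] == "malicious":
            false_pos += 1
        scanner = (rng.random() < true_theta1 for _ in range(max_attempts))
        if sprt_decide(scanner, assumed_theta0, assumed_theta1)[0] == "benign":
            false_neg += 1
    return false_pos / hosts, false_neg / hosts


if __name__ == "__main__":
    # Detector configured for theta0 = 0.8, theta1 = 0.2, alpha = beta = 1%.
    print("thresholds:", sprt_thresholds(0.01, 0.01))
    print("4 failed first contacts:", sprt_decide([False] * 4, 0.8, 0.2))
    print("4 successful first contacts:", sprt_decide([True] * 4, 0.8, 0.2))
    # Model matches reality: error rates stay well inside the 1% targets.
    print("correct thetas   (fp, fn):", simulate_error_rates(0.8, 0.2, 0.8, 0.2))
    # Benign hosts really succeed only 60% of the time (e.g. a network with
    # many stale DNS entries): the false-positive rate climbs far above 1%.
    print("theta0 misjudged (fp, fn):", simulate_error_rates(0.6, 0.2, 0.8, 0.2))
```

With these parameters every outcome moves the log-likelihood ratio by ln 4, so four consecutive failures or four consecutive successes already reach a verdict, which is the "fewer observations" advantage over rate thresholds. When the benign success probability is overestimated (0.8 assumed, 0.6 real), the walk drifts toward the benign decision more slowly and roughly one benign host in six is flagged as a scanner, which is the sensitivity the abstract warns about and the reason the probabilities have to be estimated rather than guessed.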
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079613551
http://hdl.handle.net/11536/41987
Appears in Collections: Thesis


Files in This Item:

  1. 355101.pdf