Author Login Editor-in-Chief Peer Review Editor Work Office Work

Computer Engineering ›› 2021, Vol. 47 ›› Issue (1): 117-122. doi: 10.19678/j.issn.1000-3428.0056888

• Cyberspace Security • Previous Articles     Next Articles

Shodan Traffic Identification Based on Load Characteristics and Statistical Characteristics

LIAN Xiaowei, MA Yao, CHEN Yongle, ZHANG Zhuangzhuang, WANG Jianhua   

  1. College of Information and Computer, Taiyuan University of Technology, Taiyuan 030024, China
  • Received:2019-12-12 Revised:2020-01-15 Published:2020-02-11

基于载荷特征与统计特征的Shodan流量识别

连晓伟, 马垚, 陈永乐, 张壮壮, 王建华   

  1. 太原理工大学 信息与计算机学院, 太原 030024
  • 作者简介:连晓伟(1994-),男,硕士研究生,主研方向为物联网安全;马垚,讲师、博士;陈永乐,副教授、博士;张壮壮、王建华,硕士研究生。
  • 基金资助:
    山西省自然科学基金(201701D111002,201601D021074)。

Abstract: To address the security risk caused by Shodan scanning traffic in industrial control systems,this paper proposes a traffic recognition DFA-SVM model combining Deterministic Finite Automata(DFA) and Support Vector Machine(SVM) based on the load characteristics and statistical characteristics.By analyzing the traffic characteristics of the application layer,the model extracts the protocol function code sequence as the load feature,and combines the traditional statistical characteristics of traffic to identify it.Six distributed honeypot systems are deployed by VPS to identify the Shodan traffic in 32 522 samples.The experimental results show that compared with the model that only uses a single feature,the proposed model can effectively identify 27 Shodan scanner IPs from Shodan scanning traffic,with a recognition accuracy of 99.38%.

Key words: load characteristics, statistical characteristics, Deterministic Finite Automation(DFA), Support Vector Machine (SVM), Shodan traffic

摘要: 针对Shodan扫描流量对工业控制系统产生的不安全问题,结合载荷特征与统计特征,构建一种将确定性有限自动机(DFA)与支持向量机(SVM)相结合的流量识别DFA-SVM模型。通过分析应用层的流量特征,以提取协议功能码序列作为载荷特征,并结合传统的流量统计特征对流量进行识别。采用VPS部署6个分布式蜜罐系统对处理后的32 522个样本进行Shodan流量识别。实验结果表明,相比仅使用单一特征的模型,该模型可有效识别出27个Shodan扫描器IP,识别精度达到99.38%。

关键词: 载荷特征, 统计特征, 确定性有限自动机, 支持向量机, Shodan流量

CLC Number: