Research of a Network Scan Detection Algorithm Based on the FSA Model

Network scan is often the prelude of the network intrusion. Thus precise detection of the network scan plays an important role in the pre-alert of the network intrusion. But the current scan detection technologies are too simple and may be evaded by attackers easily. In this paper, based on the analysis of both the scan and detection technologies, a detection algorithm called SBIPA(FSA-based intrusion pre-alert algorithm) is proposed based on the FSA(finite state automata) model and the key implementation technology is analyzed. The state transfer diagram is used to illustrate the network scan packet series, and three different mechanisms are designed to detect the scan event based on FSA. Experiment reveals that this algorithm not only can detect the single type scan activity more precisely, but also can detect the unobvious scan such as distributed and multi-type mixed scan very well, which can't be detected by other detection technologies. It is believed that it eliminates the limitations of the current scan detection technology and has an important research and practice value.