Scan is the most common technical means used by hackers to identify site vulnerabilities as an attack entry to a website. Local and lightweight scan can often avoid the detection for network layer security protection. The establishment of detection algorithms against such hidden abnormal scan can enable timely identification of the vulnerability of an application site so to establish a precise active protection strategy. Through the comparison on the access behaviors of various users based on the behavioral characteristics of abnormal scan summarized and the clustering algorithm of the subdomain of the site, the occurrence time of abnormal scan and the location of the subdomain can be detected. The results show that the higher the degree of overlap of characteristic operation indexes, the higher the probability of being an abnormal scan behavior. This helps greatly reduce false positives during the overall detection of the website.
Based on the output of the clustering-based detection model, it provides a strong basis for enhancing the protection of the application system and repairing security vulnerabilities caused by the inherent logic errors and the incomplete system functionality.