Journal of Information Security Research (信息安全研究) ›› 2017, Vol. 3 ›› Issue (2): 123-128.

• Academic Paper •

Research of Identifying Web Vulnerability Scanner Based on Finite State Machine

Liu Xiaokai (刘小凯)

  1. Institute of Information Security, Sichuan University
  • Received: 2017-02-20  Online: 2017-02-15  Published: 2017-02-20
  • Corresponding author: Liu Xiaokai
  • About the author: Liu Xiaokai, master's student; main research interest: Web security.

Abstract: Traditional keyword-based methods for identifying Web vulnerability scanners are easily deceived by attackers, which leads to missed detections. To address this problem, an identification method based on a finite state machine is proposed. The attacker's scan data is processed, and a recognition model is built using the scanner's scanning behavior characteristics as transition conditions. The model's state transition process is abstracted as a multidimensional vector, the cosine similarity formula is used to compute the similarity, and the result is compared with a set threshold to determine the type of scanner. Experimental results show that when attackers intentionally disguise their scans, the finite-state-machine-based method identifies the scanner type more effectively.

Key words: finite state machine, Web scanner, vulnerability, behavioral characteristics, cosine similarity