Port scanning is the usual precursor to malicious attacks on today's Internet. Although many algorithms have been proposed for different aspects of the scan detection problem, their design space is focused on enterprise-gateway-level intrusion detection. Furthermore, we find few studies that track scanner behavior over an extended period of time. Operating from a unique vantage point, the IP backbone, we put all the pieces together in designing and implementing a fast and accurate online port scan detection and tracking system. We introduce our flexible architecture and discuss trade-offs and design choices. Specifically, we go in depth into two design choices: the distinct-counter data structure and the buffer size tuning. Our choice of a probabilistic counter is proven to have a low average error of 3.5%. The buffer size is derived using Lyapunov drift techniques on an equivalent queuing model. Our initial scanner tracking results show that the scanners' timing behavior follows a 90-10 curve. That is, 90% of scanners are active for a short time, with low scanning rates, while 10% are long-term and fast scanners, with a few super-scanners lasting the entire duration of monitoring.
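The abstract's first design choice, a per-source probabilistic distinct counter, is the core of any backbone-scale scan detector: exact per-source sets of contacted destinations do not fit in memory at line rate, so each source gets a small sketch whose answer is approximate. The example below is an added illustration and not the paper's own code or data structure; it uses a direct-bitmap (linear counting) estimator, one of the simpler members of the probabilistic distinct-counting family, keyed by source IP over constructed flow records. The 4096-bit bitmap, the 100-destination alerting threshold, the blake2b hash and all addresses are assumptions made for the example.

```python
"""Per-source distinct-destination counting for port-scan detection.

Added illustration, not the paper's code. Each source IP owns a small
"direct bitmap" probabilistic distinct counter (linear counting): a flow
(src, dst_ip, dst_port) sets one bit chosen by hashing the destination,
and the number of distinct destinations is estimated from the fraction
of bits still zero. A source whose estimate crosses a threshold is
reported as a scanner. All flow records below are constructed sample data.
"""
import hashlib
import math
from collections import defaultdict


class DirectBitmap:
    """Linear-counting distinct estimator over a fixed-size bitmap."""

    def __init__(self, bits: int = 4096) -> None:  # 4096 bits is an assumed size
        self.bits = bits
        self.bitmap = bytearray(bits // 8)
        self.zero_bits = bits

    def add(self, item: str) -> None:
        # Hash the item to one bit position; re-setting a set bit is a no-op,
        # which is what makes the counter insensitive to repeated flows.
        h = hashlib.blake2b(item.encode(), digest_size=8).digest()
        pos = int.from_bytes(h, "big") % self.bits
        byte, mask = pos >> 3, 1 << (pos & 7)
        if not self.bitmap[byte] & mask:
            self.bitmap[byte] |= mask
            self.zero_bits -= 1

    def estimate(self) -> float:
        # Linear counting: n_hat = -b * ln(z / b), z = bits still zero.
        if self.zero_bits == 0:
            # Saturated: the source touched far more than b destinations.
            # A real system would escalate to a larger counter; for alerting,
            # "infinite" is the right answer.
            return float("inf")
        return -self.bits * math.log(self.zero_bits / self.bits)


def detect_scanners(flows, threshold: float = 100, bits: int = 4096):
    """Return (per-source estimates, sorted list of sources over threshold)."""
    counters = defaultdict(lambda: DirectBitmap(bits))
    for src, dst_ip, dst_port in flows:
        counters[src].add(f"{dst_ip}:{dst_port}")
    estimates = {src: c.estimate() for src, c in counters.items()}
    scanners = sorted(s for s, est in estimates.items() if est >= threshold)
    return estimates, scanners


def exact_distinct(flows):
    """Ground truth for comparison: exact distinct (dst_ip, dst_port) per source."""
    seen = defaultdict(set)
    for src, dst_ip, dst_port in flows:
        seen[src].add((dst_ip, dst_port))
    return {src: len(s) for src, s in seen.items()}


def constructed_flows():
    """Constructed sample traffic: one benign client and two scanner profiles."""
    flows = []
    # Benign client: repeated connections to three services (3 distinct targets).
    for _ in range(50):
        flows.append(("10.0.0.5", "198.51.100.10", 443))
        flows.append(("10.0.0.5", "198.51.100.11", 80))
        flows.append(("10.0.0.5", "198.51.100.12", 53))
    # Horizontal scanner: one port across 2000 different addresses.
    for i in range(2000):
        flows.append(("203.0.113.7", f"10.20.{i // 256}.{i % 256}", 22))
    # Vertical scanner: 1024 ports on one host, each probed twice.
    for port in range(1, 1025):
        for _ in range(2):
            flows.append(("203.0.113.9", "198.51.100.10", port))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    estimates, scanners = detect_scanners(flows)
    exact = exact_distinct(flows)
    for src in sorted(exact):
        print(f"{src:14} exact={exact[src]:5d} estimate={estimates[src]:8.1f}")
    print("scanners:", scanners)
```

Memory per source is fixed (512 bytes here) regardless of how many destinations it touches, which is the property a backbone detector needs; the price is the estimation error, which for linear counting stays around one to two percent while the distinct count is below the bitmap size and grows sharply as the bitmap saturates. That tension between bitmap size, error and per-source memory is exactly the counter-selection trade-off the abstract refers to.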