Tracking port scanners on the IP backbone

  • Authors: Avinash Sridharan; Tao Ye
  • Affiliations: University of Southern California; Sprint, Burlingame, CA
  • Venue: Proceedings of the 2007 workshop on Large scale attack defense
  • Year: 2007

Abstract

Port scanning is the usual precursor to malicious attacks on today's Internet. Although many algorithms have been proposed for different aspects of the scan detection problem, their design space is focused on enterprise gateway-level intrusion detection. Furthermore, we find few studies that track scanner behavior over an extended period of time. Operating from a unique vantage point, the IP backbone, we put all the pieces together in designing and implementing a fast and accurate online port scan detection and tracking system. We introduce our flexible architecture and discuss trade-offs and design choices. Specifically, we go in depth into two design choices: the distinct counter data structure and the buffer size tuning. Our choice of a probabilistic counter is proven to have a low average error of 3.5%. The buffer size is derived using Lyapunov drift techniques on an equivalent queuing model. Our initial scanner tracking results show that the scanners' timing behavior follows a 90-10 curve. That is, 90% of scanners are active for a short time, with low scanning rates, while 10% are long-term and fast scanners, with a few super-scanners lasting the entire duration of monitoring.
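The abstract's central design choice is a probabilistic distinct counter: a fixed-memory estimate of how many distinct (destination, port) pairs each source has touched, so that a backbone monitor can track many sources without keeping an exact set per source. The example below is added here to illustrate that idea and is not the paper's code; it uses linear counting (a bitmap plus the estimator -m ln(z/m)) rather than whatever counter the authors chose, and the flow records, the 1024-bit counter size and the 64-target threshold are constructed assumptions. It compares the estimate against an exact set to show the error, and handles the saturated-bitmap case where the estimator is no longer reliable.

```python
import hashlib
import math
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port) standing in for sampled
# backbone flows. One ordinary host touches three services on one server;
# one source sweeps 200 distinct ports across eight hosts.
FLOWS = [("10.0.0.5", "192.0.2.1", p) for p in (80, 443, 53, 80, 443)]
FLOWS += [("198.51.100.7", "192.0.2.%d" % (i % 8), 1 + i) for i in range(200)]


class LinearCounter:
    """Probabilistic distinct counter (linear counting).

    Memory is a fixed m-bit bitmap per tracked source, independent of how
    many distinct items arrive. Each item is hashed to one bit; the number
    of bits still zero gives the estimate n ~ -m * ln(z / m).
    """

    def __init__(self, m_bits: int = 1024):
        self.m = m_bits
        self.bits = bytearray(m_bits // 8)

    def add(self, item: str) -> None:
        # SHA-256 is used here only as a deterministic, well-distributed hash;
        # a production counter would use a faster non-cryptographic hash.
        h = int.from_bytes(hashlib.sha256(item.encode()).digest()[:8], "big")
        idx = h % self.m
        self.bits[idx // 8] |= 1 << (idx % 8)

    def zero_bits(self) -> int:
        return self.m - sum(bin(b).count("1") for b in self.bits)

    def estimate(self) -> float:
        z = self.zero_bits()
        if z == 0:
            # Bitmap saturated: the estimator diverges, so report capacity.
            # A real tracker would size m above the expected range or
            # switch to a counter with a larger range at this point.
            return float(self.m)
        return -self.m * math.log(z / self.m)


def track(flows, m_bits: int = 1024):
    """Return {src: (estimated_distinct_targets, exact_distinct_targets)}.

    The exact set is kept only to measure the estimator's error; the
    probabilistic counter alone is what a backbone monitor would retain.
    """
    counters = defaultdict(lambda: LinearCounter(m_bits))
    exact = defaultdict(set)
    for src, dst, port in flows:
        key = f"{dst}:{port}"
        counters[src].add(key)
        exact[src].add(key)
    return {src: (counters[src].estimate(), len(exact[src])) for src in counters}


def flag_scanners(results, threshold: int = 64):
    """Sources whose estimated distinct-target count reaches the threshold."""
    return sorted(src for src, (est, _) in results.items() if est >= threshold)


if __name__ == "__main__":
    results = track(FLOWS)
    for src, (est, exact_n) in results.items():
        err = abs(est - exact_n) / exact_n
        print(f"{src:15} estimate={est:7.1f} exact={exact_n:4d} error={err:.1%}")
    print("flagged:", flag_scanners(results))
```

With 1024 bits per source and a few hundred distinct targets, the load factor is low and the relative error stays in the low single digits; the error grows as the bitmap fills, which is the trade-off between counter memory and accuracy that the abstract refers to.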