Computer worms and bots are significant threats to large networks because they can spread very rapidly and are used for DDoS. The first phase of worm and bot propagation is scanning for vulnerable hosts, and failing to detect ongoing scanning activity can significantly degrade network performance. We propose a new scan detection scheme, SherLOCK, based on the connection attempt success ratio. The proposed scheme can detect scanners with guaranteed false positive and false negative probabilities using a limited amount of memory. Detecting scanners on high-speed links requires high-speed memory, and such memory devices are expensive and limited in size. We reduce the memory requirement by applying a Bloom filter. We show how slow scanners can be detected with guaranteed performance for a given offered traffic load and memory size, which helps in designing a system that satisfies a target performance requirement. The detection performance is guaranteed under the assumption that malicious scanners and benign hosts behave distinctly in terms of their connection success ratio. We extend the proposed detector with a sampling mechanism to detect more intelligent scanners, including those that use a list of pre-acquired IP addresses, with guaranteed performance. We evaluate the performance of the proposed scheme through experiments using well-known traffic traces.
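The two ideas in the abstract, a per-source decision driven by the connection success ratio with target false positive and false negative probabilities, and a Bloom filter to keep the memory footprint fixed, can be illustrated with a small detector. The code below is an added example written for this page, not the SherLOCK implementation or the authors' code: it uses Wald's sequential probability ratio test over first-contact connection outcomes (an assumption about how "guaranteed" error probabilities can be obtained; the paper's exact test may differ) and uses the Bloom filter to remember which (source, destination) pairs have already been counted, so a retry to the same host does not re-enter the test. Host addresses, thresholds and the flow outcomes are all constructed.

```python
"""Added example: success-ratio scan detection with a Bloom filter (constructed data)."""
import hashlib
import math
from collections import defaultdict


class BloomFilter:
    """Fixed-size Bloom filter: m bits, k hash positions derived from SHA-256."""

    def __init__(self, m_bits: int, k_hashes: int):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        # Never a false negative; false positives at a rate set by m, k and the load.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


class SuccessRatioDetector:
    """Per-source sequential test (SPRT) on the success ratio of first-contact attempts.

    H0 (benign):  attempts succeed with probability >= theta_benign.
    H1 (scanner): attempts succeed with probability <= theta_scanner.
    alpha / beta are the target false-positive / false-negative probabilities.
    """

    def __init__(self, theta_benign=0.8, theta_scanner=0.2, alpha=0.01, beta=0.01,
                 bloom_bits=1 << 16, bloom_hashes=4):
        self.upper = math.log((1 - beta) / alpha)   # crossing it -> declare scanner
        self.lower = math.log(beta / (1 - alpha))   # crossing it -> declare benign
        self.step_fail = math.log((1 - theta_scanner) / (1 - theta_benign))  # > 0
        self.step_ok = math.log(theta_scanner / theta_benign)                # < 0
        self.llr = defaultdict(float)            # running log-likelihood ratio per source
        self.first_contacts = defaultdict(int)
        self.verdicts = {}
        # Fixed-size memory in place of a per-source table of every destination seen
        # (assumed use of the filter for this example, not necessarily the paper's).
        self.seen_pairs = BloomFilter(bloom_bits, bloom_hashes)

    def observe(self, src: str, dst: str, outcome: str) -> str:
        """outcome is "ok" (handshake completed) or "fail" (no SYN/ACK, or RST)."""
        if src in self.verdicts:
            return self.verdicts[src]             # decision already made for this source
        pair = f"{src}->{dst}"
        if pair in self.seen_pairs:
            return "undecided"                    # repeat contact, or a Bloom false positive
        self.seen_pairs.add(pair)
        self.first_contacts[src] += 1
        self.llr[src] += self.step_ok if outcome == "ok" else self.step_fail
        if self.llr[src] >= self.upper:
            self.verdicts[src] = "scanner"
        elif self.llr[src] <= self.lower:
            self.verdicts[src] = "benign"
        return self.verdicts.get(src, "undecided")

    def verdict(self, src: str) -> str:
        return self.verdicts.get(src, "undecided")


def run_constructed_sample() -> SuccessRatioDetector:
    """Feed constructed flow outcomes through the detector and return it for inspection."""
    events = [
        # benign client: mostly hosts that answer
        ("10.0.0.5", "192.0.2.10", "ok"), ("10.0.0.5", "192.0.2.11", "ok"),
        ("10.0.0.5", "192.0.2.12", "ok"), ("10.0.0.5", "192.0.2.13", "fail"),
        ("10.0.0.5", "192.0.2.14", "ok"), ("10.0.0.5", "192.0.2.15", "ok"),
        # scanning host: sweeps a range, almost nothing answers
        ("10.0.0.99", "192.0.2.1", "fail"), ("10.0.0.99", "192.0.2.2", "fail"),
        ("10.0.0.99", "192.0.2.3", "ok"),   ("10.0.0.99", "192.0.2.4", "fail"),
        ("10.0.0.99", "192.0.2.4", "fail"),  # retry to the same host: not a first contact
        ("10.0.0.99", "192.0.2.5", "fail"), ("10.0.0.99", "192.0.2.6", "fail"),
        ("10.0.0.99", "192.0.2.7", "fail"),
        # host with too few first contacts to decide either way
        ("10.0.0.7", "192.0.2.20", "fail"), ("10.0.0.7", "192.0.2.21", "ok"),
    ]
    det = SuccessRatioDetector()
    for src, dst, outcome in events:
        det.observe(src, dst, outcome)
    return det


if __name__ == "__main__":
    d = run_constructed_sample()
    for host in ("10.0.0.5", "10.0.0.99", "10.0.0.7"):
        print(host, d.verdict(host), "first contacts:", d.first_contacts[host])
```

With the defaults each failed first contact adds ln 4 to the ratio and each success subtracts it, and the thresholds are ±ln 99, so a verdict needs a net surplus of four outcomes in one direction; the memory-versus-accuracy trade-off the abstract describes shows up as the Bloom filter's false positive rate, since a false "already seen" answer drops a genuine first contact and delays the decision rather than producing a wrong one.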