TCP/IP illustrated (vol. 1): the protocols
TCP/IP illustrated (vol. 1): the protocols
End-to-end Internet packet dynamics
SIGCOMM '97 Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication
Automated packet trace analysis of TCP implementations
SIGCOMM '97 Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication
ACM Transactions on Information and System Security (TISSEC)
Practical automated detection of stealthy portscans
Journal of Computer Security
Aggregation and Correlation of Intrusion-Detection Alerts
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Co-ordinated port scans: a model, a detector and an evaluation methodology
Co-ordinated port scans: a model, a detector and an evaluation methodology
A network activity classification schema and its application to scan detection
IEEE/ACM Transactions on Networking (TON)
| Hi-index | 0.00 |
Anomalous connections in TCP traffic can be detected using a finite state machine model that reflects the progression of a TCP connection through a sequence of states via its control flags. Anomalies generated by this model can be associated with scanning activity. By storing these anomalies over time, it is possible to identify the presence of scanning activity by sorting the data with respect to source address, destination address and destination port. In particular, low-profile (slow and/or distributed) scans can be identified. The 1999 DARPA data was used to test the method, with no false negatives. Operational data was injected with crafted slow scan anomalies to test the false negative rate; all were successfully detected, along with numerous real scans. The storage requirements of the system are quite small, giving the ability to store scans for extremely long periods of time.