TCP portscan detection based on single packet flows and entropy

  • Authors: Hai Zhang; Xuyang Zhu; Wenming Guo
  • Affiliations: South China University of Technology, Guangzhou, China and Southern Medical University, Guangzhou, China; Southern Medical University, Guangzhou, China; Southern Medical University, Guangzhou, China
  • Venue: Proceedings of the 2nd International Conference on Interaction Sciences: Information Technology, Culture and Human
  • Year: 2009


Abstract

Portscanning is a common activity of considerable importance. It is often used by attackers to characterize the hosts or networks against which they are considering hostile activity. It is therefore useful for system administrators and other network defenders to detect portscans as possible preliminaries to a more serious attack, and it is of considerable interest to attackers to determine whether or not the defenders of a network are portscanning it regularly. A major difficulty in detecting portscans at a high-speed monitoring point is that the traffic volume on high-speed links can reach tens of gigabits per second and can contain millions of flows. Our purpose is to detect portscans from flow records collected on the Internet. This data set is sometimes too large to process in full. Fortunately, we have an approach to detect a specific kind of portscan. First, we filter out all web traffic on port 80 and all non-TCP flows, which reduces the data set significantly. The data set is still too large, however, so we then sample it. Many alternative sampling methods exist; in this paper we use simple random sampling, since it selects flow records uniformly. Finally, using the sampled data, we introduce a new way to identify port scanners. Since a host that contacts a large number of distinct destination IP addresses and ports is probably a port scanner, we compute, for each host, the entropy of the distribution of its destination IP addresses and ports. In theory, simple random sampling has minimal impact on each host's entropy, so the entropy estimate remains precise. The experimental results show that the sampled data can still identify port scanners accurately: the attackers' destination IP address entropy is clearly larger than that of other hosts. Entropy-based SYN detection can therefore help us find scanners effectively.
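The three-step pipeline the abstract describes (filter out port 80 and non-TCP flows, take a simple random sample, then compute per-host entropy of destination IPs and ports) is shown below as an added example; it is not the paper's code. The flow records are constructed inline, the `Flow` field names, the 25% sampling fraction and the 3-bit destination-IP entropy threshold are assumptions, and the scanner host is flagged on destination-IP entropy alone because that is the feature the abstract reports as clearly separating scanners from other hosts.

```python
"""Entropy-based TCP port scan detection over filtered, sampled flow records.

Added example, not the paper's code. Flow records are constructed here; the
Flow field names, sampling fraction and entropy threshold are assumptions.
"""
import math
import random
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


def build_sample_flows() -> List[Flow]:
    """Constructed flow records (not real traffic).

    10.0.0.5 behaves like a scanner: a horizontal sweep of port 22 across 200
    hosts, then a vertical sweep of ports 1-100 on one host.  10.0.0.7 behaves
    like an ordinary client talking repeatedly to three servers.  A few UDP
    flows and some port-80 flows are included to exercise the filter.
    """
    flows: List[Flow] = []
    flows += [Flow("10.0.0.5", f"192.0.2.{i}", 22, "tcp") for i in range(1, 201)]
    flows += [Flow("10.0.0.5", "192.0.2.1", p, "tcp") for p in range(1, 101)]
    flows += [Flow("10.0.0.7", "198.51.100.1", 443, "tcp")] * 50
    flows += [Flow("10.0.0.7", "198.51.100.2", 25, "tcp")] * 30
    flows += [Flow("10.0.0.7", "198.51.100.3", 80, "tcp")] * 40
    flows += [Flow("10.0.0.7", "198.51.100.4", 53, "udp")] * 10
    return flows


def filter_flows(flows: Iterable[Flow]) -> List[Flow]:
    """Step 1: drop web traffic on port 80 and every non-TCP flow."""
    return [f for f in flows if f.proto == "tcp" and f.dst_port != 80]


def simple_random_sample(flows: List[Flow], fraction: float, seed: int = 0) -> List[Flow]:
    """Step 2: simple random sampling, which selects flow records uniformly.

    A fixed seed keeps the demonstration reproducible; a production sampler
    would not need one.
    """
    k = max(1, int(len(flows) * fraction))
    return random.Random(seed).sample(flows, k)


def shannon_entropy(counts) -> float:
    """Shannon entropy in bits of the distribution given by a count mapping."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def host_entropies(flows: Iterable[Flow]) -> Dict[str, Tuple[float, float]]:
    """Step 3: for each source host, entropy of its destination IPs and ports.

    A host that spreads its flows over many distinct destinations has high
    entropy; a client that talks to a few servers over and over has low entropy.
    """
    dst_ips: Dict[str, Counter] = defaultdict(Counter)
    dst_ports: Dict[str, Counter] = defaultdict(Counter)
    for f in flows:
        dst_ips[f.src_ip][f.dst_ip] += 1
        dst_ports[f.src_ip][f.dst_port] += 1
    return {src: (shannon_entropy(dst_ips[src]), shannon_entropy(dst_ports[src]))
            for src in dst_ips}


def flag_scanners(entropies: Dict[str, Tuple[float, float]], ip_threshold: float = 3.0) -> List[str]:
    """Hosts whose destination-IP entropy exceeds the (assumed) threshold in bits."""
    return sorted(src for src, (h_ip, _) in entropies.items() if h_ip > ip_threshold)


def run_pipeline(flows: List[Flow], fraction: float = 0.25, seed: int = 0):
    """Return per-host entropies computed on the full filtered data and on a sample."""
    kept = filter_flows(flows)
    sampled = simple_random_sample(kept, fraction, seed)
    return host_entropies(kept), host_entropies(sampled)


if __name__ == "__main__":
    full, sampled = run_pipeline(build_sample_flows())
    for src in sorted(full):
        h_ip, h_port = full[src]
        s_ip, s_port = sampled.get(src, (0.0, 0.0))
        print(f"{src}: full H(dst_ip)={h_ip:.2f} H(dst_port)={h_port:.2f} | "
              f"sampled H(dst_ip)={s_ip:.2f} H(dst_port)={s_port:.2f}")
    print("flagged on full data:   ", flag_scanners(full))
    print("flagged on sampled data:", flag_scanners(sampled))
```

Running the script shows the effect the abstract reports: the scanner's destination-IP entropy is about 6 bits on the full data and stays well above the threshold after uniform sampling, while the ordinary client stays below 1 bit in both cases, so the sampled data still separates the two. On real NetFlow or IPFIX data the threshold should be calibrated per site, and a host with very few sampled flows should be held back until enough records accumulate, since an entropy computed from a handful of flows is unreliable.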