An event-based platform for collaborative threats detection and monitoring
Information Systems
Large enterprises are nowadays complex interconnected software systems spanning several domains. This new dimension makes it difficult for enterprises to deploy efficient security defenses. This paper addresses the problem of detecting inter-domain stealthy port scans and proposes an architecture for an Intrusion Detection System that uses, for this purpose, an open source Complex Event Processing engine named Esper. Esper provides a low cost of ownership and high flexibility. The architecture consists of software sensors deployed at different enterprise domains. Each sensor sends events to the Esper event processor for correlation. We implemented an algorithm for the detection of inter-domain SYN port scans, named the Rank-based SYN (R-SYN) port scan detection algorithm. It combines and adapts three detection techniques in order to obtain a single global statement about the malicious behavior of host activities. An evaluation of the accuracy of our approach has been carried out using several traces, some of which contain original traffic dumps, while others were altered by injecting packets that simulate port scan activities. Accuracy results show that our algorithm is able to produce a list of scanners characterized by a high detection rate and a low false positive rate.