Inter-domain stealthy port scan detection through complex event processing

Authors:
Leonardo Aniello;Giorgia Lodi;Roberto Baldoni
Affiliations:
Università degli Studi di Roma "La Sapienza", Via Ariosto, Roma, Italy;Università degli Studi di Roma "La Sapienza", Via Ariosto, Roma, Italy;Università degli Studi di Roma "La Sapienza", Via Ariosto, Roma, Italy
Venue:
EWDC '11 Proceedings of the 13th European Workshop on Dependable Computing
Year:
2011

Citing 5
Cited 2

Policy-Controlled Event Management for Distributed Intrusion Detection

ICDCSW '05 Proceedings of the Fourth International Workshop on Distributed Event-Based Systems (DEBS) (ICDCSW'05) - Volume 04
A scalable application placement controller for enterprise data centers

Proceedings of the 16th international conference on World Wide Web
Plan-based complex event detection across distributed sources

Proceedings of the VLDB Endowment
Implementing a high-volume, low-latency market data processing system on commodity hardware using IBM middleware

Proceedings of the 2nd Workshop on High Performance Computational Finance
TCP portscan detection based on single packet flows and entropy

Proceedings of the 2nd International Conference on Interaction Sciences: Information Technology, Culture and Human

A collaborative event processing system for protection of critical infrastructures from cyber attacks

SAFECOMP'11 Proceedings of the 30th international conference on Computer safety, reliability, and security
An event-based platform for collaborative threats detection and monitoring

Information Systems

Quantified Score

Hi-index	0.01

Visualization

Abstract

Large enterprises are nowadays complex interconnected software systems spanning over several domains. This new dimension makes difficult for enterprises the task of enabling efficient security defenses. This paper addresses the problem of detecting inter-domain stealthy port scans and proposes an architecture of an Intrusion Detection System which uses, for such purpose, an open source Complex Event Processing engine named Esper. Esper provides low cost of ownership and high flexibility. The architecture consists of software sensors deployed at different enterprise domains. Each sensor sends events to the Esper event processor for correlation. We implemented an algorithm for the detection of interdomain SYN port scans named Rank-based SYN (R-SYN) port scan detection algorithm. It combines and adapts three detection techniques in order to obtain a unique global statement about the malicious behavior of host activities. An evaluation of the accuracy of our approach has been carried out using several traces, some of which including original traffic dumps, some others altered by injecting packets that simulate port scan activities. Accuracy results show that our algorithm is able to produce a list of scanners characterized by high detection and low false positive rates.