Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Impact of packet sampling on anomaly detection metrics
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Detector SherLOCK: Enhancing TRW with Bloom filters under memory and performance constraints
Computer Networks: The International Journal of Computer and Telecommunications Networking
Load shedding in network monitoring applications
ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Frequent items in streaming data: An experimental evaluation of the state-of-the-art
Data & Knowledge Engineering
Efficient computation of frequent and top-k elements in data streams
ICDT'05 Proceedings of the 10th international conference on Database Theory
Impact of Packet Sampling on Portscan Detection
IEEE Journal on Selected Areas in Communications
Hi-index | 0.00 |
Port scans are continuously used by both worms and human attackers to probe for vulnerabilities in Internet facing systems. In this paper, we present a new method to efficiently detect TCP port scans in very high-speed links. The main idea behind our approach is to early discard those handshake packets that are not strictly needed to reliably detect port scans. We show that with just a couple of Bloom filters to track active servers and TCP handshakes we can easily discard about 85% of all handshake packets with negligible loss in accuracy. This significantly reduces both the memory requirements and CPU cost per packet. We evaluated our algorithm using packet traces and live traffic from 1 and 10 GigE academic networks. Our results show that our method requires less than 1 MB to accurately monitor a 10 Gb/s link, which perfectly fits in the cache memory of nowadays' general-purpose processors.