TCP/IP illustrated (vol. 1): the protocols
TCP/IP illustrated (vol. 1): the protocols
ACM Transactions on Information and System Security (TISSEC)
Practical automated detection of stealthy portscans
Journal of Computer Security
Internet intrusions: global characteristics and prevalence
SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Characteristics of internet background radiation
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack
DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Inferring Internet denial-of-service activity
ACM Transactions on Computer Systems (TOCS)
Scan Detection on Very Large Networks Using Logistic Regression Modeling
ISCC '06 Proceedings of the 11th IEEE Symposium on Computers and Communications
Co-ordinated port scans: a model, a detector and an evaluation methodology
Co-ordinated port scans: a model, a detector and an evaluation methodology
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Detecting low-profile scans in TCP anomaly event data
Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services
Internet traffic behavior profiling for network security monitoring
IEEE/ACM Transactions on Networking (TON)
Internet traffic classification demystified: myths, caveats, and the best practices
CoNEXT '08 Proceedings of the 2008 ACM CoNEXT Conference
Network scanning detection strategies for enterprise networks
Network scanning detection strategies for enterprise networks
One-way traffic monitoring with iatmon
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
Classifying internet one-way traffic
Proceedings of the 2012 ACM conference on Internet measurement conference
Collaborative behavior visualization and its detection by observing darknet traffic
CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security
A systematic approach for detecting and clustering distributed cyber scanning
Computer Networks: The International Journal of Computer and Telecommunications Networking
A grand spread estimator using a graphics processing unit
Journal of Parallel and Distributed Computing
| Hi-index | 0.00 |
Internet traffic is neither well-behaved nor well-understood, which makes it difficult to detect malicious activities such as scanning. A large portion of scanning activity is of a slow scan type and is not currently detectable by security appliances. In this proof-of-concept study, a new scan detection technique is demonstrated that also improves our understanding of Internet traffic. Sessions are created using models of the behavior of packet-level data between host pairs, and activities are identified by grouping sessions based on patterns in the type of session, the IP addresses, and the ports. In a 24-h data set of nearly 10 million incoming sessions, a prodigious 78% were identified as scan probes. Of the scans, 80% were slower than basic detection methods can identify. To manage the large volume of scans, a prioritization method is introduced wherein scans are ranked based on whether a response was made and on the periodicity of the probes in the scan. The data is stored in an efficient manner, allowing activity information to be retained for very long periods of time. This technique provides insight into Internet traffic by classifying known activities, giving visibility to threats to the network through scan detection, while also extending awareness of the activities occurring on the network.