Adaptive detection of local scanners

  • Authors: Ahren Studer; Chenxi Wang
  • Affiliations: Carnegie Mellon University; Carnegie Mellon University
  • Venue: ACNS'06, Proceedings of the 4th International Conference on Applied Cryptography and Network Security
  • Year: 2006

Abstract

Network attacks often employ scanning to locate vulnerable hosts and services. Fast and accurate detection of local scanners is key to containing an epidemic in its early stage. Existing scan detection schemes use statically determined detection criteria and, as a result, do not respond well to perturbations in traffic. We present two adaptive scan detection schemes, Success Based (SB) and Failure Based (FB), which change their detection criteria based on observed traffic statistics. We evaluate the proposed schemes analytically and empirically using network traces. Against fast scanners, the adaptive schemes achieve detection precision similar to that of the traditional static schemes. For slow scanners, the adaptive schemes are much more effective, both in detection precision and in detection speed. SB and FB have non-linear properties not present in other schemes; these properties permit a lower Sustained Scanning Threshold and provide robustness against perturbations in the background traffic.