Archetypal behavior in computer security. Journal of Systems and Software.
An evaluation of connection characteristics for separating network attacks. International Journal of Security and Networks.
Evolving TCP/IP packets: a case study of port scans. CISDA'09 Proceedings of the Second IEEE International Conference on Computational Intelligence for Security and Defense Applications.
Filesystem activity following a SSH compromise: an empirical study of file sequences. ICISC'07 Proceedings of the 10th International Conference on Information Security and Cryptology.
Security of internet-connected computer networks. International Journal of Internet Technology and Secured Transactions.
Optimal information security investment with penetration testing. GameSec'10 Proceedings of the First International Conference on Decision and Game Theory for Security.
Joint network-host based malware detection using information-theoretic tools. Journal in Computer Virology.
Set-up and deployment of a high-interaction honeypot: experiment and lessons learned. Journal in Computer Virology.
A network activity classification schema and its application to scan detection. IEEE/ACM Transactions on Networking (TON).
Using code bloat to obfuscate evolved network traffic. EvoCOMNET'10 Proceedings of the 2010 International Conference on Applications of Evolutionary Computation - Volume Part II.
Networking Recon: Network reconnaissance. Network Security.
Incident Response: Technological alternatives in incident response. Network Security.
Revisiting network scanning detection using sequential hypothesis testing. Security and Communication Networks.
A novel threshold-based scan detection method using genetic algorithm. Proceedings of the 6th International Conference on Security of Information and Networks.
This paper describes an experimental approach to determining the correlation between port scans and attacks. Discussions in the security community often state that port scans should be considered precursors to an attack. However, very few studies have been conducted to quantify the validity of this hypothesis. In this paper, attack data were collected using a test-bed dedicated to monitoring attackers. The data collected consist of port scans, ICMP scans, vulnerability scans, successful attacks and management traffic. Two experiments were performed to validate the hypothesis linking port scans and vulnerability scans to the number of packets observed per connection. Customized scripts were then developed to filter the collected data and group them on the basis of scans and attacks between a source and destination IP address pair. The correlation of the filtered data groups was assessed. The analyzed data consist of forty-eight days of data collection for two target computers on a heavily utilized subnet.