BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
A chipset level network backdoor: bypassing host-based firewall & IDS
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Adaptive pattern mining model for early detection of botnet-propagation scale
Security and Communication Networks
| Hi-index | 0.00 |
Current scanning detection algorithms are based on an underlying assumption that scanning activity can be attributed to a meaningful specific source (i.e. the root cause or scan controller). Sophisticated scanning activity including the use of botnets, idle scanning, and throwaway systems violates this assumption. We propose a class of scanning detection algorithms that focus on what is being scanned for instead of who is performing the scanning. We pursue this idea, introduce the concept of exposuremaps, and report on a preliminary proof-of-concept that allows one to: (1) estimate the information or exposures revealed to an adversary as a result of scanning activity; (2) detect sophisticated or targeted scanning activity with a footprint as low as a single packet or event; and (3) discover real-time changes in network exposures that may be indicative of a successful attack.