Surveying Port Scans and Their Detection Methodologies

Bhuyan, Monowar H.; Bhattacharyya, Dhruba K.; Kalita, Jugal

doi:10.1093/comjnl/bxr035

Cited by 125 publications

(67 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A wide variety of scan detection methods have been surveyed in [2]. Perhaps the most influential and significant of those is that of [1], in which the TRW method is proposed.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Evasion-resistant network scan detection

Harang

Mell

2015

Secur Inform

View full text Add to dashboard Cite

Popular network scan detection algorithms operate through evaluating external sources for unusual connection patterns and traffic rates. Research has revealed evasive tactics that enable full circumvention of existing approaches (specifically the widely cited Threshold Random Walk algorithm). To prevent use of these circumvention techniques, we propose a novel approach to network scan detection that evaluates the behavior of internal network nodes, and combine it with other established techniques of scan detection. By itself, our algorithm is an efficient, protocol-agnostic, completely unsupervised method that requires no a priori knowledge of the network being defended beyond which hosts are internal and which hosts are external to the network, and is capable of detecting network scanning attempts regardless of the rate of the scan (working even with connectionless protocols). We demonstrate the effectiveness of our method on both live data from an enterprise-scale network and on simulated scan data, finding a false positive rate of just 0.000034% with respect to the number of inbound flows. When combined with both Threshold Random Walk and simple rate-limiting detection, we achieve an overall detection rate of 94.44%.

show abstract

“…A wide variety of scan detection methods have been surveyed in [2]. Perhaps the most influential and significant of those is that of [1], in which the TRW method is proposed.…”

Section: Related Workmentioning

confidence: 99%

“…A highly effective and widely cited method for detecting scanners is the Threshold Random Walk (TRW) algorithm [2]. TRW can often detect single source scanning after only 4 or 5 connection attempts.…”

Section: Introductionmentioning

confidence: 99%

Evasion-resistant network scan detection

Harang

Mell

2015

Secur Inform

View full text Add to dashboard Cite

show abstract

“…These techniques are further divided into sub categories like threshold based, algorithmic based, soft computing based or rule based etc. [8]. TRW and TAPS are two main two port scan detection techniques.…”

Section: Port Scan Detectionmentioning

confidence: 99%

Two Pass Port Scan Detection Technique Based on Connection Pattern and Status on Sampled Data

Kumar¹,

Dutta²,

Asati³

2015

JCC

View full text Add to dashboard Cite

Anomaly detection is now very important in the network because the increasing use of the internet and security of a network or user is a main concern of any network administrator. As the use of the internet increases, so the chances of having a threat or attack in the network are also increasing day by day and traffic in the network is also increasing. It is very difficult to analyse all the traffic data in network for finding the anomaly in the network and sampling provides a way to analyse the anomalies in network with less traffic data. In this paper, we propose a port scan detection approach called CPST uses connection status and pattern of the connections to detect a particular source is scanner or benign host. We also show that this approach works efficiently under different sampling methods.

show abstract

“…These scans can be detected by interpreting access logs or analysing network traffic [24]. Port scanning and vulnerability scan determination have a high accuracy rate.…”

Section: Attack Mechanism Determinationmentioning

confidence: 99%

Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time

Heerden

Malan

Mouton

et al. 2014

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. This paper investigates how the measurement of a network attack taxonomy can be related to human perception. Network attacks do not have a time limitation, but the earlier its detected, the more damage can be prevented and the more preventative actions can be taken. This paper evaluate how elements of network attacks can be measured in near real-time(60 seconds). The taxonomy we use was developed by van Heerden et al (2012) with over 100 classes. These classes present the attack and defenders point of view. The degree to which each class can be quantified or measured is determined by investigating the accuracy of various assessment methods. We classify each class as either defined, high, low or not quantifiable. For example, it may not be possible to determine the instigator of an attack (Aggressor), but only that the attack has been launched by a Hacker (Actor). Some classes can only be quantified with a low confidence or not at all in a sort (near real-time) time. The IP address of an attack can easily be faked thus reducing the confidence in the information obtained from it, and thus determining the origin of an attack with a low confidence. This determination itself is subjective. All the evaluations of the classes in this paper is subjective, but due to the very basic grouping (High, Low or Not Quantifiable) a subjective value can be used. The complexity of the taxonomy can be significantly reduced if classes with only a high perceptive accuracy is used.

show abstract

Surveying Port Scans and Their Detection Methodologies

Cited by 125 publications

References 48 publications

Evasion-resistant network scan detection

Evasion-resistant network scan detection

Two Pass Port Scan Detection Technique Based on Connection Pattern and Status on Sampled Data

Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time

Contact Info

Product

Resources

About