Abstract
The prevalence of worms, DDoS attacks and scan activity has greatly affected network infrastructure security. For scan detection, most traditional methods are flow based and therefore unsuitable for gigabit or multi-gigabit networks. To address this scalability problem, this paper proposes a novel scan detection method in which no flow records need to be maintained. Based on the observation that scans generally generate a large volume of returned RST packets, a hypothesis testing based approach is proposed. Experiments on a production network and on the DARPA 1998 datasets indicate that the algorithm is effective.
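The RST-counting idea in the abstract, as an added illustration that is not the paper's own algorithm: keep only two counters per external address (SYNs it sent, RSTs it received) with no per-flow records, and run a sequential probability ratio test over them. The RST probabilities `P_BENIGN`/`P_SCAN`, the error rates, and the sample trace are all assumed values constructed for this example.

```python
import math
from collections import defaultdict

# Assumed model parameters (not from the paper): probability that a SYN
# draws a RST reply for a benign client (H0) versus a scanner (H1), and
# the tolerated false-alarm / miss rates that set the SPRT thresholds.
P_BENIGN, P_SCAN = 0.1, 0.7
ALPHA, BETA = 0.01, 0.01

class RstScanDetector:
    """Two counters per address; no per-flow (5-tuple) state is kept."""

    def __init__(self, p0=P_BENIGN, p1=P_SCAN, alpha=ALPHA, beta=BETA):
        self.p0, self.p1 = p0, p1
        self.upper = math.log((1 - beta) / alpha)   # accept H1: scan
        self.lower = math.log(beta / (1 - alpha))   # accept H0: benign
        self.syns, self.rsts = defaultdict(int), defaultdict(int)
        self.verdict = {}                            # hosts whose test ended

    def llr(self, host):
        """Log-likelihood ratio H1 vs H0: each SYN is a trial, each RST a
        'closed port' outcome. RSTs without SYNs are clamped to trials."""
        n = max(self.syns[host], self.rsts[host])
        k = min(self.rsts[host], n)
        return (k * math.log(self.p1 / self.p0)
                + (n - k) * math.log((1 - self.p1) / (1 - self.p0)))

    def observe(self, src, dst, flags):
        """Update counters from one TCP header; return the verdict for the
        address under test ('scan', 'benign', 'undecided') or None."""
        f = set(flags.split("|"))
        if "SYN" in f and "ACK" not in f:      # outbound connection attempt
            host = src
            self.syns[host] += 1
        elif "RST" in f:                       # reply from a closed port
            host = dst
            self.rsts[host] += 1
        else:
            return None
        if host not in self.verdict:
            s = self.llr(host)
            if s >= self.upper:
                self.verdict[host] = "scan"
            elif s <= self.lower:
                self.verdict[host] = "benign"
        return self.verdict.get(host, "undecided")

def run_trace(packets):
    """Feed (src, dst, flags) tuples through a detector; return verdicts."""
    det = RstScanDetector()
    for src, dst, flags in packets:
        det.observe(src, dst, flags)
    return dict(det.verdict)

# Constructed trace: 10.0.0.5 probes ten hosts that all answer RST|ACK;
# 10.0.0.7 opens six legitimate connections that are answered with SYN|ACK.
SAMPLE_TRACE = []
for i in range(1, 11):
    SAMPLE_TRACE += [("10.0.0.5", f"192.0.2.{i}", "SYN"),
                     (f"192.0.2.{i}", "10.0.0.5", "RST|ACK")]
for i in range(1, 7):
    SAMPLE_TRACE += [("10.0.0.7", f"198.51.100.{i}", "SYN"),
                     (f"198.51.100.{i}", "10.0.0.7", "SYN|ACK")]
```

With these parameters the scanner is flagged after its third RST reply, while the benign client is accepted after five unanswered-by-RST SYNs; tighter alpha/beta values simply move both thresholds outward.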
© 2006 Springer-Verlag Berlin Heidelberg
Zhang, Q., Li, X. (2006). A Hypothesis Testing Based Scalable TCP Scan Detection. In: Chong, I., Kawahara, K. (eds) Information Networking. Advances in Data Communications and Wireless Networks. ICOIN 2006. Lecture Notes in Computer Science, vol 3961. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11919568_78
DOI: https://doi.org/10.1007/11919568_78
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-48563-6
Online ISBN: 978-3-540-48564-3