Abstract
In this paper, we propose an abnormal IP address detection scheme capable of detecting IP spoofing and network scan attacks. Our scheme learns active host information, such as the incoming interface number and whether the host is working as a Web server or as a DNS server, by collecting and verifying flow information on networks. Using the learned active host information, we can check whether an IP address is normal or abnormal. The performance of the proposed scheme is evaluated through simulation. The simulation results show that our scheme is able to detect source IP spoofing attacks that forge an IP address from the subnet the attacker belongs to, as well as those that forge an external IP address. They also show that our scheme is able to detect network scan attacks with a low false alarm rate.
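The sketch below is an added illustration of the idea in the abstract, not code or an algorithm from the paper. The flow record fields, the rule that only flows marked `verified` are learned from, the interface-mismatch and inactive-destination checks, and the threshold are all assumptions; the sample flows are constructed.

```python
from collections import defaultdict

SCAN_THRESHOLD = 3  # assumed: distinct inactive destinations before alerting

def flow(src, dst, dport, iface, verified=True):
    """Constructed flow record; iface is the interface the packet arrived on."""
    return {"src": src, "dst": dst, "dport": dport, "iface": iface, "verified": verified}

def learn_hosts(flows):
    """Build the active-host table from verified flows only."""
    hosts = {}
    new = lambda: {"iface": None, "web": False, "dns": False}
    for f in flows:
        if not f["verified"]:
            continue  # unverified flows never create or update host entries
        hosts.setdefault(f["src"], new())["iface"] = f["iface"]
        server = hosts.setdefault(f["dst"], new())
        server["web"] |= f["dport"] == 80
        server["dns"] |= f["dport"] == 53
    return hosts

def detect(flows, hosts, threshold=SCAN_THRESHOLD):
    """Flag known sources seen on the wrong interface and sources probing inactive hosts."""
    alerts, misses = [], defaultdict(set)
    for f in flows:
        known = hosts.get(f["src"])
        if known and known["iface"] is not None and known["iface"] != f["iface"]:
            alerts.append(("spoofed-source", f["src"]))
            continue
        if f["dst"] not in hosts:
            misses[f["src"]].add(f["dst"])
            if len(misses[f["src"]]) == threshold:  # alert once per source
                alerts.append(("scan", f["src"]))
    return alerts

TRAINING = [  # constructed learning-phase flows
    flow("10.0.1.5", "10.0.2.10", 80, 1), flow("10.0.2.10", "10.0.1.5", 40000, 2),
    flow("10.0.1.6", "10.0.2.53", 53, 1), flow("10.0.2.53", "10.0.1.6", 40001, 2),
    flow("10.0.9.9", "10.0.2.10", 80, 3, verified=False),
]
LIVE = [  # constructed detection-phase flows
    flow("10.0.2.10", "10.0.1.5", 40002, 1),  # known host, wrong interface
    flow("10.0.1.6", "10.0.2.10", 80, 1),     # normal client to learned Web server
    flow("10.0.1.5", "10.0.2.101", 22, 1), flow("10.0.1.5", "10.0.2.102", 22, 1),
    flow("10.0.1.5", "10.0.2.103", 22, 1),    # third inactive destination
]

if __name__ == "__main__":
    print(detect(LIVE, learn_hosts(TRAINING)))
```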
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ahn, G., Kim, K. (2005). Active Host Information-Based Abnormal IP Address Detection. In: Lorenz, P., Dini, P. (eds) Networking - ICN 2005. ICN 2005. Lecture Notes in Computer Science, vol 3421. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31957-3_78
DOI: https://doi.org/10.1007/978-3-540-31957-3_78
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25338-9
Online ISBN: 978-3-540-31957-3
eBook Packages: Computer Science, Computer Science (R0)