Abstract
Attackers perform port scans to discover reachability, liveness and running services on a host or network. Current scanning tools offer many scanning options and are capable of evading security tools such as firewalls, IDS and IPS. To detect and prevent attacks at an early stage, accurate real-time detection of scanning activity is therefore essential. In this paper we present a flow-based protocol behaviour analysis system that detects both slow and fast TCP scans. The system provides a scalable, accurate and generic solution to TCP-based scanning through automatic behaviour analysis of network traffic. The detection capability of the proposed system is compared with that of SNORT, and the results show a higher detection rate for our system than for SNORT.
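The abstract does not spell out the detection logic, so the following is an added illustration of what flow-based TCP behaviour analysis for slow and fast scans can look like; it is not the paper's system. It assumes unidirectional flow records (NetFlow/IPFIX style) with cumulative TCP flags, and the windows, thresholds and flow records are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    """One unidirectional TCP flow record from the initiator's side (NetFlow/IPFIX style).
    flags holds the cumulative TCP flags seen, using tcpdump letters (S, A, F, R, P, U)."""
    start: float   # flow start time in seconds
    src: str
    dst: str
    dport: int
    flags: str
    packets: int

def is_probe(flow: Flow) -> bool:
    """Protocol-behaviour test: a scanner's flow never ACKs anything and stays tiny
    (SYN only, SYN then RST, or FIN/NULL/Xmas probes), unlike a real client session."""
    return "A" not in flow.flags and flow.packets <= 2

def detect_scans(flows, fast=(10.0, 20), slow=(3600.0, 50)):
    """Per source, count distinct (dst, dport) targets probed inside a short window
    (fast scan) and a long window (slow scan). Thresholds are constructed for this demo."""
    alerts = defaultdict(set)
    history = defaultdict(list)          # src -> [(start, (dst, dport)), ...]
    for f in sorted(flows, key=lambda x: x.start):
        if not is_probe(f):
            continue
        hist = history[f.src]
        hist.append((f.start, (f.dst, f.dport)))
        # drop probes older than the long window so per-source state stays bounded
        hist[:] = [(t, tgt) for t, tgt in hist if f.start - t <= slow[0]]
        for label, (window, threshold) in (("fast", fast), ("slow", slow)):
            targets = {tgt for t, tgt in hist if f.start - t <= window}
            if len(targets) >= threshold:
                alerts[f.src].add(label)
    return dict(alerts)

def sample_flows():
    """Constructed records: a fast SYN scan, a slow scan (one probe a minute), a normal client."""
    flows = [Flow(0.1 * p, "10.0.0.5", "192.168.1.10", p, "S", 1) for p in range(1, 31)]
    flows += [Flow(60.0 * i, "10.0.0.7", "192.168.1.20", 1000 + i, "SR", 2) for i in range(60)]
    flows += [Flow(5.0 * i, "10.0.0.9", "192.168.1.30", 443, "SAPF", 12) for i in range(40)]
    return flows

if __name__ == "__main__":
    print(detect_scans(sample_flows()))   # {'10.0.0.5': {'fast'}, '10.0.0.7': {'slow'}}
```

Because the probe test looks at handshake behaviour rather than packet rate alone, the slow scanner is caught once its distinct targets accumulate over the long window while the normal client, whose flows carry ACKs and payload, never counts.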
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Muraleedharan, N., Parmar, A. (2010). A Flow Based Slow and Fast Scan Detection System. In: Meghanathan, N., Boumerdassi, S., Chaki, N., Nagamalai, D. (eds) Recent Trends in Network Security and Applications. CNSA 2010. Communications in Computer and Information Science, vol 89. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14478-3_20
DOI: https://doi.org/10.1007/978-3-642-14478-3_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14477-6
Online ISBN: 978-3-642-14478-3