
A Flow Based Slow and Fast Scan Detection System

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 89)

Abstract

Attackers perform port scans to find reachability, liveness and services in a system or network. Current scanning tools provide different scanning options and are capable of evading security tools such as firewalls, IDS and IPS. In order to detect and prevent attacks in their early stages, accurate real-time detection of scanning activity is essential. In this paper we present a flow based protocol behavior analysis system to detect TCP based slow and fast scans. The system provides a scalable, accurate and generic solution to TCP based scanning by means of automatic behavior analysis of the network traffic. The detection capability of the proposed system is compared with SNORT, and the results prove the higher detection rate of the system over SNORT.
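The abstract describes flow based behavior analysis of TCP traffic that separates slow scans from fast ones. The example below is added here and is not the paper's own code or schema: it assumes NetFlow/IPFIX-style flow records with cumulative TCP flags, treats SYN-only flows with no ACK as failed handshakes, and uses assumed thresholds (10 distinct targets within 60 s for a fast scan, within one hour for a slow scan) to classify each source over constructed sample flows.

```python
from collections import defaultdict, namedtuple

# Constructed NetFlow/IPFIX-style record; not the paper's schema.
Flow = namedtuple("Flow", "ts src dst dport flags pkts")

# Assumed thresholds, not taken from the paper: >= 10 distinct targets
# within 60 s is a fast scan, within 1 h (and not faster) a slow scan.
FAST_WINDOW, SLOW_WINDOW, MIN_TARGETS = 60, 3600, 10

def is_probe(f):
    """One-sided TCP flow: SYN seen, no ACK, at most two packets."""
    return "S" in f.flags and "A" not in f.flags and f.pkts <= 2

def classify_sources(flows):
    """Map each source to 'fast' or 'slow' when its failed-handshake
    flows reach MIN_TARGETS distinct (dst, dport) pairs within a window."""
    probes = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if is_probe(f):
            probes[f.src].append((f.ts, (f.dst, f.dport)))
    verdict = {}
    for src, events in probes.items():
        for window, label in ((FAST_WINDOW, "fast"), (SLOW_WINDOW, "slow")):
            lo = 0                                   # sliding time window
            for hi in range(len(events)):
                while events[hi][0] - events[lo][0] > window:
                    lo += 1
                if len({t for _, t in events[lo:hi + 1]}) >= MIN_TARGETS:
                    verdict[src] = label
                    break
            if src in verdict:
                break
    return verdict

def sample_flows():
    """Constructed records: a fast scanner, a slow scanner, a normal client."""
    flows = [Flow(1000 + i * 0.4, "10.0.0.5", "192.0.2.10", 20 + i, "S", 1)
             for i in range(12)]                     # 12 ports in 5 s
    flows += [Flow(2000 + i * 300, "10.0.0.6", f"192.0.2.{i + 1}", 22, "S", 1)
              for i in range(12)]                    # one host every 5 min
    flows += [Flow(3000 + i, "10.0.0.7", "192.0.2.10", 443, "SA", 40)
              for i in range(12)]                    # completed sessions
    return flows

if __name__ == "__main__":
    print(classify_sources(sample_flows()))  # {'10.0.0.5': 'fast', '10.0.0.6': 'slow'}
```

The client with completed handshakes produces no verdict, while the slow scanner is only caught because the long window keeps its one-probe-per-five-minutes history.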




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Muraleedharan, N., Parmar, A. (2010). A Flow Based Slow and Fast Scan Detection System. In: Meghanathan, N., Boumerdassi, S., Chaki, N., Nagamalai, D. (eds) Recent Trends in Network Security and Applications. CNSA 2010. Communications in Computer and Information Science, vol 89. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14478-3_20


  • DOI: https://doi.org/10.1007/978-3-642-14478-3_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14477-6

  • Online ISBN: 978-3-642-14478-3
