Abstract
This chapter describes a specific instance of a Semantic Room (SR) that uses the well-known centralized complex event processing engine Esper to detect inter-domain malicious port scan activities effectively. The Esper engine is deployed by the SR administrator and correlates massive amounts of network traffic data exhibiting evidence of distributed port scans. The chapter presents two inter-domain SYN scan detection algorithms that have been designed and implemented in Esper and then deployed within the Semantic Room: the Rank-based SYN (R-SYN) port scan detection algorithm and the Line Fitting port scan detection algorithm. The chapter shows the usefulness of the collaboration enabled by the Semantic Room programming model in terms of detection accuracy for inter-domain port scan attacks. In addition, it shows that Line Fitting achieves a higher detection accuracy with a smaller number of SR members than R-SYN, and exhibits better detection latencies than R-SYN in the presence of low link bandwidths (i.e., less than 3 Mbit/s) connecting the SR members to the Esper engine deployed by the SR administrator.
© 2012 Springer-Verlag Berlin Heidelberg
Esteves Veríssimo, P., Aniello, L., Di Luna, G.A., Lodi, G., Baldoni, R. (2012). Collaborative Inter-domain Stealthy Port Scan Detection Using Esper Complex Event Processing. In: Baldoni, R., Chockler, G. (eds) Collaborative Financial Infrastructure Protection. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-20420-3_7
DOI: https://doi.org/10.1007/978-3-642-20420-3_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-20419-7
Online ISBN: 978-3-642-20420-3