Collaborative Detection of Coordinated Port Scans

  • Conference paper
Distributed Computing and Networking (ICDCN 2013)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 7730)

Abstract

In this paper we analyze the coordinated port scan attack, in which a single adversary coordinates a Group of Attackers (GoA) in order to obtain information on a set of target networks. Such orchestration aims at evading Local Intrusion Detection System checks by allowing each host of the GoA to send only a very small number of probes to hosts of the target network. To detect this complex attack we propose a collaborative architecture in which each target network deploys local sensors that send alarms to a collaborative layer. This layer, in turn, correlates the data with the aim of (i) identifying coordinated attacks while (ii) reducing false positive alarms and (iii) correctly separating GoAs that act concurrently on overlapping targets. The soundness of our approach is tested on real network traces. Tests show that collaboration among network domains is mandatory to achieve accurate detection of coordinated attacks and sharp separation between GoAs that execute concurrent attacks on the same targets.
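The sketch below is an added illustration, not code from the paper: it shows why per-domain thresholds miss a scan spread thinly over many sources, while alarms pooled across domains expose it and keep two concurrent groups on overlapping targets apart. Grouping by target port is a stand-in assumption for the correlation step, which this page does not describe; the thresholds, domain names and alarm records are constructed.

```python
from collections import defaultdict

# Constructed alarms: (reporting_domain, source_ip, target_ip, target_port).
# Addresses come from documentation ranges; none are real observations.
ALARMS = (
    [("net-a", f"198.51.100.{1 + i % 4}", f"192.0.2.{10 + i}", 22) for i in range(8)]
    + [("net-b", f"198.51.100.{1 + i % 4}", f"203.0.113.{10 + i}", 22) for i in range(8)]
    + [("net-a", f"198.51.100.{50 + i % 3}", f"192.0.2.{10 + i}", 445) for i in range(6)]
    + [("net-b", f"198.51.100.{50 + i % 3}", f"203.0.113.{10 + i}", 445) for i in range(6)]
    + [("net-a", "198.51.100.200", "192.0.2.10", 8080)]  # lone failed connection
)

LOCAL_THRESHOLD = 5   # probes per source before one domain flags it (assumed value)
GROUP_THRESHOLD = 10  # distinct targets before the pooled view reports (assumed value)


def local_detections(alarms, threshold=LOCAL_THRESHOLD):
    """Per-domain view: flag a source only if it alone sends enough probes there."""
    seen = defaultdict(set)
    for domain, src, dst, port in alarms:
        seen[(domain, src)].add((dst, port))
    return {key for key, probes in seen.items() if len(probes) >= threshold}


def collaborative_groups(alarms, threshold=GROUP_THRESHOLD):
    """Pooled view: sources probing the same service form one candidate group,
    scored by the distinct targets the group covers across all domains."""
    groups = defaultdict(lambda: {"sources": set(), "targets": set(), "domains": set()})
    for domain, src, dst, port in alarms:
        group = groups[port]
        group["sources"].add(src)
        group["targets"].add(dst)
        group["domains"].add(domain)
    return {
        port: g for port, g in groups.items()
        if len(g["targets"]) >= threshold and len(g["sources"]) > 1 and len(g["domains"]) > 1
    }


if __name__ == "__main__":
    print("flagged locally:", local_detections(ALARMS))
    for port, g in sorted(collaborative_groups(ALARMS).items()):
        print(port, sorted(g["sources"]), len(g["targets"]), sorted(g["domains"]))
```

With only the `net-a` alarms as input, `collaborative_groups` reports nothing, which mirrors the abstract's point that a single domain does not see enough of the scan.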

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Baldoni, R., Di Luna, G.A., Querzoni, L. (2013). Collaborative Detection of Coordinated Port Scans. In: Frey, D., Raynal, M., Sarkar, S., Shyamasundar, R.K., Sinha, P. (eds) Distributed Computing and Networking. ICDCN 2013. Lecture Notes in Computer Science, vol 7730. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35668-1_8

  • DOI: https://doi.org/10.1007/978-3-642-35668-1_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35667-4

  • Online ISBN: 978-3-642-35668-1

  • eBook Packages: Computer Science, Computer Science (R0)
