Abstract
Port scanning is a widely used reconnaissance technique that aims to determine remotely which services are running on the target's TCP/UDP ports. Current research has achieved acceptable performance in detecting conventional port scanning using handcrafted features such as packet receiving rate, count of requested ports and packet arrival time distribution. However, advanced attacks such as APTs usually employ low-speed scans to lower the risk of exposure. Precisely detecting a low-speed scan is a challenge, since its features are much coarser and hard to match with current approaches. We propose a novel method, DeepPort, to solve this problem. DeepPort first filters out the majority of normal packets using their well-defined features. It then detects port scans using features learned by a dedicated Convolutional Neural Network (CNN) trained on real scanning packets under various time interval configurations. Experiments carried out in our campus network show that DeepPort can detect 10 classes of low-speed scans with a precision of 97.4% and a recall of 96.9%.
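The abstract's motivation is that handcrafted features such as the count of requested ports within a time window separate conventional scans from normal traffic, but a scan slowed down far enough looks like a single host touching one port at a time. The following added example (not code from the paper; DeepPort's own filtering stage and its thresholds are not described here) implements such a sliding-window distinct-port detector over constructed packet records and shows the trade-off a defender faces: a short window catches the fast scan and misses the slow one, while a window long enough to catch the slow scan also flags a legitimate host that contacts many services over the same period. Host addresses, port lists and timings are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One inbound SYN to the protected host, reduced to the fields the detector needs."""
    ts: float       # arrival time in seconds
    src: str        # source address
    dst_port: int   # probed destination port


def max_distinct_ports_in_window(packets, window_s):
    """For each source, the largest number of distinct destination ports seen
    within any span of window_s seconds (the handcrafted 'count of requested
    ports' feature, evaluated with a sliding window)."""
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        by_src[p.src].append(p)

    result = {}
    for src, pkts in by_src.items():
        window = deque()              # packets currently inside the window
        port_counts = defaultdict(int)
        best = 0
        for p in pkts:
            window.append(p)
            port_counts[p.dst_port] += 1
            # Evict packets older than window_s relative to the newest packet.
            while p.ts - window[0].ts > window_s:
                old = window.popleft()
                port_counts[old.dst_port] -= 1
                if port_counts[old.dst_port] == 0:
                    del port_counts[old.dst_port]
            best = max(best, len(port_counts))
        result[src] = best
    return result


def flag_scanners(packets, window_s=60.0, port_threshold=10):
    """Sources whose distinct-port count in some window reaches the threshold."""
    feature = max_distinct_ports_in_window(packets, window_s)
    return sorted(src for src, n in feature.items() if n >= port_threshold)


def make_scan(src, ports, start, interval_s):
    """Constructed probe sequence: one SYN per port, evenly spaced."""
    return [Packet(start + i * interval_s, src, port) for i, port in enumerate(ports)]


# --- constructed traffic -------------------------------------------------
TARGET_PORTS = list(range(20, 40))                  # 20 ports probed by both scanners
FAST_SCAN = make_scan("10.0.0.5", TARGET_PORTS, 0.0, 0.05)    # all 20 ports within 1 s
SLOW_SCAN = make_scan("10.0.0.9", TARGET_PORTS, 0.0, 120.0)   # one probe every 2 min
# Ordinary client: many packets, but only two service ports.
WEB_CLIENT = [Packet(float(t), "10.0.0.7", 443) for t in range(0, 3000, 7)] + \
             [Packet(float(t + 3), "10.0.0.7", 80) for t in range(0, 3000, 50)]
# Legitimate monitoring host that polls 12 different services over ~46 min.
MONITOR_PORTS = [22, 80, 443, 3306, 5432, 6379, 8080, 8443, 9090, 9100, 9200, 27017]
MONITOR = make_scan("10.0.0.11", MONITOR_PORTS, 0.0, 250.0)

TRAFFIC = FAST_SCAN + SLOW_SCAN + WEB_CLIENT + MONITOR


if __name__ == "__main__":
    # Short window: only the fast scan exceeds 10 distinct ports.
    print("60 s window:  ", flag_scanners(TRAFFIC, window_s=60.0, port_threshold=10))
    # Long window: the slow scan is caught, but so is the monitoring host.
    print("3000 s window:", flag_scanners(TRAFFIC, window_s=3000.0, port_threshold=10))
```

With the 60-second window the slow scanner never shows more than one distinct port at a time and is indistinguishable from the web client; stretching the window to 3000 seconds makes the slow scan visible but produces a false positive on the monitoring host. That is the gap the paper proposes to close with features learned from real scanning packets rather than a single hand-tuned window and threshold.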
Acknowledgments
The work was supported in part by the National High-tech R & D Program of China (863 Program) (2015AA017201) and the National Key Research and Development Program of China (2016QY01W0200). The authors are very grateful to the anonymous reviewers of this paper.
Copyright information
© 2018 Springer Nature Singapore Pte Ltd.
Cite this paper
Wang, Y., Zhang, J. (2018). DeepPort: Detect Low Speed Port Scan Using Convolutional Neural Network. In: Qiao, J., et al. Bio-inspired Computing: Theories and Applications. BIC-TA 2018. Communications in Computer and Information Science, vol 951. Springer, Singapore. https://doi.org/10.1007/978-981-13-2826-8_32
DOI: https://doi.org/10.1007/978-981-13-2826-8_32
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-2825-1
Online ISBN: 978-981-13-2826-8
eBook Packages: Computer Science, Computer Science (R0)