DOI: 10.1145/1655925.1656116 (ACM conference proceedings, research article)

TCP portscan detection based on single packet flows and entropy

Published: 24 November 2009

ABSTRACT

Portscanning is a common activity of considerable importance. It is often used by computer attackers to characterize hosts or networks against which they are considering hostile activity. Thus it is useful for system administrators and other network defenders to detect portscans as possible preliminaries to a more serious attack, and it is likewise of considerable interest to attackers to determine whether or not the defenders of a network are portscanning it regularly. A major difficulty with detecting these portscans at a high-speed monitoring point is that the traffic volume on high-speed links can be tens of gigabits per second and can contain millions of flows. Our purpose is to detect portscans based on the flow records on the Internet. This data set is sometimes too large to process; fortunately, we have an approach to detect some specific kinds of portscan. First, we filter out any web traffic on port 80 and all non-TCP flows, which reduces the data set significantly. However, the data set is still too large, so we then employ sampling on it. Many alternative sampling methods exist; in this paper we use simple random sampling, since this method selects flow records uniformly. Finally, with the sampled data, we introduce a new way to identify port scanners. Because a host that scans a large number of different destination IP addresses and ports is probably a port scanner, we compute the entropy of each host, which reflects the distribution of its destination IP addresses and ports. In theory, simple random sampling has minimal impact on the entropy of each host, so the estimate of entropy remains precise. The experimental results show that data from the sample can also tell accurately which hosts are port scanners. We will see that the attackers' entropy for destination IP address is clearly bigger than that of other hosts. So entropy-based SYN detection can help us find out scanners effectively.
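The three-step pipeline the abstract describes (prefilter port-80 and non-TCP flows, simple random sampling, per-source entropy of destination IPs and ports) as an added, self-contained example in Python. This is not the paper's code: the flow records are constructed inline, the "single packet SYN flow" filter is taken from the paper's title rather than the abstract, and the entropy threshold of 5 bits is an assumed value for illustration, not one the paper states.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed flow records, not real traffic:
# (src_ip, dst_ip, dst_port, proto, tcp_flags, packets)
# 10.0.0.9 sprays one-packet SYNs at many distinct destinations and ports;
# 10.0.0.2 talks repeatedly to two services; 10.0.0.3 is web-only and
# 10.0.0.4 is UDP-only, so both are removed by the prefilter.
def make_flows():
    rng = random.Random(1)
    flows = []
    for i in range(400):
        flows.append(("10.0.0.9", f"192.0.2.{i % 250 + 1}",
                      rng.choice([22, 23, 445, 3389, 8080]), "tcp", "S", 1))
    for _ in range(400):
        flows.append(("10.0.0.2", rng.choice(["198.51.100.5", "198.51.100.6"]),
                      rng.choice([443, 993]), "tcp", "S", 1))
        flows.append(("10.0.0.3", "198.51.100.7", 80, "tcp", "S", 1))
        flows.append(("10.0.0.4", f"203.0.113.{rng.randint(1, 50)}", 53, "udp", "", 1))
    return flows

def prefilter(flows):
    """Step 1 (from the abstract): drop web traffic on port 80 and all non-TCP flows."""
    return [f for f in flows if f[3] == "tcp" and f[2] != 80]

def single_packet_syn(flows):
    """Assumed refinement from the title: keep only one-packet flows whose only flag is SYN."""
    return [f for f in flows if f[5] == 1 and f[4] == "S"]

def simple_random_sample(flows, rate, seed=0):
    """Step 2: uniform sampling; each record is kept independently with probability `rate`."""
    rng = random.Random(seed)
    return [f for f in flows if rng.random() < rate]

def entropy(counter):
    """Shannon entropy (bits) of the empirical distribution held in `counter`."""
    n = sum(counter.values())
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in counter.values())

def per_host_entropy(flows):
    """Step 3: for each source host, entropy of its destination IPs and of its destination ports."""
    dst_ips = defaultdict(Counter)
    dst_ports = defaultdict(Counter)
    for src, dst, port, _proto, _flags, _pkts in flows:
        dst_ips[src][dst] += 1
        dst_ports[src][port] += 1
    return {src: (entropy(dst_ips[src]), entropy(dst_ports[src])) for src in dst_ips}

def flag_scanners(host_entropy, ip_threshold=5.0):
    """Hosts whose destination-IP entropy meets the assumed threshold, sorted for stable output."""
    return sorted(src for src, (h_ip, _h_port) in host_entropy.items() if h_ip >= ip_threshold)

def run_pipeline(flows, rate=0.25, seed=0):
    """Full pipeline on sampled data; returns (entropies, flagged hosts)."""
    kept = single_packet_syn(prefilter(flows))
    sampled = simple_random_sample(kept, rate, seed)
    ent = per_host_entropy(sampled)
    return ent, flag_scanners(ent)

if __name__ == "__main__":
    flows = make_flows()
    full = per_host_entropy(single_packet_syn(prefilter(flows)))
    sampled_ent, flagged = run_pipeline(flows)
    for src in sorted(full):
        print(f"{src:10s} full H(dstIP)={full[src][0]:.2f} "
              f"sampled H(dstIP)={sampled_ent.get(src, (0.0, 0.0))[0]:.2f}")
    print("flagged:", flagged)
```

With the constructed input the scanner keeps a destination-IP entropy of several bits after a 25% sample, while the host talking to two services stays near 1 bit, which is the separation the abstract reports. In a real deployment the threshold would be calibrated against the monitored link's baseline rather than fixed at 5 bits.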


Published in

ICIS '09: Proceedings of the 2nd International Conference on Interaction Sciences: Information Technology, Culture and Human, November 2009, 1479 pages. ISBN: 9781605587103. DOI: 10.1145/1655925.

Copyright © 2009 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
