DOI: 10.1145/2656434.2656441 (research article)

Detecting subtle port scans through characteristics based on interactive visualization

Published: 13 October 2014

Abstract

Port-scan detection is vital to enterprise networks, since many intrusions begin with scanning. A port scan can be obvious or subtle in terms of the volume of network traffic it generates. In this paper, we propose a novel approach that combines a characteristic-based method with visual analytics to detect hard-to-find subtle scans as well as obvious scans in an enterprise environment. The goal of the system is to give a network security team useful information about port-scan attackers and benign hosts in a simple and efficient manner. The major components of the system are three visualizations at different semantic levels. Through several use cases, we illustrate how the system detects both obvious and subtle port-scanning activity. The analysis approach proposed in this study proves effective by identifying all the port-scan attackers in the data sets.



Published In

RIIT '14: Proceedings of the 3rd annual conference on Research in information technology
October 2014
98 pages
ISBN:9781450327114
DOI:10.1145/2656434

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. characteristic based
  2. interactive visualization
  3. port scan
  4. security visualization

Conference

SIGITE/RIIT'14: SIGITE/RIIT 2014
October 15 - 18, 2014
Atlanta, Georgia, USA

Acceptance Rates

RIIT '14 paper acceptance rate: 14 of 39 submissions (36%)
Overall acceptance rate: 51 of 116 submissions (44%)

Article Metrics

  • Downloads (Last 12 months)3
  • Downloads (Last 6 weeks)0
Reflects downloads up to 20 Feb 2025

Cited By

  • (2024) A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection. IEEE Access 12, 89363-89383. doi:10.1109/ACCESS.2024.3419068
  • (2023) Research on detection techniques for scanning attacks in software-defined network environments. 2023 4th International Conference on Computer Engineering and Application (ICCEA), 115-118. doi:10.1109/ICCEA58433.2023.10135250. Published 7 Apr 2023.
  • (2019) Predicting Network Attacks with CNN by Constructing Images from NetFlow Data. 2019 IEEE 5th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS), 61-66. doi:10.1109/BigDataSecurity-HPSC-IDS.2019.00022. Published May 2019.
  • (2018) Retracted: A Network Scanning Detection Method Based on TCP Flow State. 2018 3rd International Conference on Smart City and Systems Engineering (ICSCSE), 419-422. doi:10.1109/ICSCSE.2018.00089. Published Dec 2018.
  • (2016) Unsupervised learning clustering and self-organized agents applied to help network management. Expert Systems with Applications: An International Journal 54:C, 29-47. doi:10.1016/j.eswa.2016.01.032. Published 15 Jul 2016.
  • (2016) A fuzzy detection approach toward different speed port scan attacks based on Dempster-Shafer evidence theory. Security and Communication Networks 9:15, 2627-2640. doi:10.1002/sec.1508. Published 1 Oct 2016.
