ABSTRACT
We present a novel method for detecting slow scan attacks. Attackers gather information about vulnerabilities in hosts through scan attacks and then penetrate the systems based on the collected information; detecting scan attacks is therefore useful for preventing the attacks that follow. Intrusion detection systems (IDSs) have been proposed for detecting scan attacks, but they cannot detect slow scan attacks, which are executed slowly over a long period. In this paper, we introduce novel features that capture the difference in communication behavior between scanning hosts and benign hosts, and we propose a detection method based on these features. Furthermore, through experiments, we confirm the effectiveness of our method for detecting a slow scan attack.
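The limitation the abstract describes can be made concrete on flow records: a conventional per-time-window threshold misses a scan that spreads its probes over hours, while per-host features computed over the whole observation period still separate the scanner from a benign client. The code below is an added illustration, not the paper's method; the two features (distinct targets touched, fraction of unanswered flows) and the flow records are constructed here, since the paper's own features are not given on this page, and the addresses are RFC 5737 documentation addresses.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: float        # seconds since the start of observation
    src: str
    dst: str
    dport: int
    answered: bool  # constructed stand-in for "the server completed the handshake"


def window_rate_alerts(flows, window=60.0, threshold=20):
    """Conventional IDS-style check: alert on a source that touches more than
    `threshold` distinct (dst, dport) pairs inside any `window`-second interval."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    alerts = set()
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.t)
        start = 0
        for end in range(len(fs)):
            while fs[end].t - fs[start].t > window:   # slide the window forward
                start += 1
            if len({(f.dst, f.dport) for f in fs[start:end + 1]}) > threshold:
                alerts.add(src)
    return alerts


def behaviour_features(flows):
    """Per-source features over the WHOLE period (constructed, not the paper's):
    number of distinct (dst, dport) targets and the fraction of unanswered flows."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    return {src: (len({(f.dst, f.dport) for f in fs}),
                  sum(not f.answered for f in fs) / len(fs))
            for src, fs in by_src.items()}


def behaviour_alerts(flows, min_targets=50, min_fail=0.8):
    """Flag sources that probe many targets and are mostly unanswered."""
    return {s for s, (n, fail) in behaviour_features(flows).items()
            if n >= min_targets and fail >= min_fail}


def constructed_flows():
    flows = []
    for i in range(100):   # slow scanner: one port every 10 minutes, 4 of 100 answered
        flows.append(Flow(600.0 * i, "192.0.2.10", "198.51.100.5", 1 + i, i % 25 == 0))
    for i in range(100):   # fast scanner: same 100 ports within 50 seconds
        flows.append(Flow(0.5 * i, "192.0.2.30", "198.51.100.5", 1 + i, i % 25 == 0))
    for i in range(30):    # benign client: a burst of answered web requests
        flows.append(Flow(5.0 * i, "192.0.2.20", "198.51.100.5", 443 if i % 2 else 80, True))
    return flows
```

On this input the window check flags only the fast scanner, while the long-horizon features flag both scanners and leave the benign client alone.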