A Multi-resolution Port Scan Detection Technique for High-speed Networks

In this paper, we present a novel failed-flow dispersion estimation technique, called the multi-window state map (MWSM), which needs only a small amount of memory and a constant number of memory accesses to implement the multi-resolution concept (as used, for example, in MRDS). We then extend MWSM into a complete port scan detector. Simulation results on real-world traffic traces show that the estimator keeps the expected relative error below 0.8% and the average standard error below 9% while using less than 60% of the memory of MRDS. When extended to a complete scan detector, it produces 61% fewer false positives than an MRDS-based scan detector. Owing to its simple mechanism and architecture, the technique is well suited to hardware implementation, so we believe it is practically viable in modern high-speed intrusion detection systems.
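To make the two ideas in the abstract concrete (estimating failed-flow dispersion per source with bounded memory, and doing it at several time resolutions so that both fast and slow scanners are caught), here is an added Python illustration. It is not the paper's MWSM and not code from the authors: it uses one linear-counting bitmap per (source, window) over three tumbling windows of different lengths, and the window lengths, thresholds, bitmap size, hash function and all traffic are assumptions or constructed for the example.

```python
import hashlib
import math

# Assumed parameters: (window length in seconds, failed-destination count that
# flags a source). Short windows catch fast scanners; long windows catch slow ones.
WINDOWS = ((1.0, 20), (10.0, 30), (100.0, 40))
BITMAP_BITS = 256  # bits per (source, window) linear-counting bitmap (assumed)


def bit_index(dst, dport):
    """Hash a (destination, port) pair to one bit position; duplicates collapse."""
    digest = hashlib.blake2b(f"{dst}:{dport}".encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big") % BITMAP_BITS


def linear_count(bitmap):
    """Estimate the number of distinct items hashed into the bitmap
    (linear counting: n ~ -m * ln(zero_bits / m))."""
    zeros = BITMAP_BITS - bin(bitmap).count("1")
    if zeros == 0:
        return float(BITMAP_BITS)  # saturated; true count is at least this
    return -BITMAP_BITS * math.log(zeros / BITMAP_BITS)


class MultiWindowScanDetector:
    """Per-source failed-flow dispersion at several resolutions.

    Each observed failed flow costs exactly len(WINDOWS) bitmap updates,
    so the number of memory accesses per flow is constant.
    """

    def __init__(self, windows=WINDOWS):
        self.windows = windows
        self.state = {}   # (src, window_len) -> [window_id, bitmap]
        self.alerts = {}  # src -> set of window lengths at which it was flagged

    def observe(self, ts, src, dst, dport, failed):
        if not failed:
            return  # only failed flows contribute to dispersion here
        pos = bit_index(dst, dport)
        for length, threshold in self.windows:
            wid = int(ts // length)
            key = (src, length)
            entry = self.state.get(key)
            if entry is None or entry[0] != wid:
                entry = [wid, 0]  # tumbling window rolled over: reset bitmap
                self.state[key] = entry
            entry[1] |= 1 << pos
            if linear_count(entry[1]) >= threshold:
                self.alerts.setdefault(src, set()).add(length)


def sample_flows():
    """Constructed traffic records: (ts, src, dst, dport, failed)."""
    flows = []
    # Fast vertical scan: 60 ports on one host within 0.6 s.
    for i in range(60):
        flows.append((5.0 + i * 0.01, "10.0.0.5", "192.0.2.10", 1 + i, True))
    # Slow horizontal scan: a new host every ~1.7 s for ~100 s.
    for i in range(60):
        flows.append((i * 1.66, "10.0.0.7", f"192.0.2.{100 + i}", 22, True))
    # Benign client: 20 connections to one service, 3 of them failing.
    for i in range(20):
        flows.append((i * 4.0, "10.0.0.9", "192.0.2.50", 443, i % 7 == 0))
    return sorted(flows)


def run_detection(flows=None):
    """Feed the flows through the detector and return {src: flagged windows}."""
    detector = MultiWindowScanDetector()
    for ts, src, dst, dport, failed in (flows or sample_flows()):
        detector.observe(ts, src, dst, dport, failed)
    return detector.alerts


if __name__ == "__main__":
    for src, lengths in sorted(run_detection().items()):
        print(src, "flagged at window lengths", sorted(lengths))
```

The fast scanner is flagged in the 1 s window, the slow scanner only in the 100 s window (it never accumulates more than a handful of failures in any shorter window), and the benign client is never flagged because its three failures hit the same destination and port and therefore occupy a single bit. Memory is bounded at one bitmap per (active source, window), and the estimation error of linear counting grows as the bitmap fills, which is the accuracy-versus-memory trade-off the abstract's relative and standard error figures quantify for MWSM.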
