How can sliding HyperLogLog and EWMA detect port scan attacks in IP traffic?

IP networks are constantly targeted by new denial-of-service techniques (SYN flooding, port scans, UDP flooding, etc.), causing service disruption and considerable financial damage. Detecting DoS attacks on-line in today's high-bit-rate IP traffic is a major challenge. In this paper we propose an on-line algorithm for port scan detection. It is composed of two complementary parts. First, a probabilistic counting part estimates the number of distinct destination ports by adapting a method called 'sliding HyperLogLog' to the context of port scans in IP traffic. Second, a decisional mechanism is applied to the estimated number of destination ports in order to detect, in real time, any behaviour that could be related to malicious traffic. This second part is mainly based on the exponentially weighted moving average (EWMA) algorithm, which we adapted to on-line analysis by adding a learning step (assumed to be free of attacks) and by improving its update mechanism. The resulting port scan detection method is tested against real IP traffic containing some attacks. It detects all the port scan attacks within a very short response time (about 30 s) and without any false positive. The algorithm uses a very small total memory of less than 22 kb and estimates the number of destination ports with very good accuracy (a relative error of about 3.25%), which is in agreement with the theoretical bounds provided by the sliding HyperLogLog algorithm.
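As an added illustration, not code from the paper, the following Python sketches the two parts the abstract describes: a sliding HyperLogLog estimate of the distinct destination ports seen in a 30 s window, fed into an EWMA chart whose mean and standard deviation are fixed during an attack-free learning step. The register count (p=10), the chart parameters (λ=0.3, L=3), the rule of not updating the EWMA statistic while it is alarming, and the constructed sample traffic are our assumptions, not the paper's.

```python
import hashlib, math, random
class SlidingHLL:
    """Sliding-window HyperLogLog: per register, the (ts, rank) pairs that may still be its max."""
    def __init__(self, p=10, window=30.0):
        self.p, self.m, self.window, self.regs = p, 1 << p, window, [[] for _ in range(1 << p)]
    def add(self, item, ts):  # timestamps must arrive in non-decreasing order
        h = int.from_bytes(hashlib.sha1(item.encode()).digest()[:8], "big")
        idx, w = h >> (64 - self.p), h & ((1 << (64 - self.p)) - 1)
        rank = (64 - self.p) - w.bit_length() + 1  # position of the leftmost 1 bit
        lst = self.regs[idx]
        while lst and lst[-1][1] <= rank:  # older and not larger: can never be the max again
            lst.pop()
        lst.append((ts, rank))  # ranks now strictly decrease from oldest to newest pair
    def estimate(self, now):
        zeros, acc = 0, 0.0
        for lst in self.regs:
            while lst and lst[0][0] <= now - self.window:  # expire pairs outside the window
                lst.pop(0)
            r = lst[0][1] if lst else 0  # oldest surviving pair holds the register maximum
            zeros, acc = zeros + (r == 0), acc + 2.0 ** -r
        est = 0.7213 / (1 + 1.079 / self.m) * self.m ** 2 / acc
        return self.m * math.log(self.m / zeros) if est <= 2.5 * self.m and zeros else est
class EwmaDetector:
    """EWMA chart; learning phase fixes mean/std, statistic frozen while alarming (our assumption)."""
    def __init__(self, learn=10, lam=0.3, L=3.0):
        self.learn, self.lam, self.L, self.samples, self.z = learn, lam, L, [], None
    def update(self, x):
        if self.z is None:  # learning step: collect attack-free samples, then fix mu and sigma
            self.samples.append(x)
            if len(self.samples) == self.learn:
                self.mu = sum(self.samples) / self.learn
                sd = math.sqrt(sum((s - self.mu) ** 2 for s in self.samples) / self.learn)
                self.sigma, self.z = max(sd, 1e-9), self.mu
            return False
        limit = self.mu + self.L * self.sigma * math.sqrt(self.lam / (2 - self.lam))
        z_new = self.lam * x + (1 - self.lam) * self.z
        if z_new <= limit:
            self.z = z_new  # no alarm: keep tracking the attack-free baseline
        return z_new > limit
def simulate(seed=1):
    """Constructed sample traffic: 20 attack-free windows (20/22/24 ports), then 5 scanning 600."""
    rng, hll, det, ests, alarms = random.Random(seed), SlidingHLL(), EwmaDetector(), [], []
    for win in range(25):
        n = 20 + 2 * (win % 3) if win < 20 else 600
        for k in range(n):
            port = rng.randrange(1024, 65536) if win < 20 else 1024 + k
            hll.add(f"10.0.0.5:{port}", ts=win * 30.0 + 30.0 * (k + 1) / (n + 1))
        ests.append(hll.estimate(now=(win + 1) * 30.0))
        alarms.append(det.update(ests[-1]))
    return ests, alarms
```

With these settings the 20 attack-free windows raise no alarm and every scan window does, while the 600-port window is estimated to within a few percent, the regime in which HyperLogLog falls back to linear counting.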
