Scalable Double Filter Structure for Port Scan Detection

Port scan detection is very important to predict network intrusions and prevent viruses from spreading. Many networks deploy Network Intrusion Detection Systems (NIDS) to detect port scans in real-time. However, most NIDS are perflow based. They are not scalable on high speed links since it is infeasible to maintain the states of numerous flows. In this paper, we propose a scalable scheme for real-time port scan detection without keeping any per-flow state. We use a double-filter structure to find out pairs which connect to more than N pairs in T time. The experimental results on real network traces show that our scheme can find out those over-threshold pairs with high accuracy. It is easy to scale our scheme to high speed environments due to its little memory consumption and fast processing pipeline.

[1]  Stuart Staniford-Chen,et al.  Practical Automated Detection of Stealthy Portscans , 2002, J. Comput. Secur..

[2]  Hari Balakrishnan,et al.  Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[3]  Cheng Guang A Hash Algorithm for IP Flow Measurement , 2005 .

[4]  Robert K. Cunningham,et al.  A taxonomy of computer worms , 2003, WORM '03.

[5]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[6]  George Varghese,et al.  New directions in traffic measurement and accounting , 2002, CCRV.

[7]  Biswanath Mukherjee,et al.  A network security monitor , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[8]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[9]  George Varghese,et al.  On the difficulty of scalably detecting network attacks , 2004, CCS '04.

[10]  Kotagiri Ramamohanarao,et al.  A probabilistic approach to detecting network scans , 2002, NOMS 2002. IEEE/IFIP Network Operations and Management Symposium. ' Management Solutions for the New Communications World'(Cat. No.02CH37327).