Port-scanning and OS fingerprinting exploit weaknesses of TCP/IP to intrude into a computer network. Prevention, detection and countermeasures are the three anti-intrusion approaches. This paper deals with the detection of port-scanning and OS fingerprinting using clustering. A workbench for simulating port-scanning and OS fingerprinting has been set up. Live network traffic is captured, which includes intrusive as well as non-intrusive sessions. The captured traffic is preprocessed to generate, per session, the session duration, total number of packets, percentage of destination ports in the range 1–1023, number of fragmented packets, average datagram length, average number of packets per destination, and the numbers of TCP, UDP, ICMP and ARP packets. Sessions are labeled as intrusive (sessions containing port-scans and OS detection) or non-intrusive (sessions without port-scans and OS detection). The labels are used only to verify the results, not for detection. Scatterplots are drawn using these parameters, and outliers are clearly visible in them. On verification against the actual data, the outliers are found to represent intrusive sessions. This result is also validated through hierarchical clustering, and it confirms one of the possibilities mentioned in the future-work section of Leonid Portnoy [3].
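The feature set and the outlier idea described in the abstract, as an added example that is not the paper's own code: it builds the per-session features the abstract lists from a constructed packet log (the session identifier, the `Packet` fields, the benign and scan sessions and the z-score distance used for scoring are all assumptions made here, since the paper gives no code), standardizes each feature across sessions and scores every session by its distance from the centroid, so that a sequential connect scan stands apart from ordinary web sessions the way the abstract's outliers do.

```python
"""Per-session feature extraction and outlier scoring for scan detection.

Added example, not from the paper. Feature names follow the abstract; the
packet layout, sample sessions and scoring rule are assumptions made here.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Packet:
    session: str      # session id, assumed assigned by the capture preprocessor
    ts: float         # capture time in seconds
    proto: str        # "TCP", "UDP", "ICMP" or "ARP"
    dst: str          # destination address
    dport: int        # destination port; 0 for protocols without ports
    length: int       # datagram length in bytes
    fragmented: bool  # fragment flag


FEATURES = ("duration", "total_packets", "pct_low_ports", "fragmented",
            "avg_length", "avg_per_dst", "tcp", "udp", "icmp", "arp")


def session_features(pkts):
    """Summarize one session with the feature set named in the abstract."""
    n = len(pkts)
    ts = [p.ts for p in pkts]
    ported = [p for p in pkts if p.proto in ("TCP", "UDP")]
    low = sum(1 for p in ported if 1 <= p.dport <= 1023)

    def count(proto):
        return sum(1 for p in pkts if p.proto == proto)

    return {
        "duration": max(ts) - min(ts),
        "total_packets": n,
        "pct_low_ports": 100.0 * low / len(ported) if ported else 0.0,
        "fragmented": sum(1 for p in pkts if p.fragmented),
        "avg_length": sum(p.length for p in pkts) / n,
        "avg_per_dst": n / len({p.dst for p in pkts}),
        "tcp": count("TCP"), "udp": count("UDP"),
        "icmp": count("ICMP"), "arp": count("ARP"),
    }


def feature_table(packets):
    """Group packets by session and compute one feature row per session."""
    by_session = defaultdict(list)
    for p in packets:
        by_session[p.session].append(p)
    return {s: session_features(v) for s, v in by_session.items()}


def outlier_scores(table):
    """z-score each feature across sessions; a session's score is the L2 norm
    of its z-vector. Features with zero spread carry no information and are
    skipped (otherwise they would divide by zero)."""
    sessions = list(table)
    scale = {f: (mean([table[s][f] for s in sessions]),
                 pstdev([table[s][f] for s in sessions])) for f in FEATURES}
    scores = {}
    for s in sessions:
        sq = 0.0
        for f in FEATURES:
            m, sd = scale[f]
            if sd > 0:
                sq += ((table[s][f] - m) / sd) ** 2
        scores[s] = sq ** 0.5
    return scores


def flag_outliers(scores, factor=2.0):
    """Sessions whose score exceeds `factor` times the median score."""
    threshold = factor * median(scores.values())
    return {s for s, v in scores.items() if v > threshold}


# ---- constructed sample traffic (not captured data) ----
def benign_session(name, host, t0, n_tcp):
    """Small web session: TCP to 443, one DNS query, one ping, one ARP."""
    pkts = [Packet(name, t0 + i, "TCP", host, 443, 1200, False)
            for i in range(n_tcp)]
    t = t0 + n_tcp
    pkts += [Packet(name, t, "UDP", "10.0.0.2", 53, 80, False),
             Packet(name, t + 1, "ICMP", host, 0, 84, False),
             Packet(name, t + 2, "ARP", "10.0.0.1", 0, 42, False)]
    return pkts


def scan_session(name, host, t0):
    """Sequential connect attempts to 60 ports, SYN-sized 60-byte packets."""
    return [Packet(name, t0 + i, "TCP", host, 1000 + i, 60, False)
            for i in range(60)]


SAMPLE = (benign_session("S1", "10.0.0.5", 0, 4)
          + benign_session("S2", "10.0.0.6", 100, 5)
          + benign_session("S3", "10.0.0.7", 200, 6)
          + benign_session("S4", "10.0.0.8", 300, 5)
          + scan_session("S5", "10.0.0.9", 400))


def analyse(packets=SAMPLE):
    """Return (feature table, outlier scores, flagged sessions)."""
    table = feature_table(packets)
    scores = outlier_scores(table)
    return table, scores, flag_outliers(scores)


if __name__ == "__main__":
    table, scores, flagged = analyse()
    for s in table:
        row = {k: round(v, 2) for k, v in table[s].items()}
        print(s, row, "score=%.2f" % scores[s])
    print("outliers:", sorted(flagged))
```

The scan session is extreme on almost every feature at once (long duration, many packets, many packets to a single destination, tiny average datagram, a low share of well-known ports, no UDP/ICMP/ARP), which is why a plain distance in standardized feature space separates it; the labels are never used, matching the abstract's point that labeling serves verification only.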
[1] Stuart Staniford-Chen et al., "Practical Automated Detection of Stealthy Portscans," J. Comput. Secur., 2002.
[2] Ramesh C. Agarwal et al., "PNrule: A New Framework for Learning Classifier Models in Data Mining (A Case-Study in Network Intrusion Detection)," SDM, 2001.
[3] Leonid Portnoy et al., "Intrusion detection with unlabeled data using clustering," 2000.
[4] Karl N. Levitt et al., "GrIDS: A Graph-Based Intrusion Detection System for Large Networks," 1996.
[5] Todd L. Heberlein et al., "Network intrusion detection," IEEE Network, 1994.