论文信息 - Inter-domain stealthy port scan detection through complex event processing

Inter-domain stealthy port scan detection through complex event processing

Large enterprises are nowadays complex interconnected software systems spanning over several domains. This new dimension makes difficult for enterprises the task of enabling efficient security defenses. This paper addresses the problem of detecting inter-domain stealthy port scans and proposes an architecture of an Intrusion Detection System which uses, for such purpose, an open source Complex Event Processing engine named Esper. Esper provides low cost of ownership and high flexibility. The architecture consists of software sensors deployed at different enterprise domains. Each sensor sends events to the Esper event processor for correlation. We implemented an algorithm for the detection of interdomain SYN port scans named Rank-based SYN (R-SYN) port scan detection algorithm. It combines and adapts three detection techniques in order to obtain a unique global statement about the malicious behavior of host activities. An evaluation of the accuracy of our approach has been carried out using several traces, some of which including original traffic dumps, some others altered by injecting packets that simulate port scan activities. Accuracy results show that our algorithm is able to produce a list of scanners characterized by high detection and low false positive rates.

Roberto Baldoni | Giorgia Lodi | Leonardo Aniello

[1] Christopher Leckie,et al. Evaluation of a Decentralized Architecture for Large Scale Collaborative Intrusion Detection , 2007, 2007 10th IFIP/IEEE International Symposium on Integrated Network Management.

[2] Malgorzata Steinder,et al. A scalable application placement controller for enterprise data centers , 2007, WWW '07.

[3] Christian Kreibich,et al. Policy-controlled event management for distributed intrusion detection , 2005, 25th IEEE International Conference on Distributed Computing Systems Workshops.

[4] Ugur Çetintemel,et al. Plan-based complex event detection across distributed sources , 2008, Proc. VLDB Endow..

[5] Wenming Guo,et al. TCP portscan detection based on single packet flows and entropy , 2009, ICIS '09.

[6] Stuart Staniford-Chen,et al. Practical Automated Detection of Stealthy Portscans , 2002, J. Comput. Secur..

[7] Yoonho Park,et al. Implementing a high-volume, low-latency market data processing system on commodity hardware using IBM middleware , 2009, WHPCF '09.

[8] Hari Balakrishnan,et al. Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.