Surveying Port Scans and Their Detection Methodologies

Port scanning of hosts on the Internet is a frequent occurrence. An attacker port-scans ranges of Internet Protocol addresses to find vulnerable hosts to compromise; for system administrators and other network defenders, in turn, detecting port scans is useful because they may be preliminaries to more serious attacks. Recognizing instances of malicious port scanning is a very difficult task: in general, a given port scan may originate from an attacker or from network defenders. In this survey, we present research and development trends in this area, including a discussion of common port scan attacks. We compare port scan detection methods by type, mode of detection, mechanism used for detection and other characteristics. The survey also reports on the available data sets and evaluation criteria for port scan detection approaches.
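The abstract describes detection mechanisms only in the abstract; the following added example (not code from the survey or from any system it reviews) shows the simplest mechanism in that family, a per-source sliding-window threshold on distinct destination ports, run over constructed flow records. The record format (`<ts> <src> <dst> <dport> <state>`), the connection-state labels `S0`/`REJ`/`SF` and the window and threshold values are all assumptions chosen for the example; the slow-scanner source shows why a fixed window is a trade-off rather than a complete answer.

```python
"""Threshold-based port scan detector over constructed flow records."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60.0   # sliding window per source address (assumed tuning value)
PORT_THRESHOLD = 10     # distinct destination ports within the window that raise an alert


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <state>'."""
    ts, src, dst, dport, state = line.split()
    return float(ts), src, dst, int(dport), state


def detect_port_scans(lines, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return a list of (src, window_start_ts, distinct_targets) alerts.

    For each source address, keep the (dst, dport) pairs seen in the last
    `window` seconds and alert once per source when the number of distinct
    pairs reaches `threshold`. Completed connections (state 'SF') are not
    counted: a scanner mostly hits closed or filtered ports, so only flows
    that got no reply (S0) or a reset (REJ) are treated as probe evidence.
    Records for a given source are assumed to arrive in time order.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, state = parse_flow(line)
        if state == "SF":
            continue  # legitimate completed connection, not evidence of scanning
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > window:   # expire probes older than the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], len(distinct)))
    return alerts


def build_sample_log():
    """Constructed records: a fast scanner, a slow scanner and a benign client."""
    lines = []
    # Fast scanner: one probe per second against 12 ports, none completes.
    for i in range(12):
        lines.append(f"{100 + i} 203.0.113.5 192.0.2.10 {20 + i} S0")
    # Slow scanner: the same 12 ports, one probe every 25 s, so at most
    # three probes ever share a 60 s window and the default threshold is never met.
    for i in range(12):
        lines.append(f"{1000 + 25 * i} 198.51.100.7 192.0.2.10 {20 + i} S0")
    # Benign client: two completed connections plus one rejected attempt.
    lines += [
        "150 192.0.2.50 192.0.2.10 80 SF",
        "151 192.0.2.50 192.0.2.10 443 SF",
        "152 192.0.2.50 192.0.2.10 8080 REJ",
    ]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window :", detect_port_scans(log))
    # Widening the window catches the slow scanner too, at the cost of more
    # per-source state and a higher chance of flagging bursty legitimate clients.
    print("400 s window:", detect_port_scans(log, window=400.0))
```

With the default 60 s window only the fast scanner is reported; with a 400 s window the slow scanner is reported as well. Which setting is right depends on how much state the monitor can hold and how many legitimate clients touch many ports in a short time, which is exactly the kind of trade-off the comparison criteria in the abstract (type, mode and mechanism of detection) are meant to expose.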
