A novel threshold-based scan detection method using genetic algorithm

To attack a network, an attacker must first find its vulnerable points, and this reconnaissance is done through scanning. Many scan detection methods exist, and most of them are based on thresholding: a source is flagged once its activity exceeds a threshold within a time window. Choosing a proper threshold is crucial and depends on many parameters, such as the network structure and the length of the time window. In this study we propose a new scan detection method based on a genetic algorithm (GA). The method has two phases. In the first phase we separate normal traffic from suspicious traffic and pass only the suspicious traffic to the second phase, which reduces the processing overhead of the second phase considerably. In the second phase we detect scans using two parameters, the threshold and the memory (the length of history retained per source), whose optimum values are found by the GA. We compared our method with Snort. The results show that our method achieves a better hit rate and a lower false alarm rate.
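The following is an added illustration of the two-phase scheme described above; it is not the authors' code, and the abstract does not give their pre-filter, scoring rule or GA fitness function. All of those are assumptions here: phase 1 drops any source that only ever contacted a single (destination, port) pair, phase 2 alarms when a source has contacted at least `threshold` distinct (destination, port) targets within a sliding window of `memory` seconds, and the GA maximises hit rate minus false alarm rate on a constructed, labelled set of flows (the IP addresses and the two scanning sources are made up for the example).

```python
"""Two-phase, threshold-based scan detector whose (threshold, memory) parameters
are tuned by a small genetic algorithm. Added example, not the paper's code."""
import random
from collections import defaultdict

# Constructed sample flows: (time_s, src_ip, dst_ip, dst_port). Not real traffic.
def make_flows():
    flows = []
    for t in range(0, 60, 5):                       # benign client, two services
        flows.append((t, "10.0.0.2", "192.0.2.10", 443))
        flows.append((t + 1, "10.0.0.2", "192.0.2.11", 80))
    for t in range(0, 60, 20):                      # benign mail client, one service
        flows.append((t, "10.0.0.3", "192.0.2.25", 25))
    for i in range(40):                             # vertical scan: 40 ports, one host
        flows.append((10 + i * 0.2, "10.0.0.9", "192.0.2.50", i + 1))
    for i in range(30):                             # horizontal scan: port 22, 30 hosts
        flows.append((30 + i * 0.5, "10.0.0.7", "192.0.2.%d" % (100 + i), 22))
    return sorted(flows)

SCANNERS = {"10.0.0.9", "10.0.0.7"}                 # ground truth for the sample data

def phase1_filter(flows):
    """Phase 1 (assumed rule): a source that only ever talked to one
    (dst_ip, dst_port) pair cannot be scanning, so its flows are dropped
    before the per-window analysis."""
    targets = defaultdict(set)
    for _, src, dst, port in flows:
        targets[src].add((dst, port))
    suspicious = {s for s, t in targets.items() if len(t) > 1}
    return [f for f in flows if f[1] in suspicious]

def phase2_detect(flows, threshold, memory):
    """Phase 2: per-source sliding window of `memory` seconds; alarm when the
    distinct (dst_ip, dst_port) targets in the window reach `threshold`.
    Returns the set of alarmed sources."""
    window = defaultdict(list)          # src -> [(time, target)] inside the window
    alarms = set()
    for t, src, dst, port in flows:
        w = window[src]
        w.append((t, (dst, port)))
        while w and t - w[0][0] > memory:   # forget events older than `memory`
            w.pop(0)
        if len({tgt for _, tgt in w}) >= threshold:
            alarms.add(src)
    return alarms

def evaluate(alarms, all_sources, scanners):
    """Hit rate over known scanners, false alarm rate over benign sources."""
    hit_rate = len(alarms & scanners) / len(scanners) if scanners else 0.0
    benign = all_sources - scanners
    fa_rate = len(alarms & benign) / len(benign) if benign else 0.0
    return hit_rate, fa_rate

def fitness(genome, flows, sources, scanners):
    """Assumed GA objective: reward hits, penalise false alarms equally."""
    hr, far = evaluate(phase2_detect(flows, *genome), sources, scanners)
    return hr - far

def ga_optimize(flows, scanners, generations=30, pop_size=20, seed=1):
    """Search (threshold, memory) with tournament selection, uniform
    crossover of the two genes, small mutations and elitism."""
    rng = random.Random(seed)
    sources = {f[1] for f in flows}
    suspect = phase1_filter(flows)      # phase 2 only ever sees suspicious traffic
    t_lo, t_hi, m_lo, m_hi = 2, 60, 1, 120

    def score(g):
        return fitness(g, suspect, sources, scanners)

    def mutate(g):
        thr, mem = g
        if rng.random() < 0.3:
            thr = min(t_hi, max(t_lo, thr + rng.randint(-5, 5)))
        if rng.random() < 0.3:
            mem = min(m_hi, max(m_lo, mem + rng.randint(-10, 10)))
        return (thr, mem)

    def tournament(ranked):
        i, j = rng.randrange(pop_size), rng.randrange(pop_size)
        return ranked[min(i, j)]        # lower index = higher fitness

    pop = [(rng.randint(t_lo, t_hi), rng.randint(m_lo, m_hi)) for _ in range(pop_size)]
    for _ in range(generations):
        ranked = sorted(pop, key=score, reverse=True)
        nxt = ranked[:2]                # elitism: keep the two best unchanged
        while len(nxt) < pop_size:
            a, b = tournament(ranked), tournament(ranked)
            child = (a[0], b[1]) if rng.random() < 0.5 else (b[0], a[1])
            nxt.append(mutate(child))
        pop = nxt
    return max(pop, key=score)

if __name__ == "__main__":
    flows = make_flows()
    best = ga_optimize(flows, SCANNERS)
    alarms = phase2_detect(phase1_filter(flows), *best)
    print("best (threshold, memory):", best, "hit/FA:",
          evaluate(alarms, {f[1] for f in flows}, SCANNERS))
```

On this sample, a naive setting such as threshold 2 with a 10-second memory detects both scanners but also alarms on the benign client that uses two services, whereas the GA converges on a threshold of at least 3, which the same client never reaches. Note the caveat this makes visible: the optimum found depends entirely on the labelled traffic used for fitness, so a threshold tuned on one network or one window length should not be assumed to transfer to another.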

[1] D. M. Green et al. Signal detection theory and psychophysics, 1966.

[2] Seung-Woo Seo et al. An automatic portscan detection system with adaptive threshold setting, 2010, Journal of Communications and Networks.

[3] Wei Li et al. Using Genetic Algorithm for Network Intrusion Detection, 2004.

[4] Neil A. Macmillan et al. Detection Theory: A User's Guide, 1991.

[5] Michel Cukier et al. An experimental evaluation to determine if port scans are precursors to an attack, 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[6] Keeseong Cho et al. A Modified Multi-Resolution Approach for Port Scan Detection, 2010, 2010 IEEE Global Telecommunications Conference (GLOBECOM 2010).

[7] Hossein Shirazi et al. An Intelligent Intrusion Detection System Using Genetic Algorithms and Features Selection, 2010.

[8] Aiko Pras et al. An Overview of IP Flow-Based Intrusion Detection, 2010, IEEE Communications Surveys & Tutorials.

[9] Hari Balakrishnan et al. Fast portscan detection using sequential hypothesis testing, 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings.

[10] Gouda I. Salama et al. Performance Evaluation of a Genetic Algorithm Based Approach to Network Intrusion Detection System, 2009.

[11] Vern Paxson et al. Bro: a system for detecting network intruders in real-time, 1998, Comput. Networks.

[12] Martin Roesch et al. Snort - Lightweight Intrusion Detection for Networks, 1999.

[13] Vyas Sekar et al. A Multi-Resolution Approach for Worm Detection and Containment, 2006, International Conference on Dependable Systems and Networks (DSN'06).

[14] Richard Lippmann et al. The 1999 DARPA off-line intrusion detection evaluation, 2000, Comput. Networks.