Slow Port Scanning Detection
Date
2014
Publisher
UNIVERSITY OF M’SILA- FACULTY OF MATHEMATICS AND INFORMATICS - Department of Computer Science
Abstract
Port scanning represents a sizable portion of today's Internet traffic. An attacker performs port scans of IP addresses to find vulnerable hosts to compromise. Port scanning detection has received a lot of attention from researchers. However, a slow port scan attack can deceive most existing Intrusion Detection Systems (IDS). In this project, we present a new, simple, and efficient method for detecting slow port scans. Our proposed method is composed of two phases: (1) a feature collection phase that analyzes network traffic and extracts the features needed to classify a given IP as malicious or not, and (2) a classification phase that divides the IPs, based on the collected features, into two groups: suspicious IPs and scanner IPs. IPs classified as suspicious by our approach are kept, together with the destination ports they contact, for the next K time windows for further examination, to decide whether they are scanners or legitimate users. A small Local Area Network was put together to test the proposed method. The experiments show the effectiveness of our method in correctly identifying malicious scanners when both normal and slow port scans were performed using the three most common TCP port scanning techniques (TCP SYN, half-connect, FIN).
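The two-phase scheme in the abstract (collect per-window features, classify into suspicious and scanner IPs, retain suspicious IPs and their destination ports for K further windows) can be illustrated with a small detector. The following Python is an added example written for this page, not code from the thesis: the feature it collects (distinct destination ports contacted by a source IP per time window), the thresholds, and the sample flow records are all assumptions chosen to show why single-window thresholds miss a slow scanner while K-window retention catches it.

```python
from collections import defaultdict

# Constructed sample flow records, not captured data: (seconds since start, source IP, destination port).
# A single target host is assumed so the feature reduces to "distinct destination ports per window".
SAMPLE_FLOWS = [
    # 10.0.0.5: fast scanner, eight distinct ports inside one 60 s window
    *[(5 + i, "10.0.0.5", p) for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143])],
    # 10.0.0.9: slow scanner, only two new ports per 60 s window
    (10, "10.0.0.9", 21), (40, "10.0.0.9", 22),
    (70, "10.0.0.9", 23), (100, "10.0.0.9", 25),
    (130, "10.0.0.9", 53), (160, "10.0.0.9", 80),
    (190, "10.0.0.9", 110), (220, "10.0.0.9", 143),
    # 10.0.0.7: legitimate browsing, the same two ports in every window
    *[(t, "10.0.0.7", p) for t in (15, 75, 135, 195, 255) for p in (80, 443)],
]


def detect_slow_scans(flows, window=60, k=4, suspicious_ports=2, scanner_ports=6):
    """Return (verdicts, alerts).

    verdicts maps each source IP to 'scanner', 'suspicious' or 'benign';
    alerts lists (window index, source IP, distinct ports seen) for every scanner verdict.
    Thresholds are illustrative assumptions, not values from the thesis.
    """
    # Phase 1, feature collection: distinct destination ports per source IP per window.
    by_window = defaultdict(lambda: defaultdict(set))
    for t, src, port in flows:
        by_window[int(t // window)][src].add(port)
    last = max(by_window) if by_window else -1

    tracked = {}   # suspicious src -> [accumulated port set, retention windows left]
    verdicts = {}
    alerts = []
    for w in range(last + 1):          # walk every window, including empty ones
        added_now = set()
        # Phase 2, classification: one window's features plus what was retained earlier.
        for src, ports in by_window.get(w, {}).items():
            if verdicts.get(src) == "scanner":
                continue               # already reported; nothing more to decide
            if src in tracked:
                tracked[src][0] |= ports       # suspicious IP: keep collecting its ports
                seen = tracked[src][0]
            else:
                seen = ports
            if len(seen) >= scanner_ports:
                verdicts[src] = "scanner"
                alerts.append((w, src, len(seen)))
                tracked.pop(src, None)
            elif src not in tracked and len(ports) >= suspicious_ports:
                tracked[src] = [set(ports), k]  # retain for the next K windows
                added_now.add(src)
                verdicts[src] = "suspicious"
            elif src not in tracked:
                verdicts.setdefault(src, "benign")
        # Retention bookkeeping: a suspicious IP that never reaches the scanner
        # threshold within K further windows is released as a legitimate user.
        for src in list(tracked):
            if src in added_now:
                continue               # the window it was added in does not count
            tracked[src][1] -= 1
            if tracked[src][1] <= 0:
                del tracked[src]
                verdicts[src] = "benign"
    return verdicts, alerts


if __name__ == "__main__":
    verdicts, alerts = detect_slow_scans(SAMPLE_FLOWS)
    for w, src, n in alerts:
        print(f"window {w}: {src} flagged as scanner after {n} distinct ports")
    print(verdicts)
```

Running this flags 10.0.0.5 in window 0 and 10.0.0.9 in window 2, once its retained port set reaches six distinct ports, while 10.0.0.7 is released as benign after K windows because its port set never grows. Calling `detect_slow_scans(SAMPLE_FLOWS, k=1)` shows the failure mode the abstract describes: without retention across windows the slow scanner's two ports per window never cross the scanner threshold and it is never reported.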
Keywords
Intrusion Detection System, Port Scanning