Improving the Detection of On-Line Vertical Port Scan in IP Traffic

Improving the Detection of On-Line Vertical Port Scan in IP Traffic

Christine Fricker (INRIA, Le Chesnay, France), Philippe Robert (INRIA, Le Chesnay, France) and Yousra Chabchoub (ISEP, Paris, France)
Copyright: © 2014 |Pages: 14
DOI: 10.4018/ijsse.2014010104

Abstract

The authors propose in this paper an on-line algorithm based on Bloom filters to detect port scan attacks in IP traffic. Only relevant information about destination IP addresses and destination ports are stored in two steps in a two-dimensional Bloom filter. This algorithm can be indefinitely performed on a real traffic stream thanks to a new adaptive refreshing scheme that closely follows traffic variations. It is a scalable algorithm able to deal with IP traffic at a very high bit rate thanks to the use of hashing functions over a sliding window. Moreover it does not need any a priori knowledge about traffic characteristics. When tested against real IP traffic, the proposed on-line algorithm performs well in the sense that it detects all the port scan attacks within a very short response time of only 10 seconds without any false positive.
Article Preview

Introduction

Problem Statement

We address in this paper the problem of designing an on-line algorithm for identifying port scan attacks in IP traffic. A port scan is a method of determining whether particular services are available on a host or a network by observing responses to connection attempts (Devivo, 1999). The received information is exploited to identify weaknesses and vulnerabilities of the host and to launch therefore more serious attacks. Several attack tools are now available and can easily be used (see (Nmap; Foundstone) and (Nessus)). Port scan can be launched from one or several sources. In this latter case, we are dealing with distributed attacks, which are more difficult to detect as the contribution of each source can be considered as legitimate traffic. According to Staniford (2002) port scan attacks can be classified into two categories:

  • 1.

    Vertical scan consisting of scanning a big number of destination ports of a single destination address.

  • 2.

    Horizontal scan when many IP addresses are scanned (generally within the same subnet), on one or several ports.

Purchase this article to continue reading all 14 pages >

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing