Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

Da-Wen Huang,Fengji Luo,Jichao Bi,Mingyang Sun

DOI: https://doi.org/10.1109/tifs.2022.3191491

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deploying Intrusion Detection Systems (IDSs) is an essential way to enhance the security of Multi-hop Clustered Wireless Sensor Networks (MCWSNs). The conventional IDS deployment architectural designs show limitations in ensuring the security of MCWSNs due to the limited monitoring range of the nodes. This paper proposes an efficient IDS deployment architecture for MCWSNs. The architecture is a hybrid design, in which the cluster heads and the sink collaboratively act as IDS agents to monitor the entire network and perform intrusion detection. Based on the new architecture, this paper proposes a resource allocation model to optimally allocate resources among the IDS agents so that the network’s security metric can be maximized. A comprehensive analytical framework is proposed to analyze the optimality of the model’s solution, and an efficient computational approach is developed to obtain the optimal resource allocation strategy. Extensive numerical simulation and comparison studies are conducted to validate the proposed method.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

CAI Hongmin,WU Naiqi,TENG Shaohua

DOI: https://doi.org/10.3969/j.issn.2095-347x.2007.02.026

2007-01-01

Abstract:This article introduces the theorys and the methods of the detection of port scanning and OS scanning,and put forward a model of detecting port scanning and OS scanning.It can effectively detects many types of attack of scanning,by capturing the network packets and matching the snort rules.In the end,the article introduced the significance and prospect of the model.

Qianli Zhang,Xing Li

1999-01-01

Abstract:In order to present large-scale malicious attacks on an ISP network to maintain network services, we have designed a method to record key packets classified by sessions. Session is the service provided above the IP layer. We define a TCP connection a session, a UDP packet exchange a session, or echo and echo response of ICMP to be a session. The research of network attack/intrusion/information collection has shown that most of the illegal action performed would have something special ongoing in such sessions. For example, winnuke will send OOB packets to the 139 port of a host; most of the platform detection will use strange packets too. Not only the strange packets itself, but the sequence of such packets going through the network indicate the attack. For example, teardrop will transmit packets that have abnormal fragment offset in the second packet, then cause some platform to crash. Some patterns of sessions will be created by flood based attack/information collection. For example, the SYN flood will create a pile SYN-SYN ACK-RST packets in the network, and most of scan tools will create several kind of patterns in the network, all of these patterns indicate the failure of the connection, these include SYN-SYN ACK-RST and SYN-RST and SYNICMP Unreachable message. Based on this thought, we have designed the session-state transition analysis. We will define some packets as the indication of the session state. The happening of such packets causes the change of the session state. When comparing with the predefined rules, we will detect most of the DOS attacks. Another approach is to store these session states transition patterns into a database; thus we can calculate the happening rates of some specific patterns. Compared with the average level, abnormal high happening rates often indicate the possible attack or information collection. For example, we can collect a site’s all sessions' SYN-SYN ACK-RST pattern to decide whether a normal scan had happened. The implementation includes four parts. The first is the data collection part, which collects and unwraps packets passing through the network; the second part is the signature matching part, which will match the packet signature, to filter only the specified packets; the third part will cluster such pa ckets into sessions, and store the session specific signature chain and check whether a rule based match is satisfied; the fourth part will flush the session data into a database, and check whether a statistical based anomaly has happened. Using such kind of techniques has several basic advantages. The first is not to violate privacy, since we are interested in only packet header to know whether a state has changed, to inspect header only also make this implementation efficient and fit for a large scale network. The other advantage is to avoid the headache to set the threshold of a statistical approach. Most scan detection tools (For example, gabriel) will calculate the burst of connections. New scan technique has appeared to avoid burst of connections, for example, slow scan and stealthy scan. Set a proper threshold is much more difficult for a large-scale network. For rule based analysis, since we use the state transition to detect intrusion, we could predict the happening of some attacks in a premature stage. The future approach includes the content analysis based IDS, especially the remote buffer overflow detection. This part of research is underway.

Shan Rong-sheng,Li Xiao-yong D.,Li Jian-hua

DOI: https://doi.org/10.1007/s11741-004-0073-8

2004-01-01

Abstract:Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD(port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.

Xiang-dong QIAO,Tong YANG,Jing-wei ZHANG

DOI: https://doi.org/10.3969/j.issn.1009-3516.2007.04.018

2007-01-01

Abstract:Two different design schemes about firewall IPS module are brought up.In the first scheme snot-inline technique and the QUEUE action of netfilter are used to achieve dropping of attack data packet.In the second one,IPS about Denial of Service attack is achieved with the benefit of combination of synccokies,the new netfilter fuzzy match,PSD match,U32 match with an improvement on the firewall kernel.After comprehensive comparison,the module is developed according to the second scheme.The experiment shows that the designed module works well in defending main DOS attack.

Shijin Kong,Tao He,Xiaoxin Shao,Changqing An,Xing Li

DOI: https://doi.org/10.1109/icc.2006.255093

2006-01-01

Abstract:Port scan detection is very important to predict network intrusions and prevent viruses from spreading. Many networks deploy Network Intrusion Detection Systems (NIDS) to detect port scans in real-time. However, most NIDS are perflow based. They are not scalable on high speed links since it is infeasible to maintain the states of numerous flows. In this paper, we propose a scalable scheme for real-time port scan detection without keeping any per-flow state. We use a doublefilter structure to find out pairs which connect to more than N pairs in T time. The experimental results on real network traces show that our scheme can find out those over-threshold pairs with high accuracy. It is easy to scale our scheme to high speed environments due to its little memory consumption and fast processing pipeline.

Guangfeng Guo,Junxing Zhang,Zhanfei Ma

DOI: https://doi.org/10.2298/csis200206049g

2021-01-01

Computer Science and Information Systems

Abstract:As traditional networks, the software-defined campus network also suffers from intrusion attacks. Current solutions for intrusion prevention cannot meet the requirements of the campus network. Existing methods of attack traceback are either limited to specific protocols or incur high overhead. To protect the data center (DC) of the campus network from internal and external attacks, we propose an Intrusion Prevention System (IPS) based on the coordinated control between the detection engine, the attack traceback agent, and the software-defined control plane. Our solution includes a novel algorithm to infer the best switch port for defending different attacks of varied scales based on the inverse HSA (Header Space Analysis) and the global view of the software-defined controller. The proposed scheme can effectively and timely block the malicious traffic not only protecting victim hosts from attacks but also preventing the whole network from suffering unwanted transmission burden. The proposed IPS is deployed on the bypass of the DC switch and collects network traffic by port mirroring. Compared with the traditional serial deployment, the new design helps defend the DC internal attacks, reduce the probability of network congestion, and avoid the single point of failure. The experimental results show that the overhead of our IPS is very low, which enables it to meet the real-time requirements. The average defense time is between 10 and 14 ms for the data center internal attacks of different scales. For external attacks, the maximum defense time is about 76 ms for a large-scale network with 100 switches.

computer science, information systems, software engineering

Chao Yuan,Jinze Du,Min Yue,Tao Ma

DOI: https://doi.org/10.3390/s20164423

IF: 3.9

2020-08-08

Sensors

Abstract:The control network is an important supporting environment for the control system of the heavy ion accelerator in Lanzhou (HIRFL). It is of great importance to maintain the accelerator system’s network security for the stable operation of the accelerator. With the rapid expansion of the network scale and the increasing complexity of accelerator system equipment, the security situation of the control network is becoming increasingly severe. Port scanning detection can effectively reduce the losses caused by viruses and Trojan horses. This article uses Go Concurrency Patterns, combined with transmission control protocol (TCP) full connection scanning and GIMP Toolkit (GTK) graphic display technology, to develop a tool called HIRFL Scanner. It can scan IP addresses in any range with any ports. This is a very fast, installation-free, cross-platform IP address and port scanning tool. Finally, a series of experiments show that the tool developed in this paper is much faster than the same type of software, and meets the expected development needs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Sankalp Bagaria

DOI: https://doi.org/10.48550/arXiv.1501.02062

2015-01-09

Abstract:Since last decade, IDS/ IPS has gained popularity in protecting large networks. They can employ signature based techniques and/or flow-based techniques to prevent intrusion from outside/ inside the network they are trying to protect. Signature based IDS/ IPS can be stateless or stateful. Stateful IDS can store the state of the protocol and use it for better detection of malware. In the case of TCP/IP networks, an attacker can also launch an attack such that the malicious code is distributed over many packets. These packets pass through the traditional IDS/ IPS and reassemble inside the network. Once re-assembled inside the network by the TCP/IP layer, the malicious code launches an attack. The TCP state and a copy of last few packets for each active connection has to be maintained in IDS/IPS. In TCP re-assembly, packets are re-assembled at IDS/IPS and searched for signature matches. A connection table has to be maintained for active connections and their list of last few (atmost 11) packets that have already arrived. We need data structures for searching the connection that the latest incoming packet belongs to. Popular hashing algorithms like CRC, XOR, summing tuple, taking modulus are inefficient as hash keys are not evenly distributed in hash-key space. Thus we show how an algorithm based on cryptography concepts can be used for efficient hashing in network connection management. We also show how to use full four tuple for calculating hash key instead of simply summing the tuple and taking the modulus of the sum.

Data Structures and Algorithms,Cryptography and Security,Networking and Internet Architecture

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Bin Liu,Zhitang Li,Yao Li,Zhanchun Li

DOI: https://doi.org/10.1117/12.657361

2005-01-01

Abstract:Network intrusion detection systems (NIDS) are important parts of network security architecture. Although many NIDS have been proposed, there is little effort to expand the current set of NIDS to support IPv6 protocol. This paper presents the design and implementation of a Network-based Intrusion Detection System that supports both IPv6 protocol and IPv4 protocol. It characters rules based logging to perform content pattern matching and detect a variety of attacks and probes from IPv4 and IPv6. There are four primary subsystems to make it up: packet capture, packet decoder, detection engine, and logging and alerting subsystem. A new approach to packet capture that combined NAPI with MMAP is proposed in this paper. The test results show that the efficiency of packet capture can be improved significantly by this method. Several new attack tools for IPv6 have been developed for intrusion detection evaluation. Test shows that more than 20 kinds of IPv6 attacks can be detected by this system and it also has a good performance under heavy traffic load.

Wei Wei

2007-01-01

Abstract:Network Intrusion Detection System (NIDS) is an important and practical tool for network security. To guarantee a precise detection the NIDS must detect packets at a wire speed. However, with the recent trend of high-speed networks, the capability of a single NIDS can not meet the speed’s demand, resulting in rising of false negatives. To promote the NIDS performance and efficiency, present studies on IDSs for high-speed network monitoring have begun to choose the distributed architecture as an alterative, first suggested by Christopher Kruegel et al . In such a design, the incoming network traffic is disseminated to a pool of sensors, which process a fraction of the whole traffic, reducing the possibility of packet loss caused by overload.

Navya Iyengar

DOI: https://doi.org/10.48550/arXiv.2007.11654

2020-07-22

Networking and Internet Architecture

Abstract:Cloud-based and network-based technology has witnessed an exponential rise in development. Adaptation of these latest technologies has opened flood gates for data breaches, an increase in sophistication of cyber threats, and, a multitude of new attack vectors. Numerous tools and solutions are currently available for detection of these threats. Network-based Intrusion Detection Systems is one of the most effective tools implemented to maintain confidentiality, integrity, and, availability of networks. While there are several open source tools in the offing, this paper evaluates two open-source NIDS Snort and Suricata, along with strategic placement of multi sensor IDS in a WAN environment, in combination with NIDS, for in time threat detection and protection of systems.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

CHEN Jia,SI Tiange,DAI Yiqi

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.13.058

2006-01-01

Abstract:Intrusion detection technology is an indispensable way to keep the network safety. This paper proposes an intrusion detection system (IDS) framework based on network processor and detecting cluster. The possibility of functioning the distributor by IXP1200 and the key algorithms of the distributor are discussed. The result shows that the distributor can achieve a more than 1000Mbps data-capturing ability, and the load balance policy based on CAM is a satisfying trade-off on protecting the information integrity and reducing the computing complexity.

Rana Abu Bakar,Boonserm Kijsirikul

DOI: https://doi.org/10.3390/s23177541

2023-08-30

Abstract:Network security is paramount in today's digital landscape, where cyberthreats continue to evolve and pose significant risks. We propose a DPDK-based scanner based on a study on advanced port scanning techniques to improve network visibility and security. The traditional port scanning methods suffer from speed, accuracy, and efficiency limitations, hindering effective threat detection and mitigation. In this paper, we develop and implement advanced techniques such as protocol-specific probes and evasive scan techniques to enhance the visibility and security of networks. We also evaluate network scanning performance and scalability using programmable hardware, including smart NICs and DPDK-based frameworks, along with in-network processing, data parallelization, and hardware acceleration. Additionally, we leverage application-level protocol parsing to accelerate network discovery and mapping, analyzing protocol-specific information. In our experimental evaluation, our proposed DPDK-based scanner demonstrated a significant improvement in target scanning speed, achieving a 2× speedup compared to other scanners in a target scanning environment. Furthermore, our scanner achieved a high accuracy rate of 99.5% in identifying open ports. Notably, our solution also exhibited a lower CPU and memory utilization, with an approximately 40% reduction compared to alternative scanners. These results highlight the effectiveness and efficiency of our proposed scanning techniques in enhancing network visibility and security. The outcomes of this research contribute to the field by providing insights and innovations to improve network security, identify vulnerabilities, and optimize network performance.

Xinming Chen,Yiyao Wu,Lianghong Xu,Y. Xue

2009-01-01

Abstract:As security threats and network bandwidth increase in a very fast pace, there is a growing interest in designing highperformance network intrusion detection system (NIDS). This paper presents a parallelization strategy for the popular open-source Snort to build a high performance NIDS on multi-core IA platform. A modular design of parallel NIDS based on Snort is proposed in this paper. Named Para-Snort, it enables flexible and easy module design. This paper also analyzed the performance impact of load balancing and multi-pattern matching. Modified-JSQ and AC-WM algorithms are implemented in order to resolve the bottlenecks and improve the performance of the system. Experimental results show that Para-Snort achieves significant speedup of 4 to 6 times for various traces with a 7-thread parallelizing test setup.

Jingchun Sun,Fei Deng,Qin Su

DOI: https://doi.org/10.1142/s0218001422500239

IF: 1.261

2022-01-01

International Journal of Pattern Recognition and Artificial Intelligence

Abstract:Recently, information networks are becoming a significant part of daily life, so keeping the system’s security is necessary for security tools, such as firewalls and encryption. However, because of the weaknesses of the existing tools, the Intrusion Detection System (IDS) has been implemented to solve the problem. In the application of IDS, feature classification and data analysis are the two most important steps. In this paper, by using the Logit regression model, we attempt to search for the optimal cutting value based on the relationship between cutting value and accuracy index and put forward an input-output port crossed (IOPC) classification for IDS to distinguish the new intrusion features. First, we discuss whole features and propose a taxonomy of IOPC classification for CIC-IDS2017 that is different from other former studies, which can reduce the data space. Second, we compute the distribution curve of cutting values varied with the accuracy index, the purpose of which is to search for the optimal cutting values. Finally, utilizing IOPC classification, the difference between the distribution of the cutting values under the attacks of distributed denial of service (DDoS) and PortScan in CIC-IDS2017 is discussed, which highlights the characteristic that cutting values besieged the attack by PortScan has a conditional distribution compared with DDoS.