Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

WANG Ping-hui,ZHENG Qing-hua,NIU Guo-lin,GUAN Xiao-hong,CAI Zhong-min

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.003

2007-01-01

Journal of Communications

Abstract:A slowly port scan detect method was presented based on the statistical traffic features.Two statistical features: the ratio between the number of hosts and ports a host communicates and similarities of the ports set,were selected to denote the traffic features.The CUSUM and wavelet transform methods were employed to analyze the features and detect the slowly port scan behaviors.The experimental results show that the methods proposed detect port scan behaviors effi-ciently and correctly,it has low false negative and false positive alarm rate compared with the Snort.

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

Steffen Haas,Florian Wilkens,Mathias Fischer

DOI: https://doi.org/10.1109/NOMS47738.2020.9110470

2020-03-11

Abstract:Public networks are exposed to port scans from the Internet. Attackers search for vulnerable services they can exploit. In large scan campaigns, attackers often utilize different machines to perform distributed scans, which impedes their detection and might also camouflage the actual goal of the scanning campaign. In this paper, we present a correlation algorithm to detect scans, identify potential relations among them, and reassemble them to larger campaigns. We evaluate our approach on real-world Internet traffic and our results indicate that it can summarize and characterize standalone and distributed scan campaigns based on their tools and intention.

Cryptography and Security

Li-Bo Ma,Hai-Xin Duan,Quang-Anh Tran,Xing Li

DOI: https://doi.org/10.1109/icmlc.2006.258991

2006-01-01

Abstract:One of difficulties network scan detection system must face is how to identify a scan source from normal and abnormal hybrid traffics. In this paper, firstly we use modified low interaction honeypots to get pure abnormal scan traffics for avoiding scan sources identification procedure. Secondly, we try to consider scans detection problem through the eye of a network on the basis of above dataset. A 3 layers scan detection network is constructed where the node of every layer is source-IP, destination-IP and resource (the couple {destination port, protocol}), the link is the scan access connection between nodes. The scan detection network owns good features of layer and single-direction. A degree statistics method is put forward to grade the importance of nodes of the scan detection network and give proper warnings. By using a degree statistics method on honeypot dataset we can focus on the research of scan sources' behaviors and stand out what's really worthy of noticing and warning instead of staying at the procedure of identifying whether a source is a scanner or not. Our method enriches the statistic information of scan detection and can effectively reduce warning false positives comparing to previous works

Jing Yang,Liming Wang,Zhen Xu,Jigang Wang,Tian Tian

DOI: https://doi.org/10.1007/978-3-030-21373-2_30

2019-01-01

Abstract:Web scan is one of the most common network attacks on the Internet, in which an adversary probes one or more websites to discover exploitable information in order to perform further cyber attacks. For a coordinated web scan, an adversary controls multiple sources to achieve a large-scale scanning as well as detection evasion. In this paper, a novel detection approach based on hierarchical correlation is proposed to identify coordinated web campaigns from the labelled malicious sources. The semantic correlation is used to identify the malicious sources scanning the similar contents, and the temporal-spatial correlation is employed to identify malicious campaigns from the semantic correlation results. In both correlation phases, we convert the clustering problem into the group partition problem and propose a greedy algorithm to solve it. The evaluation shows that our algorithm is effective in detecting coordinated web scan attacks, since the metric Precision for detection can achieve 1.0, and the metric Rand Index for clustering is 0.984.

LIU Ting-hua,SONG Hua,DAI Yi-qi

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.09.003

2006-01-01

Abstract:Techniques of the port scan and its detection were introduced briefly.A new self-adaptive distributed detection method of port scan wasdesigned and implemented.By detecting anomalous packets and calculating the class's anomalysum value,it sets adynamic threshold combined with the network traffic,and then judges whether that is a scan.This method could detect slow scans,random scans and distributed scans effectively.And it could detect DDoS(distributed denial of service) attacks as well.

Shijin Kong,Tao He,Xiaoxin Shao,Changqing An,Xing Li

DOI: https://doi.org/10.1109/icc.2006.255093

2006-01-01

Abstract:Port scan detection is very important to predict network intrusions and prevent viruses from spreading. Many networks deploy Network Intrusion Detection Systems (NIDS) to detect port scans in real-time. However, most NIDS are perflow based. They are not scalable on high speed links since it is infeasible to maintain the states of numerous flows. In this paper, we propose a scalable scheme for real-time port scan detection without keeping any per-flow state. We use a doublefilter structure to find out pairs which connect to more than N pairs in T time. The experimental results on real network traces show that our scheme can find out those over-threshold pairs with high accuracy. It is easy to scale our scheme to high speed environments due to its little memory consumption and fast processing pipeline.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

Chuan Sheng,Yu Yao,Lianxiang Zhao,Peng Zeng,Jianming Zhao

DOI: https://doi.org/10.1109/tifs.2024.3359002

IF: 7.231

2024-02-10

IEEE Transactions on Information Forensics and Security

Abstract:As the precursor of cyber-attacks, the campaigns of scanning groups are able to reflect the attack target and attack trend to a great extent, which provide highly valuable threat intelligence for cyber defenders to understand the current cyber security situation. However, how to identify scanning groups in the context of limited information, especially in the absence of relevant threat intelligence, remains a challenging problem. In this paper, we utilize the honeynet as the unique data source to propose a scanning group identification system, Scanner-Hunter, which focuses on identifying scanning groups targeting ICS devices. To better characterize scanning patterns, a novel traffic representation scheme for scanning traffic is proposed, which is composed of a set of feature vectors to describe all the ICS request packets. On this basis, we propose a novel self-expanding multi-class classification (SEMCC) model and the IP prefix judgment, which are deliberately integrated to cope with sophisticated scanning groups. Take the Modbus protocol as an example, we implement a prototype of Scanner-Hunter, and use six years of real-world honeynet datasets to evaluate its performance. The experimental results illustrate its effectiveness and superior performance compared with some popular machine learning methods and existing SOTA scanning group identification methods. In addition, Scanner-Hunter is further leveraged to investigate the group distribution and maliciousness of 506 unknown scanners, and some suspicious attack groups with APT characteristics are analyzed. Furthermore, accurate scanning group information will contribute to revealing potential attack organizations and supporting decision making to prevent or interrupt cyber-attacks in time.

computer science, theory & methods,engineering, electrical & electronic

Akira Tanaka,Chansu Han,Takeshi Takahashi

DOI: https://doi.org/10.1109/access.2023.3249474

IF: 3.9

2023-01-01

IEEE Access

Abstract:Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

computer science, information systems,telecommunications,engineering, electrical & electronic

Weitao Weng,Kai Lei,Kuai Xu,Xiaoyou Liu,Tao Sun

DOI: https://doi.org/10.1007/978-3-319-39937-9_29

2016-01-01

Abstract:Campus networks consist of a rich diversity of end hosts including wired desktops, servers, and wireless BYOD devices such as laptops and smartphones, which are often compromised in insecure networks. Making sense of traffic behaviors of end hosts in campus networks is a daunting task due to the open nature of the network, heterogeneous devices, high mobility of end users, and a wide range of applications. To address these challenges, this paper applies a combination of graphical approaches and spectral clustering to group the Internet traffic of campus networks into distinctive traffic clusters in a divide-and-conquer manner. Specifically, we first model the data communication between a particular subnet of campus networks and the Internet on a specific application port via bipartite graphs, and subsequently use the one-mode projection to capture behavior similarity of end hosts in the same subnet for the same network applications. Finally we apply a spectral clustering algorithm to explore the behavior similarity to identify distinctive application clusters within each subnet. Our experimental results have demonstrated the benefits of our proposed method for analyzing Internet traffic of a large university town to discover anomalous behaviors and to uncover distinctive temporal and spatial traffic patterns.

Zhiyuan Lv,Youjian Zhao,Haibin Li

DOI: https://doi.org/10.1109/ISCC47284.2019.8969587

2019-01-01

Abstract:Nowadays, masquerade attack caused by identity misuse is a kind of severe insider threat and a common security problem for most organizations. Although the anomaly detection based on machine learning has been applied as a common method for this problem, most existing approaches for detecting masquerade attack usually use host-based data to profile user behavior and detect anomaly. However, host-based data are too sensitive to collect, which results in poor universality and makes it difficult for enterprises to deploy. In this paper, we propose a cheap and general masquerade detection method with high accuracy to profile user network behavior and detect anomaly, using network packet sketches (IP, port, protocol, etc.). As network packet headers with standardized format are non-sensitive, our method is suitable for most enterprises and much cheaper to deploy. To validate the method, we collected more than 10 TB normal user data and 5 GB simulated masquerader data in real enterprise environment. The experimental results show that our method achieves good performance with average AUC up to 0.988 and the approach of modeling user network behavior by network packet sketches results in good time efficiency.

Chonghua Wang,Hao Zhou,Zhiqiang Hao,Shu Hu,Jun Li,Xueying Zhang,Bo Jiang,Xuehong Chen

DOI: https://doi.org/10.1016/j.comnet.2022.108760

IF: 5.493

2022-03-01

Computer Networks

Abstract:Due to the ever-growing presence of network traffic, there has been a considerable amount of research on anomaly detection in network traffic by clustering. Most of them have not considered the problem that collective anomaly detection in network traffic. Collective anomaly might scatter among multiple clusters when applying the clustering-based algorithms in the anomaly detection. In this paper, we propose a progressive exploration framework for collective anomaly detection on network traffic based on a clustering method, called CCAD. CCAD enables analysts to effectively explore collective anomaly in network traffic. This framework is different from the other anomaly detection methods. It is based on the analysis of the influence of collective anomaly on the clustering results in the network traffic stream data. CCAD framework efficiently supports the collective anomaly exploration. As demonstrated by our extensive experiments with real-world data, CCAD has high detection rate in comparison with other existing methods.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lixin Wang,Jianhua Yang,Xiaohua Xu,Peng-Jun Wan

DOI: https://doi.org/10.1155/2021/6632671

2021-03-03

Wireless Communications and Mobile Computing

Abstract:Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. With stepping-stone intrusions, an attacker uses tools such as SSH to log in several compromised hosts remotely and create an interactive connection chain and then sends attacking packets to a target system. An effective method to detect such an intrusion is to estimate the length of a connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic using the k -means clustering. Existing approaches for connection-chain-based stepping-stone intrusion detection either are not effective or require a large number of TCP packets to be captured and processed and, thus, are not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets being captured and processed, so it is more efficient. Our proposed detection algorithm is also easier to implement than all existing approaches for stepping-stone intrusion detection. The effectiveness, correctness, and efficiency of our proposed detection algorithm are verified through well-designed network experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wei Liang,Kuan-Ching Li,Jing Long,Xiaoyan Kui,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tii.2019.2946791

IF: 12.3

2020-03-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false positive (FP) rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this article an industrial network intrusion detection algorithm based on multifeature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore, and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multifeature data in industrial networks. The novel features are twofold, to rapidly select a node with high-security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8, and the FP of detection is decreased by 8.8.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Rana Abu Bakar,Boonserm Kijsirikul

DOI: https://doi.org/10.3390/s23177541

2023-08-30

Abstract:Network security is paramount in today's digital landscape, where cyberthreats continue to evolve and pose significant risks. We propose a DPDK-based scanner based on a study on advanced port scanning techniques to improve network visibility and security. The traditional port scanning methods suffer from speed, accuracy, and efficiency limitations, hindering effective threat detection and mitigation. In this paper, we develop and implement advanced techniques such as protocol-specific probes and evasive scan techniques to enhance the visibility and security of networks. We also evaluate network scanning performance and scalability using programmable hardware, including smart NICs and DPDK-based frameworks, along with in-network processing, data parallelization, and hardware acceleration. Additionally, we leverage application-level protocol parsing to accelerate network discovery and mapping, analyzing protocol-specific information. In our experimental evaluation, our proposed DPDK-based scanner demonstrated a significant improvement in target scanning speed, achieving a 2× speedup compared to other scanners in a target scanning environment. Furthermore, our scanner achieved a high accuracy rate of 99.5% in identifying open ports. Notably, our solution also exhibited a lower CPU and memory utilization, with an approximately 40% reduction compared to alternative scanners. These results highlight the effectiveness and efficiency of our proposed scanning techniques in enhancing network visibility and security. The outcomes of this research contribute to the field by providing insights and innovations to improve network security, identify vulnerabilities, and optimize network performance.

SHI ZHONG,TAGHI M. KHOSHGOFTAAR,NAEEM SELIYA

DOI: https://doi.org/10.1142/s0218539307002568

2007-04-01

International Journal of Reliability, Quality and Safety Engineering

Abstract:Recently data mining methods have gained importance in addressing network security issues, including network intrusion detection — a challenging task in network security. Intrusion detection systems aim to identify attacks with a high detection rate and a low false alarm rate. Classification-based data mining models for intrusion detection are often ineffective in dealing with dynamic changes in intrusion patterns and characteristics. Consequently, unsupervised learning methods have been given a closer look for network intrusion detection. We investigate multiple centroid-based unsupervised clustering algorithms for intrusion detection, and propose a simple yet effective self-labeling heuristic for detecting attack and normal clusters of network traffic audit data. The clustering algorithms investigated include, k-means, Mixture-Of-Spherical Gaussians, Self-Organizing Map, and Neural-Gas. The network traffic datasets provided by the DARPA 1998 offline intrusion detection project are used in our empirical investigation, which demonstrates the feasibility and promise of unsupervised learning methods for network intrusion detection. In addition, a comparative analysis shows the advantage of clustering-based methods over supervised classification techniques in identifying new or unseen attack types.

Chao Yuan,Jinze Du,Min Yue,Tao Ma

DOI: https://doi.org/10.3390/s20164423

IF: 3.9

2020-08-08

Sensors

Abstract:The control network is an important supporting environment for the control system of the heavy ion accelerator in Lanzhou (HIRFL). It is of great importance to maintain the accelerator system’s network security for the stable operation of the accelerator. With the rapid expansion of the network scale and the increasing complexity of accelerator system equipment, the security situation of the control network is becoming increasingly severe. Port scanning detection can effectively reduce the losses caused by viruses and Trojan horses. This article uses Go Concurrency Patterns, combined with transmission control protocol (TCP) full connection scanning and GIMP Toolkit (GTK) graphic display technology, to develop a tool called HIRFL Scanner. It can scan IP addresses in any range with any ports. This is a very fast, installation-free, cross-platform IP address and port scanning tool. Finally, a series of experiments show that the tool developed in this paper is much faster than the same type of software, and meets the expected development needs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation