MA Li-Bo,LI Xing,ZHANG Liang

DOI: https://doi.org/10.3724/SP.J.1001.2009.03337

2009-01-01

Journal of Software

Abstract:Constructing an effective scan monitoring system is a necessary step for early detection and warning of unknown threats. Scan monitoring systems constructed by routable unused IP addresses will be more effective than those deployed in active networks for their special advantages in identifying threats precisely which results in low false alarm rate. Nowadays systematic researches on how to deploy such an effective monitoring system are still missing. This paper presents a novel scan monitoring model based on BGP route distribution to answer two practical deployment questions. One is how to design and deploy an ideal target-specified scan monitoring system and the other is how to evaluate the detecting effectiveness of actual limited deploying resources. On the basis of the model, this paper puts forward a new concept of deployment threshold which describes the most economical matching value between the monitoring system’s scale and the scanner’s scanning width on the same detection probability demand. According to the model and the deployment threshold, an effective monitoring system can be designed and appropriate detecting targets can be proposed which match the practical deploying resources to avoid blind deployment as before. Simulation results are coincident with the theretical analyses.

Li-Bo Ma,Hai-Xin Duan,Quang-Anh Tran,Xing Li

DOI: https://doi.org/10.1109/icmlc.2006.258991

2006-01-01

Abstract:One of difficulties network scan detection system must face is how to identify a scan source from normal and abnormal hybrid traffics. In this paper, firstly we use modified low interaction honeypots to get pure abnormal scan traffics for avoiding scan sources identification procedure. Secondly, we try to consider scans detection problem through the eye of a network on the basis of above dataset. A 3 layers scan detection network is constructed where the node of every layer is source-IP, destination-IP and resource (the couple {destination port, protocol}), the link is the scan access connection between nodes. The scan detection network owns good features of layer and single-direction. A degree statistics method is put forward to grade the importance of nodes of the scan detection network and give proper warnings. By using a degree statistics method on honeypot dataset we can focus on the research of scan sources' behaviors and stand out what's really worthy of noticing and warning instead of staying at the procedure of identifying whether a source is a scanner or not. Our method enriches the statistic information of scan detection and can effectively reduce warning false positives comparing to previous works

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

Zhijun Zhang

2011-01-01

Abstract:As the use of distributed deployment of a large number of heterogeneous security devices in order to build network security defense system generates a mass of security event information which is difficult to effectively manage and the security monitoring systems that are deployed in different places are difficult to manage integratedly, united platform model for network security management is proposed. According to the actual distribution of Yunnan security monitoring systems, the platform establish a level of information system by the use of distributed technology. Platform designs and analyzes its oriented network security managers system architecture and uses risk assessment and event correlation to analyze network operating conditions in real-time, reduce false alarm ratio so that network security managers can find security accidents precisely and respond promptly. And then the paper describes key technologies such as distributed data model,secure event standardization model,secure communication and control protocol in detail.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Chuan Sheng,Yu Yao,Lianxiang Zhao,Peng Zeng,Jianming Zhao

DOI: https://doi.org/10.1109/tifs.2024.3359002

IF: 7.231

2024-02-10

IEEE Transactions on Information Forensics and Security

Abstract:As the precursor of cyber-attacks, the campaigns of scanning groups are able to reflect the attack target and attack trend to a great extent, which provide highly valuable threat intelligence for cyber defenders to understand the current cyber security situation. However, how to identify scanning groups in the context of limited information, especially in the absence of relevant threat intelligence, remains a challenging problem. In this paper, we utilize the honeynet as the unique data source to propose a scanning group identification system, Scanner-Hunter, which focuses on identifying scanning groups targeting ICS devices. To better characterize scanning patterns, a novel traffic representation scheme for scanning traffic is proposed, which is composed of a set of feature vectors to describe all the ICS request packets. On this basis, we propose a novel self-expanding multi-class classification (SEMCC) model and the IP prefix judgment, which are deliberately integrated to cope with sophisticated scanning groups. Take the Modbus protocol as an example, we implement a prototype of Scanner-Hunter, and use six years of real-world honeynet datasets to evaluate its performance. The experimental results illustrate its effectiveness and superior performance compared with some popular machine learning methods and existing SOTA scanning group identification methods. In addition, Scanner-Hunter is further leveraged to investigate the group distribution and maliciousness of 506 unknown scanners, and some suspicious attack groups with APT characteristics are analyzed. Furthermore, accurate scanning group information will contribute to revealing potential attack organizations and supporting decision making to prevent or interrupt cyber-attacks in time.

computer science, theory & methods,engineering, electrical & electronic

Jing Yang,Liming Wang,Zhen Xu,Jigang Wang,Tian Tian

DOI: https://doi.org/10.1007/978-3-030-21373-2_30

2019-01-01

Abstract:Web scan is one of the most common network attacks on the Internet, in which an adversary probes one or more websites to discover exploitable information in order to perform further cyber attacks. For a coordinated web scan, an adversary controls multiple sources to achieve a large-scale scanning as well as detection evasion. In this paper, a novel detection approach based on hierarchical correlation is proposed to identify coordinated web campaigns from the labelled malicious sources. The semantic correlation is used to identify the malicious sources scanning the similar contents, and the temporal-spatial correlation is employed to identify malicious campaigns from the semantic correlation results. In both correlation phases, we convert the clustering problem into the group partition problem and propose a greedy algorithm to solve it. The evaluation shows that our algorithm is effective in detecting coordinated web scan attacks, since the metric Precision for detection can achieve 1.0, and the metric Rand Index for clustering is 0.984.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

LIU Ting-hua,SONG Hua,DAI Yi-qi

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.09.003

2006-01-01

Abstract:Techniques of the port scan and its detection were introduced briefly.A new self-adaptive distributed detection method of port scan wasdesigned and implemented.By detecting anomalous packets and calculating the class's anomalysum value,it sets adynamic threshold combined with the network traffic,and then judges whether that is a scan.This method could detect slow scans,random scans and distributed scans effectively.And it could detect DDoS(distributed denial of service) attacks as well.

丁剑,齐竞艳,吕志军,黄皓

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.034

2004-01-01

Abstract:After analyzing many different scanning methods, a Real-time Scan Detection Approach Based on Probability(RSDABP) is presented in this paper.This approach is a backward scan detection method. So it is lower mistaken, real-time and robust. At the same time,it also has some limitations. At the end of this paper, we propose the direction to improve it.

Luca Deri,Francesco Fusco

DOI: https://doi.org/10.48550/arXiv.2308.08356

2023-08-16

Abstract:IP blacklists are widely used to increase network security by preventing communications with peers that have been marked as malicious. There are several commercial offerings as well as several free-of-charge blacklists maintained by volunteers on the web. Despite their wide adoption, the effectiveness of the different IP blacklists in real-world scenarios is still not clear. In this paper, we conduct a large-scale network monitoring study which provides insightful findings regarding the effectiveness of blacklists. The results collected over several hundred thousand IP hosts belonging to three distinct large production networks highlight that blacklists are often tuned for precision, with the result that many malicious activities, such as scanning, are completely undetected. The proposed instrumentation approach to detect IP scanning and suspicious activities is implemented with home-grown and open-source software. Our tools enable the creation of blacklists without the security risks posed by the deployment of honeypots.

Cryptography and Security,Networking and Internet Architecture

LAI Hai-guang,XU Feng,HUANG Hao,XIE Jun-yuan

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.11.003

2006-01-01

Abstract:Portscan is used to figure out whether the target system's ports are open by trying to access these ports.It is usually the fist step of a sequence of intrusion actions.Portscan detection is an indispensable part of an intrusion detection system.However,there are only a few portscan detection methods nowadays.Moreover,they are not very accurate.In order to improve the accuracy of portscan detection,the data produced by two portscan detection methods is fused using DempsterShafer theory of evidence.One method is the ports distribution based portscan detection,which is very simple and has a pretty high detection ratio.The other is the sequential hypothesis testing based detection method,which sufficiently exploits the portscan's essential character.The experiment shows that the portscan detection method based on Dempster-Shafer theory of evidence is far more accurate than the one base on ports distribution or sequential hypothesis testing.

Shuo Wang,Qingqi Pei,Yang Xiao,Feng Shao,Shuai Yuan,Jiang Chu,Renjie Liao

DOI: https://doi.org/10.1049/cmu2.12774

IF: 1.345

2024-04-25

IET Communications

Abstract:The threat of Scan and Foothold Attack to the Network Edge (SFANE) is increasing, which greatly affects the application and development of edge computing network architecture. According to the state‐of‐the‐art defense technologies, we illustrate three different defense strategies: no defense, address mutation, and fingerprint decoy. Subsequently, three different probabilistic models are constructed to provide a deeper analysis of the theoretical effect of these strategies on resisting the SFANE. The threat of Scan and Foothold Attack to the Network Edge (SFANE) is increasing, which greatly affects the application and development of edge computing network architecture. However, existing works focus on the implementation of specific technologies that resist the SFANE but ignore the effectiveness analysis of them. To overcome this limitation, this paper constructs probabilistic models for evaluating network edge's resistance against SFANE. In particular, the attacker models of the SFANE based on the ATT&CK model are first formalized. Afterward, according to the state‐of‐the‐art defense technologies, three different defense strategies are illustrated: no defense, address mutation, and fingerprint decoy. Subsequently, three different probabilistic models are constructed to provide a deeper analysis of the theoretical effect of these strategies on resisting the SFANE. Finally, the experimental results show that the actual defense effect of each strategy almost perfectly follows its probabilistic model.

engineering, electrical & electronic

Linfeng Wu,Wei Ruan,Keda Sun,Liang Chen,Liu Yang,Tingting Ye

DOI: https://doi.org/10.1109/ICNSC52481.2021.9702185

2021-01-01

Abstract:At present, the security situation in the industrial internet is becoming more and more serious. Various threats such as network attacks, malicious code and vulnerability utilization are gradually increasing. Consequently, it is urgent to study industrial threat detection methods. In order to tackle typical network attacks, system vulnerabilities and malicious operations, a real-time intelligent industrial threat detection method is proposed by analyzing the network data in the industrial control system. Particularly, artificial intelligence technique, adversarial sample generation technique and deep learning model are used in the method. Besides, the proposed method is achieved in the real network, and the corresponding industrial threat detection platform is developed. The results show that the developed threat detection platform can detect a variety of typical network attacks, system vulnerabilities, malicious code, etc. At the same time, the platform has good throughput and compatibility and is suitable for the actual industrial environment.

Xing Li,Qianli Zhang,Jichen Liu

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.004

2017-01-01

Abstract:Aiming at the problem that the distributed denial of service(DDoS)attacks often use va-rious methods, a comprehensive scoring algorithm is designed.The algorithm can combine several detection algorithms and give a comprehensive score to alarm the attacks.Due to that current DDoS detection algorithms can not provide the specific features of the attacks, an Apriori-Geo-AS algo-rithm and Kolmogorov-Smirnov test based port usage pattern classification algorithm are designed. By improving the Apriori algorithm,the source-address,port and geographic location information of the attack source are extracted more effectively.Compared the port usage pattern with the ideal port usage pattern through the Kolmogorov-Smirnov test,the attacker摧s port usage pattern is further deter-mined.Experimental results show that the comprehensive scoring based detection algorithm can achieve a false alarm rate of less than 0.2%.An analysis on the attack case in Tsinghua University campus network demonstrates the effectiveness of the attack analysis.

Mohammad Borhani,Gurjot Singh Gaba,Juan Basaez,Ioannis Avgouleas,Andrei Gurtov

DOI: https://doi.org/10.1016/j.jii.2024.100623

IF: 11.718

2024-05-06

Journal of Industrial Information Integration

Abstract:Industrial device scanners allow anyone to scan devices on private networks and the Internet. They were intended as network security tools, but they are commonly exploited as attack tools, as scanning can reveal vulnerable devices. However, from a defensive perspective, this vulnerability disclosure could be used to secure devices if characteristics such as type, model, manufacturer, and firmware could be identified. Automated scanning reports can help to apply security measures before an attacker finds a vulnerability. A complete device recognition procedure can then be seen as the basis for auditing networks and identifying vulnerabilities to mitigate cyber-attacks, especially among Industrial Internet of Things (IIoT) devices that are part of critical systems. In this survey, considering SCADA (Supervisory Control and Data Acquisition) systems as monitoring and control components of essential infrastructure, we focus on analyzing the architectures, specifications, and constraints of several industrial device scanners. In addition, we examine the information revealed by the scanners to identify the threats posed by them on industrial systems and networks. We analyze monthly and yearly statistics of cyber-attack incidents to investigate the role of these scanners in accelerating attacks. By presenting the findings of an experimentation, we highlight how easily anyone could identify hundreds of Internet-connected industrial devices in Sweden, which could lead to a major service interruption in industrial environments designed for minimal human involvement. We also discuss several methods to avoid scanners or reduce their identifying capabilities to conceal industrial devices from unauthorized access.

computer science, interdisciplinary applications,engineering, industrial

蔡忠闽,彭勤科,管晓宏,孙国基

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.07.028

2002-01-01

Abstract:In this paper we present a multi-layer and defense-in-depth intrusion detection model for networked computer systems with a prototype. In this model, the operations on the protected computer system are monitored by four sensors from different viewpoints. The final judgement is made by combining the results of the individual sensors using information fusion techniques. It is demonstrated that an anomaly behavior can be more easily discovered and false alarms can be effectively reduced using our detection model. The methods to detect intrusions at different layers are also discussed using the experience gained in prototype realization.