Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

唐小明,梁锦华,蒋建春,文伟平

DOI: https://doi.org/10.3969/j.issn.1000-7024.2002.09.005

2002-01-01

Abstract:This paper gives a summary and classification of the existing intrusion detection models and technologies, and their merits or shortcomings have been compared in detail. It also gives out the development for the future.

Chao Yuan,Jinze Du,Min Yue,Tao Ma

DOI: https://doi.org/10.3390/s20164423

IF: 3.9

2020-08-08

Sensors

Abstract:The control network is an important supporting environment for the control system of the heavy ion accelerator in Lanzhou (HIRFL). It is of great importance to maintain the accelerator system’s network security for the stable operation of the accelerator. With the rapid expansion of the network scale and the increasing complexity of accelerator system equipment, the security situation of the control network is becoming increasingly severe. Port scanning detection can effectively reduce the losses caused by viruses and Trojan horses. This article uses Go Concurrency Patterns, combined with transmission control protocol (TCP) full connection scanning and GIMP Toolkit (GTK) graphic display technology, to develop a tool called HIRFL Scanner. It can scan IP addresses in any range with any ports. This is a very fast, installation-free, cross-platform IP address and port scanning tool. Finally, a series of experiments show that the tool developed in this paper is much faster than the same type of software, and meets the expected development needs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

LAI Hai-guang,XU Feng,HUANG Hao,XIE Jun-yuan

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.11.003

2006-01-01

Abstract:Portscan is used to figure out whether the target system's ports are open by trying to access these ports.It is usually the fist step of a sequence of intrusion actions.Portscan detection is an indispensable part of an intrusion detection system.However,there are only a few portscan detection methods nowadays.Moreover,they are not very accurate.In order to improve the accuracy of portscan detection,the data produced by two portscan detection methods is fused using DempsterShafer theory of evidence.One method is the ports distribution based portscan detection,which is very simple and has a pretty high detection ratio.The other is the sequential hypothesis testing based detection method,which sufficiently exploits the portscan's essential character.The experiment shows that the portscan detection method based on Dempster-Shafer theory of evidence is far more accurate than the one base on ports distribution or sequential hypothesis testing.

LIU Ting-hua,SONG Hua,DAI Yi-qi

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.09.003

2006-01-01

Abstract:Techniques of the port scan and its detection were introduced briefly.A new self-adaptive distributed detection method of port scan wasdesigned and implemented.By detecting anomalous packets and calculating the class's anomalysum value,it sets adynamic threshold combined with the network traffic,and then judges whether that is a scan.This method could detect slow scans,random scans and distributed scans effectively.And it could detect DDoS(distributed denial of service) attacks as well.

Shan Rong-sheng,Li Xiao-yong D.,Li Jian-hua

DOI: https://doi.org/10.1007/s11741-004-0073-8

2004-01-01

Abstract:Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD(port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.

Lanjia Wang,Haixin Duan,Xing Li

DOI: https://doi.org/10.1007/11602897_21

2005-01-01

Abstract:Detecting and identifying port scans is important for tracking malicious activities at early stage. The previous work mainly focuses on detecting individual scanners, while cares little about their common scan patterns that may imply important security threats against network. In this paper we propose a scan vector model, in which a scanner is represented by a vector that combines different scan features online, such as target ports and scan rate. A center-based clustering algorithm is then used to partition the scan vectors into groups, and provide a condense view of the major scan patterns by a succinct summary of the groups. The experiment on traffic data gathered from two subnets in our campus network shows that our method can accurately identify the major scan patterns without being biased by heavy hitters, meanwhile, possessing simplicity and low computation cost.

CAI Hongmin,WU Naiqi,TENG Shaohua

DOI: https://doi.org/10.3969/j.issn.2095-347x.2007.02.026

2007-01-01

Abstract:This article introduces the theorys and the methods of the detection of port scanning and OS scanning,and put forward a model of detecting port scanning and OS scanning.It can effectively detects many types of attack of scanning,by capturing the network packets and matching the snort rules.In the end,the article introduced the significance and prospect of the model.

Rana Abu Bakar,Boonserm Kijsirikul

DOI: https://doi.org/10.3390/s23177541

2023-08-30

Abstract:Network security is paramount in today's digital landscape, where cyberthreats continue to evolve and pose significant risks. We propose a DPDK-based scanner based on a study on advanced port scanning techniques to improve network visibility and security. The traditional port scanning methods suffer from speed, accuracy, and efficiency limitations, hindering effective threat detection and mitigation. In this paper, we develop and implement advanced techniques such as protocol-specific probes and evasive scan techniques to enhance the visibility and security of networks. We also evaluate network scanning performance and scalability using programmable hardware, including smart NICs and DPDK-based frameworks, along with in-network processing, data parallelization, and hardware acceleration. Additionally, we leverage application-level protocol parsing to accelerate network discovery and mapping, analyzing protocol-specific information. In our experimental evaluation, our proposed DPDK-based scanner demonstrated a significant improvement in target scanning speed, achieving a 2× speedup compared to other scanners in a target scanning environment. Furthermore, our scanner achieved a high accuracy rate of 99.5% in identifying open ports. Notably, our solution also exhibited a lower CPU and memory utilization, with an approximately 40% reduction compared to alternative scanners. These results highlight the effectiveness and efficiency of our proposed scanning techniques in enhancing network visibility and security. The outcomes of this research contribute to the field by providing insights and innovations to improve network security, identify vulnerabilities, and optimize network performance.

Pei-sheng LIN,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.12.026

2017-01-01

Abstract:With the development of port scanning technology, some fast single-node port scanning tools, such as ZMap and MASSCAN, are proposed to maximize the use of bandwidth resources for port scanning. However, the performance of these tools is limited by the bandwidth of a single node. In order to further improve the performance of these tools, a distributed task scheduling algorithm and its supporting protocol is proposed, which can be used to implement a rapid distributed port scanning system. With the addresses sharding technology, the target address can be sent to all available nodes for simultaneous port-scanning, and this could theoretically utilize the bandwidth resources of all nodes. In addition, the algorithm also has some exception handling mechanisms, and these mechanisms maybe used to ensure the availability of the system and the accuracy of the results.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

Zibo Li,Xiangzhan Yu,Dawei Wang,Yiru Liu,Huaidong Yin,Shoushuai He

DOI: https://doi.org/10.1007/978-3-030-24268-8_5

2019-01-01

Abstract:With the rapid development of the Internet, more and more services are emerging on the Internet, but it also brings a lot of security risks. Scanning the services on the network by sending probe packets, user can know which host opens a specific service, and can also know statistical data related, which is very important for the network maintenance and discovering dangerous services. This paper focuses on SuperEye, a large-scale and interactive distributed port scanning system. In order to realize interactive port scanning, an enhanced version of TCP state transition automaton is defined to describe the interactive process of contracting and receiving packets. In order to improve the scanning efficiency and avoid triggering IDS, discusses the distribution of tasks, and the tasks are distributed with redundancy and then intermediate states of the task displayed in time, then process and store the returning results for analysis and statistics and at last show the visual results to users. The system interacts with users by friendly web pages. And heartbeat detection is also implemented to ensure the reliability of scanning tasks. Finally, a series of unit tests and integration tests are carried out, and it’s sure that the completed system meets the expected development requirements.

Hao Huang

2010-01-01

Abstract:An anti-illegal connection system is designed based on analyzing the related anti-illegal connection technologies.The system uses authentication and strategy to ensure the credibility of the communcate object and uses SNMP-based network topology discovery algorithm to guarantee timely detection of intranet connected host which is not installed client, and then combines with the device control and kernel monitoring technology to ensure the implementation of the security.Finally, illegal connections are avoided.

WANG Ping-hui,ZHENG Qing-hua,NIU Guo-lin,GUAN Xiao-hong,CAI Zhong-min

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.003

2007-01-01

Journal of Communications

Abstract:A slowly port scan detect method was presented based on the statistical traffic features.Two statistical features: the ratio between the number of hosts and ports a host communicates and similarities of the ports set,were selected to denote the traffic features.The CUSUM and wavelet transform methods were employed to analyze the features and detect the slowly port scan behaviors.The experimental results show that the methods proposed detect port scan behaviors effi-ciently and correctly,it has low false negative and false positive alarm rate compared with the Snort.

刘敏,过晓冰,伍卫国,钱德沛

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.07.032

2002-01-01

Abstract:This paper introduces the concept of network scanning, and current methodology of network scanning, presents a detection system for network scanning. It describes also the work flow and the implementation of this system.

Akira Tanaka,Chansu Han,Takeshi Takahashi

DOI: https://doi.org/10.1109/access.2023.3249474

IF: 3.9

2023-01-01

IEEE Access

Abstract:Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

computer science, information systems,telecommunications,engineering, electrical & electronic

MA Li-bo,ZHANG Jia,LI Xing

DOI: https://doi.org/10.3321/j.issn:0438-0479.2007.z2.021

2007-01-01

Abstract:A scan detection platform constructed by unused IP addresses will effectively improve detection accuracy and reduce false alarm.Before constructing a real scan detection platform,we need to evaluate the detection effectiveness of controlled monitoring addresses to predict the detecting tagets and determine the necessity of the platform deployment.To match these requirements,a new scan detection model based on network classification is presented.According to this model,we can evaluate the detection effectiveness of a scan detection platform which is used to detect random or local preference scanning sources and provide theory guidance for the platform construction and deployment.We use the Leurre'com Honeynet Project's distributed scan detection platform as a practical evaluation instance.Evaluation results show that the platform can effectively detect high speed random scanning sources like Slammer worm and local preference scanning sources whose average scanning rate is more than 2 scan connections per second.To low speed scanning sources,the detection effectiveness is poor.Statistics of real monitoring data and simulation results validate the veracity of evaluation results.

Shijin Kong,Tao He,Xiaoxin Shao,Changqing An,Xing Li

DOI: https://doi.org/10.1109/icc.2006.255093

2006-01-01

Abstract:Port scan detection is very important to predict network intrusions and prevent viruses from spreading. Many networks deploy Network Intrusion Detection Systems (NIDS) to detect port scans in real-time. However, most NIDS are perflow based. They are not scalable on high speed links since it is infeasible to maintain the states of numerous flows. In this paper, we propose a scalable scheme for real-time port scan detection without keeping any per-flow state. We use a doublefilter structure to find out pairs which connect to more than N pairs in T time. The experimental results on real network traces show that our scheme can find out those over-threshold pairs with high accuracy. It is easy to scale our scheme to high speed environments due to its little memory consumption and fast processing pipeline.

LI Guo,HE Lin,SONG Guanglei,WANG Zhiliang,YANG Jiahai,LI Zimu

DOI: https://doi.org/10.11959/j.issn.1000-0801.2019296

2019-01-01

Abstract:Nowadays,the state-of-the-art technologies can spend a very short time to scan the whole IPv4 space,but these methods cannot be applied to the huge IPv6 space easily.Therefore,many researchers propose different heuristic algorithms for the sake of IPv6 scanning.The common way of these algorithms is to input collected IPv6 seed addresses and output new most likely active IPv6 addresses as candidates for later scanning.These methods greatly reduce the scanning range of the active address area.These technologies based on seed addresses were classified,analyzed and summarized,and detailed analysis of the advantages and disadvantages of each method was given.And the several challenges faced by the methods were discussed.73M seed addresses were collected in total from two sources,including published IPv6 datasets in papers and Beijing Node of China Education and Research Network.Through the proposed experiments,time performance and hit rate of four IPv6 address scanning technologies based on seed addresses was compared.Finally,the own thoughts on this field and some future research directions were proposed.

Chuan Sheng,Yu Yao,Lianxiang Zhao,Peng Zeng,Jianming Zhao

DOI: https://doi.org/10.1109/tifs.2024.3359002

IF: 7.231

2024-02-10

IEEE Transactions on Information Forensics and Security

Abstract:As the precursor of cyber-attacks, the campaigns of scanning groups are able to reflect the attack target and attack trend to a great extent, which provide highly valuable threat intelligence for cyber defenders to understand the current cyber security situation. However, how to identify scanning groups in the context of limited information, especially in the absence of relevant threat intelligence, remains a challenging problem. In this paper, we utilize the honeynet as the unique data source to propose a scanning group identification system, Scanner-Hunter, which focuses on identifying scanning groups targeting ICS devices. To better characterize scanning patterns, a novel traffic representation scheme for scanning traffic is proposed, which is composed of a set of feature vectors to describe all the ICS request packets. On this basis, we propose a novel self-expanding multi-class classification (SEMCC) model and the IP prefix judgment, which are deliberately integrated to cope with sophisticated scanning groups. Take the Modbus protocol as an example, we implement a prototype of Scanner-Hunter, and use six years of real-world honeynet datasets to evaluate its performance. The experimental results illustrate its effectiveness and superior performance compared with some popular machine learning methods and existing SOTA scanning group identification methods. In addition, Scanner-Hunter is further leveraged to investigate the group distribution and maliciousness of 506 unknown scanners, and some suspicious attack groups with APT characteristics are analyzed. Furthermore, accurate scanning group information will contribute to revealing potential attack organizations and supporting decision making to prevent or interrupt cyber-attacks in time.

computer science, theory & methods,engineering, electrical & electronic