Shan Rong-sheng,Li Xiao-yong D.,Li Jian-hua

DOI: https://doi.org/10.1007/s11741-004-0073-8

2004-01-01

Abstract:Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD(port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.

Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

WANG Ping-hui,ZHENG Qing-hua,NIU Guo-lin,GUAN Xiao-hong,CAI Zhong-min

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.003

2007-01-01

Journal of Communications

Abstract:A slowly port scan detect method was presented based on the statistical traffic features.Two statistical features: the ratio between the number of hosts and ports a host communicates and similarities of the ports set,were selected to denote the traffic features.The CUSUM and wavelet transform methods were employed to analyze the features and detect the slowly port scan behaviors.The experimental results show that the methods proposed detect port scan behaviors effi-ciently and correctly,it has low false negative and false positive alarm rate compared with the Snort.

Sheng Zhang,QiFei Zhang,Xuezeng Pan,Xuhui Zhu

DOI: https://doi.org/10.1109/ETCS.2010.476

2010-01-01

Abstract:Distributed Denial-of-Service (DDos) attack is one of the high threats to the Internet. This paper proposes a measure based on Hurst coefficient to detect DDoS on Low-rate. The result of experiments shows that the measure can detect the DDoS intrusion hided in the normal data traffic in real time. © 2010 IEEE.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

杨小平,刘大昕,王桐

DOI: https://doi.org/10.3969/j.issn.1009-671X.2004.01.013

2004-01-01

Abstract:Network Scan Attack and Dos attack are two important types of network attack and the detection of them is difficult.And their common features were analysed.A detection counter was setup,and then an effective counter algorithm was designed and realized.

Xing Li,Qianli Zhang,Jichen Liu

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.004

2017-01-01

Abstract:Aiming at the problem that the distributed denial of service(DDoS)attacks often use va-rious methods, a comprehensive scoring algorithm is designed.The algorithm can combine several detection algorithms and give a comprehensive score to alarm the attacks.Due to that current DDoS detection algorithms can not provide the specific features of the attacks, an Apriori-Geo-AS algo-rithm and Kolmogorov-Smirnov test based port usage pattern classification algorithm are designed. By improving the Apriori algorithm,the source-address,port and geographic location information of the attack source are extracted more effectively.Compared the port usage pattern with the ideal port usage pattern through the Kolmogorov-Smirnov test,the attacker摧s port usage pattern is further deter-mined.Experimental results show that the comprehensive scoring based detection algorithm can achieve a false alarm rate of less than 0.2%.An analysis on the attack case in Tsinghua University campus network demonstrates the effectiveness of the attack analysis.

CAI Hongmin,WU Naiqi,TENG Shaohua

DOI: https://doi.org/10.3969/j.issn.2095-347x.2007.02.026

2007-01-01

Abstract:This article introduces the theorys and the methods of the detection of port scanning and OS scanning,and put forward a model of detecting port scanning and OS scanning.It can effectively detects many types of attack of scanning,by capturing the network packets and matching the snort rules.In the end,the article introduced the significance and prospect of the model.

LAI Hai-guang,XU Feng,HUANG Hao,XIE Jun-yuan

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.11.003

2006-01-01

Abstract:Portscan is used to figure out whether the target system's ports are open by trying to access these ports.It is usually the fist step of a sequence of intrusion actions.Portscan detection is an indispensable part of an intrusion detection system.However,there are only a few portscan detection methods nowadays.Moreover,they are not very accurate.In order to improve the accuracy of portscan detection,the data produced by two portscan detection methods is fused using DempsterShafer theory of evidence.One method is the ports distribution based portscan detection,which is very simple and has a pretty high detection ratio.The other is the sequential hypothesis testing based detection method,which sufficiently exploits the portscan's essential character.The experiment shows that the portscan detection method based on Dempster-Shafer theory of evidence is far more accurate than the one base on ports distribution or sequential hypothesis testing.

Lanjia Wang,Haixin Duan,Xing Li

DOI: https://doi.org/10.1007/11602897_21

2005-01-01

Abstract:Detecting and identifying port scans is important for tracking malicious activities at early stage. The previous work mainly focuses on detecting individual scanners, while cares little about their common scan patterns that may imply important security threats against network. In this paper we propose a scan vector model, in which a scanner is represented by a vector that combines different scan features online, such as target ports and scan rate. A center-based clustering algorithm is then used to partition the scan vectors into groups, and provide a condense view of the major scan patterns by a succinct summary of the groups. The experiment on traffic data gathered from two subnets in our campus network shows that our method can accurately identify the major scan patterns without being biased by heavy hitters, meanwhile, possessing simplicity and low computation cost.

Pei-sheng LIN,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.12.026

2017-01-01

Abstract:With the development of port scanning technology, some fast single-node port scanning tools, such as ZMap and MASSCAN, are proposed to maximize the use of bandwidth resources for port scanning. However, the performance of these tools is limited by the bandwidth of a single node. In order to further improve the performance of these tools, a distributed task scheduling algorithm and its supporting protocol is proposed, which can be used to implement a rapid distributed port scanning system. With the addresses sharding technology, the target address can be sent to all available nodes for simultaneous port-scanning, and this could theoretically utilize the bandwidth resources of all nodes. In addition, the algorithm also has some exception handling mechanisms, and these mechanisms maybe used to ensure the availability of the system and the accuracy of the results.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

刘敏,过晓冰,伍卫国,钱德沛

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.07.032

2002-01-01

Abstract:This paper introduces the concept of network scanning, and current methodology of network scanning, presents a detection system for network scanning. It describes also the work flow and the implementation of this system.

Y Xiang,Y Lin,WL Lei,SJ Huang

DOI: https://doi.org/10.1049/ip-com:20040526

2004-01-01

Abstract:A new method of real-time distributed denial of service (DDOS) attack inspection is introduced, based on changes in the characteristic of network self-similarity. Using the real-time RS (R2S) algorithm, simulation experiments with real DDOS attacks and background traffic have been carried out. The results show that DDOS attacks can be detected effectively and precisely under most situations using the proposed method.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.

XB Guo,DP Qian,M Liu,R Zhang,B Xu

DOI: https://doi.org/10.1109/iccnmc.2001.962637

2001-01-01

Abstract:Network scanning is an increasing threat to network security. This paper classifies and analyzes current scanning methods, and draws a conclusion that the current detection and protection of scanning mainly aim at information concealment. A novel system of the detection and protection named IEDP is presented in this paper Its concept is discussed and its implementation is described in details. Compared with the current approaches, the concept of IEDP can be recapitulated in one word: "impartation". When detecting a scanning, IEDP gives the scanner bogus information to spoof and confuse him/her. So, for example, when scanning ports, the scanner will find that all ports are listening and can't tell which port is really open. IEDP also adopts a new mechanism called error steering to spoof the scanner IEDP randomly steers errors in communication with the scanner, let the scanner believe that the communication is unstable and give up scanning. Experiments show that IEDP system is efficient.