Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

LIU Tong,WANG Ze-bing,FENG Yan

DOI: https://doi.org/10.3969/j.issn.1007-130x.2005.08.004

2005-01-01

Abstract:As the distributed intrusion becomes serious, the performance demand for distributed intrusion detection systems will be more and more important. In this paper, the concept of the Super-Peer intrusion detection model (SPIDM) is proposed. Furthermore, the technology of intelligent agent is implemented in this model. As a result, this efficient combination of distributed intrusion detection systems with the super-peer framework increases the system efficiency and collaboration, enhances the system openness, and thus improves the system performance as a whole.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Chao Yuan,Jinze Du,Min Yue,Tao Ma

DOI: https://doi.org/10.3390/s20164423

IF: 3.9

2020-08-08

Sensors

Abstract:The control network is an important supporting environment for the control system of the heavy ion accelerator in Lanzhou (HIRFL). It is of great importance to maintain the accelerator system’s network security for the stable operation of the accelerator. With the rapid expansion of the network scale and the increasing complexity of accelerator system equipment, the security situation of the control network is becoming increasingly severe. Port scanning detection can effectively reduce the losses caused by viruses and Trojan horses. This article uses Go Concurrency Patterns, combined with transmission control protocol (TCP) full connection scanning and GIMP Toolkit (GTK) graphic display technology, to develop a tool called HIRFL Scanner. It can scan IP addresses in any range with any ports. This is a very fast, installation-free, cross-platform IP address and port scanning tool. Finally, a series of experiments show that the tool developed in this paper is much faster than the same type of software, and meets the expected development needs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xiangzhan Yu,Zhichao Hu,Yi Xin

DOI: https://doi.org/10.1155/2021/6627639

2021-01-01

Wireless Communications and Mobile Computing

Abstract:Computer systems and applications on the internet provide services to outsiders and, at the same time, the vulnerabilities may be exploited by attackers and leak some sensitive private information. To collect and monitor the service information provided by the network environment such as IoT (Internet of Things), vehicular networks, cloud computing, and cloud storage, it is particularly important that a system can provide faster service discovery for discovering and identifying specific network services. The current service discovery systems mainly use port scanning technology, including Nmap, Zmap, and Masscan. However, these technologies hard code the service features and only support common services so that cannot cope with real-time updates and changing network services. To solve the above problems, this paper proposed a customizable distributed network service discovery system based on stateless scanning technology of Masscan and proposed a customizable interactive pattern set syntax. The system used random destination address technologies to scan for Ipv4 address allocation and used a distributed deployment scheme. Experimental results show that the system has high scanning speed and has high adaptability to new services and special services.

Guanglei Song,Lin He,Tianyun Zhao,Yirui Luo,Yichao Wu,Linna Fan,Chenglong Li,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1109/iwqos57198.2023.10188692

2023-01-01

Abstract:Internet-wide scanning is a commonly used research technique in various network surveys, such as measuring service deployment and security vulnerabilities. However, these network surveys are limited to the given port set, not comprehensively obtaining the real network landscape, and even misleading survey conclusions. In this work, we introduce PMap, a port scanning tool that efficiently discovers the majority of open ports from all 65K ports in the whole network. PMap uses the correlation of ports to build an open port correlation graph of each network, using a reinforcement learning framework to update the correlation graph based on feedback results and dynamically adjust the order of port scanning. Compared to current port scanning methods, PMap achieves better performance on hit rate, coverage, and intrusiveness. Our experiments over real-world networks show that PMap can find 90% open ports by only scanning 125 ports (90% @125) to each active address with 136× less than the state-of-the-art port probing methods. PMap reduces the number of scanned ports to decrease the intrusive nature of port scanning. PMap is the first effective practice for scanning open ports using reinforcement learning. It bridges the gap of existing scanning tools and effectively supports subsequent service discovery and security research.

Pei-sheng LIN,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.12.026

2017-01-01

Abstract:With the development of port scanning technology, some fast single-node port scanning tools, such as ZMap and MASSCAN, are proposed to maximize the use of bandwidth resources for port scanning. However, the performance of these tools is limited by the bandwidth of a single node. In order to further improve the performance of these tools, a distributed task scheduling algorithm and its supporting protocol is proposed, which can be used to implement a rapid distributed port scanning system. With the addresses sharding technology, the target address can be sent to all available nodes for simultaneous port-scanning, and this could theoretically utilize the bandwidth resources of all nodes. In addition, the algorithm also has some exception handling mechanisms, and these mechanisms maybe used to ensure the availability of the system and the accuracy of the results.

LIU Ting-hua,SONG Hua,DAI Yi-qi

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.09.003

2006-01-01

Abstract:Techniques of the port scan and its detection were introduced briefly.A new self-adaptive distributed detection method of port scan wasdesigned and implemented.By detecting anomalous packets and calculating the class's anomalysum value,it sets adynamic threshold combined with the network traffic,and then judges whether that is a scan.This method could detect slow scans,random scans and distributed scans effectively.And it could detect DDoS(distributed denial of service) attacks as well.

Guanglei Song,Lin He,Tao Chen,Jinlei Lin,Linna Fan,Kun Wen,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1109/tnet.2024.3491314

2024-01-01

IEEE/ACM Transactions on Networking

Abstract:Internet-wide scanning is a commonly used research technique in various network surveys, such as measuring service deployment and security vulnerabilities. However, these network surveys are limited to the given port set, not comprehensively obtaining the real network landscape, and even misleading survey conclusions. In this work, we introduce PMap, a port scanning tool that efficiently discovers the most open ports from all 65K ports in the whole network. PMapuses the correlation of ports to build an open port correlation graph of each network, using a reinforcement learning framework to update the correlation graph based on feedback results and dynamically adjust the order of port scanning. Compared to current port scanning methods, PMapperforms better on hit rate, coverage, and intrusiveness. Our experiments over real networks show that PMapcan find 90% open ports by only scanning 125 ports (90%@125) to each address, which is 99.3% less than the state-of-the-art port scanning methods. It reduces the number of scanned ports to decrease the intrusive nature of port scanning. In addition, PMapis highly parallel and lightweight. It scans 500 networks in parallel, achieving a port recommendation rate of up to 18 million per second, consuming only 7GB of memory. PMapis the first effective practice for scanning open ports using reinforcement learning. It bridges the gap of existing scanning tools and effectively supports subsequent service discovery and security research.

Qianli Zhang,Xing Li

1999-01-01

Abstract:In order to present large-scale malicious attacks on an ISP network to maintain network services, we have designed a method to record key packets classified by sessions. Session is the service provided above the IP layer. We define a TCP connection a session, a UDP packet exchange a session, or echo and echo response of ICMP to be a session. The research of network attack/intrusion/information collection has shown that most of the illegal action performed would have something special ongoing in such sessions. For example, winnuke will send OOB packets to the 139 port of a host; most of the platform detection will use strange packets too. Not only the strange packets itself, but the sequence of such packets going through the network indicate the attack. For example, teardrop will transmit packets that have abnormal fragment offset in the second packet, then cause some platform to crash. Some patterns of sessions will be created by flood based attack/information collection. For example, the SYN flood will create a pile SYN-SYN ACK-RST packets in the network, and most of scan tools will create several kind of patterns in the network, all of these patterns indicate the failure of the connection, these include SYN-SYN ACK-RST and SYN-RST and SYNICMP Unreachable message. Based on this thought, we have designed the session-state transition analysis. We will define some packets as the indication of the session state. The happening of such packets causes the change of the session state. When comparing with the predefined rules, we will detect most of the DOS attacks. Another approach is to store these session states transition patterns into a database; thus we can calculate the happening rates of some specific patterns. Compared with the average level, abnormal high happening rates often indicate the possible attack or information collection. For example, we can collect a site’s all sessions' SYN-SYN ACK-RST pattern to decide whether a normal scan had happened. The implementation includes four parts. The first is the data collection part, which collects and unwraps packets passing through the network; the second part is the signature matching part, which will match the packet signature, to filter only the specified packets; the third part will cluster such pa ckets into sessions, and store the session specific signature chain and check whether a rule based match is satisfied; the fourth part will flush the session data into a database, and check whether a statistical based anomaly has happened. Using such kind of techniques has several basic advantages. The first is not to violate privacy, since we are interested in only packet header to know whether a state has changed, to inspect header only also make this implementation efficient and fit for a large scale network. The other advantage is to avoid the headache to set the threshold of a statistical approach. Most scan detection tools (For example, gabriel) will calculate the burst of connections. New scan technique has appeared to avoid burst of connections, for example, slow scan and stealthy scan. Set a proper threshold is much more difficult for a large-scale network. For rule based analysis, since we use the state transition to detect intrusion, we could predict the happening of some attacks in a premature stage. The future approach includes the content analysis based IDS, especially the remote buffer overflow detection. This part of research is underway.

Yirui Luo,Chenglong Li,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1145/3649470

2024-01-01

Abstract:Internet-wide port and service scanning, a vital tool for network research, is unaffordable in time and network bandwidth consumption. However, scanning only a portion of ports and services may lead to erroneous research conclusions. Previous work has shortened scanning time by predicting potentially active ports and eliminating many invalid scan targets. Still, they suffer from inherent design flaws that compromise their performance in terms of prediction accuracy and efficiency. The vast, unevenly distributed, and noisy nature of active ports presents significant challenges for prediction systems. Meanwhile, service prediction work is still in a shortage state. In this work, we introduce IPREDS, the first efficient prediction system for Internet-wide port and service scanning. IPREDS uses its carefully designed decision model to utilize all input features and predict the scanning reward of each target in parallel, providing high coverage prediction results in minimal time. Our experiment results show that IPREDS can discover 87% of active ports across the entire IPv4 network within two hours, saving at least 87.26% of the total time and 59% of the packets sent compared to existing work. For service scanning, IPREDS finds 91% of all active services using only four handshakes on each active port and saves 85.9% time to find 69% of each active service compared to exhaustive service scanning.

Rana Abu Bakar,Boonserm Kijsirikul

DOI: https://doi.org/10.3390/s23177541

2023-08-30

Abstract:Network security is paramount in today's digital landscape, where cyberthreats continue to evolve and pose significant risks. We propose a DPDK-based scanner based on a study on advanced port scanning techniques to improve network visibility and security. The traditional port scanning methods suffer from speed, accuracy, and efficiency limitations, hindering effective threat detection and mitigation. In this paper, we develop and implement advanced techniques such as protocol-specific probes and evasive scan techniques to enhance the visibility and security of networks. We also evaluate network scanning performance and scalability using programmable hardware, including smart NICs and DPDK-based frameworks, along with in-network processing, data parallelization, and hardware acceleration. Additionally, we leverage application-level protocol parsing to accelerate network discovery and mapping, analyzing protocol-specific information. In our experimental evaluation, our proposed DPDK-based scanner demonstrated a significant improvement in target scanning speed, achieving a 2× speedup compared to other scanners in a target scanning environment. Furthermore, our scanner achieved a high accuracy rate of 99.5% in identifying open ports. Notably, our solution also exhibited a lower CPU and memory utilization, with an approximately 40% reduction compared to alternative scanners. These results highlight the effectiveness and efficiency of our proposed scanning techniques in enhancing network visibility and security. The outcomes of this research contribute to the field by providing insights and innovations to improve network security, identify vulnerabilities, and optimize network performance.

Shan Rong-sheng,Li Xiao-yong D.,Li Jian-hua

DOI: https://doi.org/10.1007/s11741-004-0073-8

2004-01-01

Abstract:Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD(port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.

Guannan Guo,Jianwei Zhuge,Mengmeng Yang,Gengqian Zhou,Yixiong Wu

DOI: https://doi.org/10.1109/IINTEC.2018.8695276

2018-01-01

Abstract:Industrial control systems (ICS) have become ubiquitous as cyber-physical systems are widely distributed in critical infrastructures. Yet as the ICS environment evolves and becomes ever more connected, an increasing number of devices are now exposed on the Internet, and the attacking surface and risk increase as well, an attacker who finds an ICS device can cause severe damage to real world easily. In this paper, we deploy high-interaction honeypots using real devices on the Internet to find who is searching the exposed ICS devices and study the discrepancies between different scanners. To gain a more accurate and bigger landscape, instead of performing our own large scale scanning world wide, we provide a survey of ICS devices on the Internet based on historical data collected from multiple data sources. By aggregating and analyzing, we are able to find an even greater number of both ICS devices and honeypots on the Internet compared with any single search engine. We hope to raise the issue of ICS security and inform work on exploring and securing ICS devices on the Internet.

ZHAO Ye-hong,YANG Shou-bao,WANG Shao-lin,DONG Kuo

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.34.030

2006-01-01

Abstract:The traditional approach keeping track of TCP SYN packets needs massive probe's memory and computation resources.An Internet-worm early detecting system based on ISP distributed is proposed in this paper,which relies on TCP RESET packet detecting to find the scan sources.Compared to existing methods,our approach has the merits of detecting the suspicious Internet worms,defending the forge attack,and reducing 59.4% and 28.9% overhead in normal and in simulation worm scanning respectively.

Jiang Zhen

Abstract:The paper introduces the current severe situation of the Web security, and brings up the necessity to design Web vulnerability scanning software. Then it analyzes Web crawler, construction of website structure tree, and detection methods of SQL injection, XSS, integer overflow and URL redirection, which provides a guarantee for developing the system successfully. The paper also describes the software architecture and the design of modules. The final testing results prove that the software is able to detect the common types of vulnerabilities rapidly and comprehensively. The software has been published.

Computer Science

Meng Sun,Qi Wang,Jue He,Huailin Huang,Yu Huang,Xiaojie Shen,Yaohui Xiao,Suchun Fan

DOI: https://doi.org/10.1088/1742-6596/2290/1/012036

2022-01-01

Journal of Physics Conference Series

Abstract:Abstract Power system network is an important guarantee for the smooth operation of power enterprises. Considering the current automatic network vulnerability scanning method of power system, the detection rate of network vulnerability scanning is low due to its poor scheduling ability. Therefore, this paper designs a new automatic scanning method for network vulnerabilities in power system. According to the infrastructure of power system network vulnerability scanner, the power system web page interaction behavior recognition model is constructed to complete the power system web page interaction behavior recognition. On this basis, the power system network scanning scheduling algorithm is designed. Combined with genetic algorithm, the variation process of power system network vulnerabilities is determined, the power system network security situation is determined, the power system network scanning scheduling and vulnerability mining are realized, and the design of power system network leakage automatic scanning method is completed. The experimental link is constructed to verify this method. The verification shows that this method can effectively improve the detection rate of network vulnerability scanning and the efficiency of vulnerability scanning to a certain extent.

Xing-Zhi Wang,Zheng Yan,Li

2009-01-01

Abstract:The requirements for significant computational resources imposed by dynamic security assessment applications have led to an increasing interest in the use of parallel and distributed computing technologies. This paper presents an adaptive scheme that involves user-friendly flat application program interfaces for scripting and an object-oriented programming environment for distributed dynamic security assessment implementation. Functional parallelism and data parallelism are supported by each of the message passing interface model and TCP/IP model. Adaptive stochastic-based objectives and conservative parameter prediction techniques are used to produce more efficient data parallelism. Tests for a 39-bus network and a 3872-bus network are reported, and the results of these experiments demonstrate that the proposed scheme is able to execute the distributed simulations on either stand-alone personal computers, cluster systems, or a computational grid infrastructure and provide efficient parallelism for the given environment.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

XB Guo,DP Qian,M Liu,R Zhang,B Xu

DOI: https://doi.org/10.1109/iccnmc.2001.962637

2001-01-01

Abstract:Network scanning is an increasing threat to network security. This paper classifies and analyzes current scanning methods, and draws a conclusion that the current detection and protection of scanning mainly aim at information concealment. A novel system of the detection and protection named IEDP is presented in this paper Its concept is discussed and its implementation is described in details. Compared with the current approaches, the concept of IEDP can be recapitulated in one word: "impartation". When detecting a scanning, IEDP gives the scanner bogus information to spoof and confuse him/her. So, for example, when scanning ports, the scanner will find that all ports are listening and can't tell which port is really open. IEDP also adopts a new mechanism called error steering to spoof the scanner IEDP randomly steers errors in communication with the scanner, let the scanner believe that the communication is unstable and give up scanning. Experiments show that IEDP system is efficient.