Abstract
Detecting and identifying port scans is important for tracking malicious activity at an early stage. Previous work focuses mainly on detecting individual scanners and pays little attention to the scan patterns they share, which may indicate significant security threats against the network. In this paper we propose a scan vector model, in which each scanner is represented by a vector that combines several scan features computed online, such as target ports and scan rate. A center-based clustering algorithm then partitions the scan vectors into groups, and a succinct summary of the groups provides a condensed view of the major scan patterns. Experiments on traffic data gathered from two subnets of our campus network show that the method identifies the major scan patterns accurately without being biased by heavy hitters, while remaining simple and cheap to compute.
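The scan vector model and center-based clustering sketched in the abstract, as an added illustration (not the paper's code or data): each scanner becomes one vector of per-port probe shares plus a log-scaled scan rate, a k-means style loop partitions the vectors, and a summary of each group gives the condensed view. The port set, the feature layout, the farthest-point seeding and all flow records are constructed assumptions, chosen so that one scanner sends far more probes than the others yet still counts as a single vector.

```python
from collections import defaultdict
import math

PORTS = [22, 80, 135, 445, 1433]   # assumed port dimensions of each scan vector

def probes(src, ports, step, n):
    """Constructed probe records (src, dst_port, time_s), cycling over ports every `step` s."""
    return [(src, ports[i % len(ports)], i * step) for i in range(n)]

# Constructed sample, not data from the paper: two patterns, one of them with a heavy hitter.
FLOWS = (probes("10.0.0.1", [445, 135], 1, 100) + probes("10.0.0.2", [445, 135], 2, 40)
         + probes("10.0.0.3", [22], 10, 30) + probes("10.0.0.4", [22], 12, 25)
         + probes("10.0.0.9", [445, 135], 1, 2000))   # heavy hitter, same pattern as .1/.2

def scan_vectors(flows):
    """One vector per scanner: share of probes per port, then log10(probes/min + 1)."""
    per = defaultdict(list)
    for src, port, ts in flows:
        per[src].append((port, ts))
    vecs = {}
    for src, plist in per.items():
        n, span = len(plist), max(t for _, t in plist) - min(t for _, t in plist) + 1
        shares = [sum(p == port for p, _ in plist) / n for port in PORTS]
        vecs[src] = shares + [math.log10(60 * n / span + 1)]
    return vecs

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def cluster(vecs, k=2, rounds=50):
    """Center-based (k-means style) partition: farthest-point seeding, then Lloyd iterations."""
    keys = sorted(vecs)
    centers = [vecs[keys[0]]]
    while len(centers) < k:
        centers.append(max((vecs[s] for s in keys), key=lambda v: min(dist(v, c) for c in centers)))
    for _ in range(rounds):
        groups = defaultdict(list)
        for s in keys:   # every scanner is one vector, however many probes it sent
            groups[min(range(k), key=lambda i: dist(vecs[s], centers[i]))].append(s)
        new = [[sum(vecs[s][d] for s in groups[i]) / len(groups[i]) for d in range(len(PORTS) + 1)]
               if groups[i] else centers[i] for i in range(k)]
        if new == centers:
            break
        centers = new
    return {i: sorted(groups[i]) for i in range(k)}, centers

def summarize(groups, centers):
    """Succinct view of each scan pattern: member count, dominant ports, typical rate."""
    return {i: {"scanners": len(m), "ports": [PORTS[d] for d in range(len(PORTS)) if centers[i][d] >= 0.25],
                "probes_per_min": round(10 ** centers[i][-1] - 1, 1)} for i, m in groups.items()}
```

With the constructed flows the heavy hitter 10.0.0.9 lands in the same group as 10.0.0.1 and 10.0.0.2 and shifts the group's center no more than any other member would.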
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Wang, L., Duan, H., Li, X. (2005). Port Scan Behavior Diagnosis by Clustering. In: Qing, S., Mao, W., López, J., Wang, G. (eds) Information and Communications Security. ICICS 2005. Lecture Notes in Computer Science, vol 3783. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11602897_21
DOI: https://doi.org/10.1007/11602897_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30934-5
Online ISBN: 978-3-540-32099-9