A Profile-Based Fast Port Scan Detection Method

  • Katalin Hajdú-Szücs
  • Sándor Laki
  • Attila Kiss
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10448)


Before intruding into a system, attackers need to collect information about the target machine. Port scanning is one of the most popular techniques for that purpose: it enables the discovery of services that may be exploited. In this paper we propose an accurate port scan detection method that can detect port scanning attacks earlier and with higher reliability than the widely used Snort-based approaches. Our method is profile-based, meaning that it does not only set a threshold on the number of connection attempts in a given time interval, like most current methods, but builds an IP profile of four features that enables more fine-grained detection. We use the Budapest node of the FIWARE Lab community cloud as a natural honeypot to identify malicious activities in it.


Keywords: Port scan detection · FIWARE Lab · IP profile-based detection



Authors thank Ericsson Ltd. for support via the ELTE CNL collaboration. Sándor Laki also thanks the partial support of EU FP7 FI-CORE project. This publication is the partial result of the Research & Development Operational Programme for the project “Modernisation and Improvement of Technical Infrastructure for Research and Development of J. Selye University in the Fields of Nanotechnology and Intelligent Space”, ITMS 26210120042, co-funded by the European Regional Development Fund.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Katalin Hajdú-Szücs (1)
  • Sándor Laki (1)
  • Attila Kiss (1)
  1. Eötvös Loránd University, Budapest, Hungary
