Principal Components of Port-Address Matrices in Port-Scan Analysis

  • Conference paper
On the Move to Meaningful Internet Systems: OTM 2008 (OTM 2008)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 5332)

Abstract

There are many studies aiming at using port-scan traffic data for the fast and accurate detection of rapidly spreading worms. This paper proposes two new methods for reducing the traffic data to a simplified form comprising significant components of smaller dimensionality. (1) Dimension reduction via Term Frequency – Inverse Document Frequency (TF-IDF) values, a technique used in information retrieval, is used to choose significant ports and addresses in terms of their “importance” for classification. (2) Dimension reduction via Principal Component Analysis (PCA), widely used as a tool in exploratory data analysis, enables estimation of how uniformly the sensors are distributed over the reduced coordinate system. PCA gives a scatter plot for the sensors, which helps to detect abnormal behavior in both the source address space and the destination port space. In addition to our proposals, we report on experiments that use the Internet Scan Data Acquisition System (ISDAS) distributed observation data from the Japan Computer Emergency Response Team (JPCERT).
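
The two reductions named in the abstract, sketched as an added example that is not code from the paper. It assumes the textbook TF-IDF form (sensors as documents, destination ports as terms), takes only the first principal component by power iteration, and covers the destination-port side only; the sensor names and packet counts are constructed.

```python
import math
from statistics import median

# Constructed sample: scan packets per sensor (rows) by destination port (columns).
PORTS = [22, 80, 135, 445, 1433, 5900]
COUNTS = {
    "s1": [5, 2, 40, 38, 0, 0],
    "s2": [4, 3, 42, 35, 1, 0],
    "s3": [6, 2, 39, 41, 0, 0],
    "s4": [5, 1, 41, 37, 0, 0],
    "s5": [4, 2, 3, 2, 60, 25],  # constructed sensor with an unusual port mix
}

def tfidf(counts):
    """Sensors act as documents and ports as terms: tf = share of the sensor's
    packets on a port, idf = ln(N / number of sensors that saw the port)."""
    n, width = len(counts), len(PORTS)
    df = [sum(1 for row in counts.values() if row[j] > 0) for j in range(width)]
    idf = [math.log(n / d) if d else 0.0 for d in df]
    return {s: [(c / sum(row)) * idf[j] if sum(row) else 0.0
                for j, c in enumerate(row)] for s, row in counts.items()}

def significant_ports(weights, k):
    """Keep the k ports with the highest TF-IDF weight at any sensor."""
    peak = [max(row[j] for row in weights.values()) for j in range(len(PORTS))]
    order = sorted(range(len(PORTS)), key=lambda j: -peak[j])
    return [PORTS[j] for j in order[:k]]

def pc1_scores(weights, iters=200):
    """Project each sensor on the first principal component (power iteration)."""
    names, rows = list(weights), list(weights.values())
    dim = len(rows[0])
    mean = [sum(r[j] for r in rows) / len(rows) for j in range(dim)]
    x = [[r[j] - mean[j] for j in range(dim)] for r in rows]
    cov = [[sum(r[a] * r[b] for r in x) / (len(x) - 1) for b in range(dim)]
           for a in range(dim)]
    v = [1.0 / math.sqrt(dim)] * dim
    for _ in range(iters):
        w = [sum(cov[a][b] * v[b] for b in range(dim)) for a in range(dim)]
        norm = math.sqrt(sum(c * c for c in w))
        if norm == 0.0:  # no variance at all: every sensor looks the same
            break
        v = [c / norm for c in w]
    return {s: sum(r[j] * v[j] for j in range(dim)) for s, r in zip(names, x)}

def most_abnormal(scores):
    """Sensor whose PC1 score lies furthest from the median score."""
    mid = median(scores.values())
    return max(scores, key=lambda s: abs(scores[s] - mid))
```

Ports that every sensor observes get an IDF of zero, so background scanning drops out of the matrix and the sensor with the rare port mix separates from the rest along the first component.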



© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kikuchi, H., Fukuno, N., Terada, M., Doi, N. (2008). Principal Components of Port-Address Matrices in Port-Scan Analysis. In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems: OTM 2008. OTM 2008. Lecture Notes in Computer Science, vol 5332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88873-4_3

  • DOI: https://doi.org/10.1007/978-3-540-88873-4_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-88872-7

  • Online ISBN: 978-3-540-88873-4

  • eBook Packages: Computer Science, Computer Science (R0)
