An Automatic Portscan Detection System with Adaptive Threshold Setting

  • Kim, Sang-Kon (School of Electrical Engineering and Computer Science & Institute of New Media and Communications, Seoul National University) ;
  • Lee, Seung-Ho (School of Electrical Engineering and Computer Science & Institute of New Media and Communications, Seoul National University) ;
  • Seo, Seung-Woo (School of Electrical Engineering and Computer Science & Institute of New Media and Communications, Seoul National University)
  • Published: 2010.02.28

Abstract

For the purpose of compromising hosts, attackers, including already infected hosts, first perform a portscan over IP addresses in order to find vulnerable hosts. Considerable research related to portscan detection has been done, and many algorithms have been proposed and implemented in network intrusion detection systems (NIDS). In order to distinguish portscanners from other remote hosts, most portscan detection algorithms use a fixed threshold that is manually managed by the network manager. Because the threshold is a constant even though the network environment or the characteristics of traffic can change, the NIDS generates many false positives and false negatives. This reduces the efficiency of the NIDS and imposes a high processing burden on the network management system (NMS). In this paper, in order to address this problem, we propose an automatic portscan detection system using a fast increase slow decrease (FISD) scheme that automatically and adaptively sets the threshold based on statistical data for traffic during prior time periods. In particular, we focus on reducing false positives rather than false negatives, while the threshold is adaptively set within a range between minimum and maximum values. We also propose a new portscan detection algorithm, rate of increase in the number of failed connection requests (RINF), which is much more suitable for our system and shows better performance than other existing algorithms. In terms of the implementation, we compare our scheme with two other simple threshold estimation methods for adaptive threshold setting. We also compare our detection algorithm with three other existing approaches to portscan detection using a real traffic trace. In summary, we show that FISD results in fewer false positives than the other schemes and that RINF can quickly and accurately detect portscanners. We also show that the proposed system, comprising our scheme and algorithm, provides good performance in terms of the false positive rate.
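The following is an added illustration of the FISD plus RINF idea described above; it is not the paper's code. The abstract fixes only the policy (threshold rises fast, decays slowly, stays within [min, max], and is derived from prior-period statistics), so the exact RINF form, the median-based target, the step sizes and the sample counts are assumptions of this example.

```python
from statistics import median

# Constructed sample input (not from the paper): failed connection requests
# per remote host (e.g. SYNs answered by RST or left unanswered) in six
# consecutive periods. Hosts A-D are benign, but their failure counts ramp
# up in periods 1-3 (say, an internal service starts refusing connections);
# host S begins a portscan in period 3.
PERIODS = [
    {"A": 1, "B": 1, "C": 2, "D": 1, "S": 0},
    {"A": 3, "B": 3, "C": 4, "D": 3, "S": 0},
    {"A": 9, "B": 8, "C": 10, "D": 9, "S": 1},
    {"A": 17, "B": 16, "C": 18, "D": 17, "S": 40},
    {"A": 18, "B": 17, "C": 19, "D": 18, "S": 120},
    {"A": 19, "B": 18, "C": 20, "D": 19, "S": 121},
]


def rinf(prev_failed, curr_failed):
    """RINF statistic, assumed here to be the increase in a host's failed
    connection requests since the previous period (floored at zero)."""
    return max(0, curr_failed - prev_failed)


class FISDThreshold:
    """Threshold that rises fast and decays slowly, clamped to [t_min, t_max].
    Assumed details: the target is k * median RINF of the period just seen
    (the median resists a single scanner pulling it up), and `up`/`down` are
    the fast and slow step fractions towards that target."""

    def __init__(self, t_min, t_max, k=4.0, up=0.8, down=0.1):
        self.t_min, self.t_max, self.k = t_min, t_max, k
        self.up, self.down, self.value = up, down, float(t_min)

    def update(self, period_stats):
        target = self.k * median(period_stats)
        step = self.up if target > self.value else self.down
        self.value += step * (target - self.value)
        self.value = min(self.t_max, max(self.t_min, self.value))
        return self.value


def detect(periods, t_min=4, t_max=60, fixed=None):
    """Return (alerts, threshold history). fixed=None uses the FISD threshold;
    fixed=<number> emulates a manually managed constant threshold."""
    thr, alerts, history, prev = FISDThreshold(t_min, t_max), [], [], {}
    for i, counts in enumerate(periods):
        stats = {h: rinf(prev.get(h, 0), c) for h, c in counts.items()}
        limit = fixed if fixed is not None else thr.value  # set from prior data
        alerts += [(i, h) for h, s in stats.items() if s > limit]
        history.append(thr.update(list(stats.values())))
        prev = counts
    return alerts, history
```

With these inputs the adaptive run flags only the scanner in periods 3 and 4, while a constant threshold of 4 additionally flags the four benign hosts in periods 2 and 3, which is the false-positive effect the abstract describes.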

Keywords
