http://dx.doi.org/10.9709/JKSS.2012.21.4.091

A Method for Quantifying the Risk of Network Port Scan  

Park, Seongchul (Department of Computer Engineering, Dongguk University)
Kim, Juntae (Department of Computer Engineering, Dongguk University)
Abstract
A network port scan attack is a method for finding open ports in a local network. Most existing IDSs (intrusion detection systems) record the number of packets sent to a system per unit time. If the port scan count from a source IP address is higher than a certain threshold, it is regarded as a port scan attack. The degree of risk assigned to a source IP address performing a network port scan attack depends on the attack count recorded by the IDS. However, measuring risk based on the attack count may reduce port scan detection rates because of increased false negatives for slow port scans. This paper proposes a method of summarizing 4 types of information to differentiate network port scan attacks more precisely and comprehensively. To integrate the riskiness, we present a risk index that quantifies the risk of a port scan attack by using PCA. The proposed detection method using the risk index shows superior performance to Snort for the detection of network port scans.
Keywords
Intrusion Detection System; Port Scan; Risk Index; Principal Component Analysis;
Times Cited By KSCI: 1