Detecting Slow Port Scan Using Fuzzy Rule Interpolation

Abstract

Fuzzy Rule Interpolation (FRI) offers a convenient way for delivering rule based decisions on continuous universes avoiding the burden of binary decisions. In contrast with the classical fuzzy systems, FRI decision is also performing well on partially complete rule bases serving the methodologies having incremental rule base creation structure. These features make the FRI methods to be perfect candidate for detecting and preventing different types of attacks in an Intrusion Detection System (IDS) application. This paper aims to introduce a detection approach for slow port scan attacks by adapting the FRI reasoning method. A controlled test-bed environment was also designed and implemented for the purpose of this study. The proposed detection approach was tested and evaluated using different observations. Experimental analysis on a real test-bed environment provides useful insights about the effectiveness of the proposed detection approach. These insights include information regarding the detection approach's efficacy in detecting the port scan attack and in determining its level of severity. In the discussion the efficacy of the proposed detection approach is compared to the SNORT IDS. The results of the comparison showed that the SNORT IDS was unable to detect the slow and very slow port scan attacks whereas the proposed FRI rule based detection approach was able to detect the attacks and generate comprehensive results to further analyze the attack's severity.