Abstract

Port scanning is a commonly used technique for discovering the vulnerabilities of network systems. Since many existing methods can detect fast port scans effectively, some advanced attackers perform slow port scans to avoid suspicion. Highly covert slow scans can last for tens of days, which poses a great challenge to current intrusion detection methods. In addition, the existing port-scan detection methods are all based on full traffic, and they are difficult to apply to high-speed networks because of their huge consumption of computing and storage resources. This paper proposes PD-CPS, a Practical scheme for Detecting Covert Port Scans in high-speed networks. Based on the protocol characteristics and the connection mode of port scanning, we construct a traffic feature set that can not only distinguish the specific scan types but also remains valid for sampled traffic. Furthermore, we design a custom data structure, the Scan Detection Sketch (SDS), for rapid feature extraction. Experimental results on real-world traces demonstrate the feasibility of PD-CPS in terms of both detection accuracy and resource consumption, and the proposed method still works well for slow port scans that last for over 60 days.
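The abstract does not describe the internals of SDS, so the following is an added illustration of the idea, not the paper's code: a constant-memory per-source sketch (a hashed-port bitmap plus a few counters) fed with sampled flow records, from which the two scan features the abstract relies on, many distinct destination ports and almost no completed handshakes, are read off even when probes are spread over months. The flow format, thresholds, and the constructed trace are all assumptions.

```python
import hashlib
from collections import namedtuple

# Constructed sampled flow record: timestamp in seconds, source, destination,
# destination port, and "SYN" (probe, no handshake) or "EST" (completed connection).
Flow = namedtuple("Flow", "ts src dst dport state")

class ScanSketch:
    """Illustrative per-source sketch (an assumption, not the paper's SDS).
    Each source gets a fixed-size bitmap of hashed destination ports plus a few
    counters, so memory stays constant however long a slow scan runs and however
    sparsely the link is sampled."""

    def __init__(self, bits=4096):
        self.bits = bits
        self.rows = {}  # src -> [bitmap, syn_only, total, first_ts, last_ts]

    def _slot(self, src, dport):
        h = hashlib.blake2b(f"{src}:{dport}".encode(), digest_size=4).digest()
        return int.from_bytes(h, "big") % self.bits

    def update(self, f):
        row = self.rows.setdefault(f.src, [bytearray(self.bits // 8), 0, 0, f.ts, f.ts])
        s = self._slot(f.src, f.dport)
        row[0][s // 8] |= 1 << (s % 8)   # remember the port, not the packet
        if f.state == "SYN":
            row[1] += 1
        row[2] += 1
        row[4] = max(row[4], f.ts)

    def distinct_ports(self, src):
        # Popcount of the bitmap estimates distinct ports probed; hash
        # collisions can only undercount, the safe direction for a threshold.
        return sum(bin(b).count("1") for b in self.rows[src][0])

    def scanners(self, min_ports=16, min_syn_ratio=0.9):
        """Sources whose sampled traffic touches many ports with almost no
        completed handshakes; returns {src: (ports_seen, days_active)}."""
        hits = {}
        for src, (bm, syn, tot, t0, t1) in self.rows.items():
            ports = self.distinct_ports(src)
            if ports >= min_ports and syn / tot >= min_syn_ratio:
                hits[src] = (ports, round((t1 - t0) / 86400, 1))
        return hits

DAY = 86400
# Constructed trace: a scanner probing one new port per day for 80 days, of which a
# 1-in-4 sampler keeps every fourth probe; a web client completing hundreds of
# connections to just two ports over the same period.
SCAN = [Flow(d * DAY, "10.0.0.9", "10.0.1.5", 1000 + d, "SYN") for d in range(80) if d % 4 == 0]
WEB = [Flow(i * 3600, "10.0.0.2", "10.0.1.5", 443 if i % 2 else 80, "EST") for i in range(400)]

def run(flows=SCAN + WEB):
    sk = ScanSketch()
    for f in flows:
        sk.update(f)
    return sk.scanners()
```

With only 20 sampled probes spread over 76 days, the scanner is still reported while the busy web client, which uses two ports and completes its connections, is not.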
