AbstractPort scan detection is one of the important topics in network security and has received lots of attention by researchers; however a slow port scan attack can deceive most of the existing IDS. Besides, it is unreasonable in typical detection to decide whether it is a probe based on the precise threshold especially when the feature values are around the threshold without taking the uncertainty into consideration. To address these problems, a novel approach was proposed by collecting traffic statistics information called access port set (APS) for each IP address in time windows; several traffic features are extracted from APS which are considered as multiple evidences to indicate a probe. For each evidence, three probabilities are concerned to evaluate the likelihood of the probe occurring which include the probabilities of support, nonsupport and uncertainty. The comprehensive evidence can be obtained from the combination of multiple evidences to evaluate the probe threaten. Several experiments were performed to evaluate the approach with DARPA/MIT datasets and our own generated attack datasets; the experimental results show the feasibility of our approach in terms of detection accuracy and effectiveness. The mechanism can be applied not only in port scan detection but also other precise threshold based situations such as traffic abnormal analysis and intrusion detection. Copyright © 2016 John Wiley & Sons, Ltd.
Read full abstract