Port Scan Attacks Research Articles

Wavelet against random forest for anomaly mitigation in software-defined networking

Security and availability of computer networks remain critical issues even with the constant evolution of communication technologies. In this core, traffic anomaly detection mechanisms need to be flexible to detect the growing spectrum of anomalies that may hinder proper network operation. In this paper, we argue that Software-defined Networking (SDN) provides a suitable environment for the design and implementation of more robust and comprehensive anomaly detection approaches. Aiming towards automated management to detect and prevent potential problems, we present an anomaly identification mechanism based on Discrete Wavelet Transform (DWT) and compare it with another detection model based on Random Forest. These methods generate a normal traffic profile, which is compared with actual real network traffic to recognize abnormal events. After a threat is detected, mitigation measures are activated so that the harmful effects of the malicious event are contained. We assess the effectiveness of the proposed anomaly detection methods and mitigation schemes using Distributed Denial of Service (DDoS) and port scan attacks. Our results confirm the effectiveness of both methods as well as the mitigation routines. In particular, the correspondence between the detection rates confirms that both methods enhance the detection of anomalous behavior by maintaining a satisfactory false-alarm rate.

On the Security of SDN: A Completed Secure and Scalable Framework Using the Software-Defined Perimeter

The widespread adoption and evolution of Software Defined Networking (SDN) have enabled the service providers to successfully simplify network management. Along with the traffic explosion, there is decreasing CAPEX and OPEX as well as an increase in the average revenue per user. However, this wide adoption of SDNs is posing real challenges and concerns in terms of security aspects. The main challenges are how to provide proper authentication, access control, data privacy, and data integrity among others for the API-driven orchestration of network routing. Herein, the Software Defined Perimeter (SDP) is proposed as a framework to provide an orchestration of connections. The expectation is a framework that restricts network access and connections between objects on the SDN-enabled network infrastructures. There are several potential benefits as a result of the integration between SDP systems and SDNs. In particular, it provides a completely scalable and managed security solution. Consequently, it leads to flexible deployment that can be tailored to fit the need of any generic network security perimeter. The proposed Integrated frameworks are examined through virtualized network testbeds. The testing results demonstrate that the proposed framework is malleable to both port scanning (PS) attack and Denial of Service (DoS) bandwidth attack. In addition, it clarifies some interesting potential integration points between the SDP systems and SDNs to further research in this area.

Fast Defense System Against Attacks in Software Defined Networks

With the ever-growing data traffic in computer networks nowadays, the management of large-scale networks is a challenge for guaranteeing the quality of the provided services. This is due to the increasingly usage of connected applications, such as Internet of Things and cloud computing environments. Software-defined networking (SDN) is a new paradigm that aims to make this management process easier by centralizing the configuration of all network devices into a single programmable central controller. However, as any centralized service, this architecture is susceptible to security vulnerabilities, such as distributed denial of service (DDoS) and port scan attacks. Thus, security methods are necessary to guarantee the normal operation of SDN’s central controller. Furthermore, networks are transporting an increasingly amount of information day by day, which could mean data loss in case of long network unavailability. For this reason, security mechanisms must operate online, with fast-responding countermeasures to mitigate the impact of the detected attacks over the SDN. In this paper, we present a fast SDN defense system against DDoS and port scan attacks, which runs directly into the central controller and uses a game theoretical approach for attack mitigation. For the detection, we compare three different approaches, particle swarm optimization, multi-layer perceptron neural network, and discrete wavelet transform. We test our approach over IP flow data generated over Mininet network emulator, along with floodlight controller, and the presented defense system achieved good outcomes for both detection and mitigation processes.

Impregnable Defence Architecture using Dynamic Correlation-based Graded Intrusion Detection System for Cloud

<p class="p1">Data security and privacy are perennial concerns related to cloud migration, whether it is about applications, business or customers. In this paper, novel security architecture for the cloud environment designed with intrusion detection and prevention system (IDPS) components as a graded multi-tier defense framework. It is a defensive formation of collaborative IDPS components with dynamically revolving alert data placed in multiple tiers of virtual local area networks (VLANs). The model has two significant contributions for impregnable protection, one is to reduce alert generation delay by dynamic correlation and the second is to support the supervised learning of malware detection through system call analysis. The defence formation facilitates malware detection with linear support vector machine- stochastic gradient descent (SVM-SGD) statistical algorithm. It requires little computational effort to counter the distributed, co-ordinated attacks efficiently. The framework design, then, takes distributed port scan attack as an example for assessing the efficiency in terms of reduction in alert generation delay, the number of false positives and learning time through comparison with existing techniques is discussed.</p>

Study of Snort performance in counteracting port scanning techniques

Snort Intrusion Detection System became the de-facto standard among the software-based Intrusion Detection Systems because of the high level of customization and the relative ease of use. However, it is essential for an Intrusion Detection System not only to prevent the known attacks, but also to detect zero-day attacks and their preceding steps, such as port scans. A lot of companies neglect the security measures, associated with the prevention of the steps, preceding the attack, such as port scans. This article analyzes the performance of Snort in relation to detecting various port scanning methods and common evasion techniques, as well as the configurations that lead to the best performance. Port scanning prevention is discussed in the context of the nmap service and all the scanning techniques associated with it. Moreover, a packet defragmentation technique is discussed as the evasion technique, as well as the ways of the evasion detection. The article includes the recommendations for configuration of the Snort Intrusion Detection System for effective detection of the port scanning attacks.

A fuzzy detection approach toward different speed port scan attacks based on Dempster–Shafer evidence theory

AbstractPort scan detection is one of the important topics in network security and has received lots of attention by researchers; however a slow port scan attack can deceive most of the existing IDS. Besides, it is unreasonable in typical detection to decide whether it is a probe based on the precise threshold especially when the feature values are around the threshold without taking the uncertainty into consideration. To address these problems, a novel approach was proposed by collecting traffic statistics information called access port set (APS) for each IP address in time windows; several traffic features are extracted from APS which are considered as multiple evidences to indicate a probe. For each evidence, three probabilities are concerned to evaluate the likelihood of the probe occurring which include the probabilities of support, nonsupport and uncertainty. The comprehensive evidence can be obtained from the combination of multiple evidences to evaluate the probe threaten. Several experiments were performed to evaluate the approach with DARPA/MIT datasets and our own generated attack datasets; the experimental results show the feasibility of our approach in terms of detection accuracy and effectiveness. The mechanism can be applied not only in port scan detection but also other precise threshold based situations such as traffic abnormal analysis and intrusion detection. Copyright © 2016 John Wiley & Sons, Ltd.

Rule-Based Network Intrusion Detection System for Port Scanning with Efficient Port Scan Detection Rules Using Snort

In the field of network security, researchers have implemented different models to secure the network. Intrusion Detection System is also one of them and Snort is an open source tool for Intrusion Detection and Prevention System. Today intrusion Detection System is a growing technology in network security and mostly researchers have focused in this field, some of them used signature or rule-based technique and some are anomaly based techniques to improve security of network. In this paper we propose a rule-base Intrusion Detection System with our self generated new Efficient Port Scan Detection Rules (EPSDR). These rules will be used to detect naive port scan attacks in real time network using Snort and Basic Analysis Security Engine (BASE). BASE is used to view the snort results in font-end web page because Snort has no graphic user interface. In This rule-based Intrusion Detection System we will match the signature with our Efficient Port Scan Detection Rules (EPSDR) from captured packet. As a definition of signature based IDS this new EPSDR based IDS will be useful to reduce the false positive alarm.

PERANCANGAN PENGAMANAN SERVER SECARA OTOMATIS MENGGUNAKAN METODE ADAM (AUTOMATIC EVENT DETECTION AND ACTIVITY MONITORING)

In an era like today's global, Internet-based information system security is a must to be considered, because of the public nature of the internet network and global is not safe. Basically the threat is coming from someone who wishes mempuyai gain illegal access to a computer network. Whenever there is a threat encountered on the server such as port scanning, the attacker IP addresses will be captured. Next will be used method Automatic Event Detection And Activity Monitoring (ADAM) to process security. ADAM will carry out retaliatory attacks in the form of a computer virus that was sent to the attacker. For this reason when a computer network is attacked by the intruder, then ADAM server will detect this type of attack is done, then asked for help from another server to strike back. Security server by applying the method ADAM able to do the blocking of port scanning the attacker did not end there ADAM will then send the file is a virus automatically. In terms of time efficiency, the method of securing the ADAM automatically faster than if all phases of the security is done manually. ADAM test non-adaptive systems this takes 4.4 minutes, while the time taken by the ADAM system to immobilize the attacker system only 1 minute 03:59 seconds, so the method ADAM work faster. Traffic normal state (RX 232B, 144B TX), but when encountered in the form of port scanning attacks become 21.46Kib TX RX 25.83Kib, and after working as RX 219B ADAM TX127B, resulting in a significant reduction in traffic.

Real traffic logs creation for testing intrusion detection systems

AbstractPort scanning is one of the most popular reconnaissance techniques that many attackers use to profile running services on a potential target before launching an attack. Many port scanning detection mechanisms have been suggested in literature. To test the proposed detection approaches, researchers use data sets that are available online or simulate their own. However, the available data sets do not provide complete logs and are usually outdated. Furthermore, the simulated data sets provide logs that do not resemble real‒life scenarios. These deficiencies in the available data sets highly affect the performance of testing the intrusion detection systems (IDSs) and result in poor evaluations. Meanwhile, very little work has been done on generating port scanning benchmarks that researchers can use to test their detection methods. In this work, we suggest a simulation framework using OMNeT++ to generate benchmarks that resemble real‒life traffic. We approach the problem by dividing it into three modules: (1) topology creation; (2) good traffic generation; and (3) bad traffic generation, each of which are made realistic, similar to deployed and usable networks. The benchmark is then tested using Snort and MalwareAnalysis. The tested IDSs were not able to catch many of the generated port scanning attacks, specifically the slow and distributed ones. We also measured the attack detection efficiency of the IDSs under different loads of background activities. Hence, the proposed framework and the annotated benchmarks will provide researchers and industry with an effective way of testing the power of IDSs' port scanning detection modules. Copyright © 2014 John Wiley & Sons, Ltd.

How can sliding HyperLogLog and EWMA detect port scan attacks in IP traffic?

IP networks are constantly targeted by new techniques of denial of service attacks (SYN flooding, port scan, UDP flooding, etc), causing service disruption and considerable financial damage. The on-line detection of DoS attacks in the current high-bit rate IP traffic is a big challenge. We propose in this paper an on-line algorithm for port scan detection. It is composed of two complementary parts: First, a probabilistic counting part, where the number of distinct destination ports is estimated by adapting a method called ‘sliding HyperLogLog’ to the context of port scan in IP traffic. Second, a decisional mechanism is performed on the estimated number of destination ports in order to detect in real time any behavior that could be related to a malicious traffic. This latter part is mainly based on the exponentially weighted moving average algorithm (EWMA) that we adapted to the context of on-line analysis by adding a learning step (supposed without attacks) and improving its update mechanism. The obtained port scan detecting method is tested against real IP traffic containing some attacks. It detects all the port scan attacks within a very short time response (of about 30 s) and without any false positive. The algorithm uses a very small total memory of less than 22 kb and has a very good accuracy on the estimation of the number of destination ports (a relative error of about 3.25%), which is in agreement with the theoretical bounds provided by the sliding HyperLogLog algorithm.

Improving the Detection of On-Line Vertical Port Scan in IP Traffic

The authors propose in this paper an on-line algorithm based on Bloom filters to detect port scan attacks in IP traffic. Only relevant information about destination IP addresses and destination ports are stored in two steps in a two-dimensional Bloom filter. This algorithm can be indefinitely performed on a real traffic stream thanks to a new adaptive refreshing scheme that closely follows traffic variations. It is a scalable algorithm able to deal with IP traffic at a very high bit rate thanks to the use of hashing functions over a sliding window. Moreover it does not need any a priori knowledge about traffic characteristics. When tested against real IP traffic, the proposed on-line algorithm performs well in the sense that it detects all the port scan attacks within a very short response time of only 10 seconds without any false positive.

Information Theory and Data-Mining Techniques for Network Traffic Profiling for Intrusion Detection

In this paper, information theory and data mining techniques to extract knowledge of network traffic behavior for packet-level and flow-level are proposed, which can be applied for traffic profiling in intrusion detection systems. The empirical analysis of our profiles through the rate of remaining features at the packet-level, as well as the three-dimensional spaces of entropy at the flow-level, provide a fast detection of intrusions caused by port scanning and worm attacks.

Performance Analysis and Enhancement of UTM Device in Local Area Network

Along with the growth of the computer system and networks, the mysterious and malicious threats and attacks on the computer systems are also increasing exponentially. There is a need of continuous evaluation of the security of a network and enhancement of the network attack detection system, which will be able to detect different attacks along with the characteristics of the attacks. In previous work, the port scan attack is considered as precursors to an attack and the target was to provide the mitigation technique for the particular port scan attack. There have been relatively few empirical studies done for port scan related attacks and those that do exist may no longer reflect the impact of such attacks on the functionalities of the UTM/network device and on the network. To address this lack of knowledge, this experiment is carried out in fully controlled test bed environment wherein a set of varieties of attack can be simulated and impact of attack(s) is analyzed and appropriate mitigation technique is suggested to mitigate the port scan attack. The experiment result indicates that the port scan mitigation implementation on UTM helps reducing the load on the UTM device and reduces network congestion effectively.

An event-based platform for collaborative threats detection and monitoring

Organizations must protect their information systems from a variety of threats. Usually they employ isolated defenses such as firewalls, intrusion detection and fraud monitoring systems, without cooperating with the external world. Organizations belonging to the same markets (e.g., financial organizations, telco providers) typically suffer from the same cyber crimes. Sharing and correlating information could help them in early detecting those crimes and mitigating the damages.The paper discusses the Semantic Room (SR) abstraction which enables the development of collaborative event-based platforms, on the top of Internet, where data from different information systems are shared, in a controlled manner, and correlated to detect and timely react to coordinated Internet-based security threats (e.g., port scans, botnets) and frauds. In order to show the flexibility of the abstraction, the paper proposes the design, implementation and validation of two SRs: an SR that detects inter-domain port scan attacks and an SR that enables an online fraud monitoring over the Italian territory. In both cases, the SRs use real data traces for demonstrating the effectiveness of the proposed approach. In the first SR, high detection accuracy and small detection delays are achieved whereas in the second, new fraud evidence and investigation instruments are provided to law enforcement agencies.

네트워크 포트스캔의 위험에 대한 정량화 방법

네트워크 포트스캔 공격은 내부 네트워크에 있는 시스템에서 열려 있는 포트를 알아내기 위한 방법이다. 기존 대부분의 침입탐지시스템(Intrusion Detection System; IDS)들은 단위 시간당 시스템 또는 네트워크에 몇 번의 패킷을 보냈는지의 횟수를 기록하여 전송한 패킷의 횟수가 임계치보다 높은 소스 인터넷 주소(source IP address)에 대해서 포트스캔 공격이 수행되었다고 간주하였다. 즉, 네트워크 포트스캔 공격을 수행한 소스 인터넷 주소에 대한 위험 정도는 IDS들이 기록한 포트스캔 공격횟수에 의존하였다. 그러나 단순히 포트스캔 공격 횟수에 기반을 둔 위험성의 측정은 느린 포트스캔 공격에 대해 거짓 부정(false negative)이 높아져 포트스캔 탐지율이 낮아진다는 문제가 있다. 본 연구에서는 네트워크 포트스캔 공격에 대해 좀 더 정확하고 포괄적인 구분을 하기 위해 4가지 형태의 정보를 요약한다. 포트스캔 공격에 대한 위험성을 집약적으로 나타내기 위하여 주성분분석(principal component analysis, PCA)에 의해 이러한 정보들을 정량화한 위험지수를 제안한다. 실험을 통해 제안한 위험지수를 이용한 탐지가 포트스캔 탐지율에 있어서 Snort보다 우수하다는 것을 보인다. Network port scan attack is the method for finding ports opening in a local network. Most existing IDSs(intrusion detection system) record the number of packets sent to a system per unit time. If port scan count from a source IP address is higher than certain threshold, it is regarded as a port scan attack. The degree of risk about source IP address performing network port scan attack depends on attack count recorded by IDS. However, the measurement of risk based on the attack count may reduce port scan detection rates due to the increased false negative for slow port scan. This paper proposes a method of summarizing 4 types of information to differentiate network port scan attack more precisely and comprehensively. To integrate the riskiness, we present a risk index that quantifies the risk of port scan attack by using PCA. The proposed detection method using risk index shows superior performance than Snort for the detection of network port scan.

Network Security using Firewall and Cryptographic Authentication

The network Security is the hottest topic in the current research scenario. The information security is really threatened by obnoxious users. With increasing vulnerabilities, caused by port scan attacks, replay attacks and predominantly IP Spoofing, targeting services, the network behavior is getting malevolent. But there is a lack of any clear threat model. The authors have endeavored to consider this problem in order to improve the network security and enhance secure shell daemon protection. A mechanism, QUICKKNOCK, improving upon the potentialities of technologies such as port knocking and SPA (Single Packet Authorization), using Firewall and Cryptography, has been proposed.

Updating snort with a customized controller to thwart port scanning

AbstractWired and wireless networks are being attacked and hacked on continuous basis. One of the critical pieces of information the attacker needs to know is the open ports on the victim's machine, thus the attacker does what is called port scanning. Port scanning is considered one of the dangerous attacks that intrusion detection tries to detect. Snort, a famous network intrusion detection system (NIDS), detects a port scanning attack by combining and analyzing various traffic parameters. Because these parameters cannot be easily combined using a mathematical formula, fuzzy logic can be used to combine them; fuzzy logic can also reduce the number of false alarms. This paper presents a novel approach, based on fuzzy logic, to detect port scanning attacks. A fuzzy logic controller is designed and integrated with Snort in order to enhance the functionality of port scanning detection. Experiments are carried out in both wired and wireless networks. The results show that applying fuzzy logic adds to the accuracy of determining bad traffic. Moreover, it gives a level of degree for each type of port scanning attack. Copyright © 2010 John Wiley & Sons, Ltd.

Allocation Schemes, Architectures, and Policies for Collaborative Port Scanning Attacks

Most network attackers perform port scanning individually, without synchronization, to find victim hosts. Such port scanning schemes suffer from two problems: first, there are too many duplicate scannings and too much contention among different port scanners; second, a complete port scanning takes a long time to finish. In this paper, we present a fast DHT-based collaborative port scanning scheme that aims to eliminate duplicate scanning, minimize contention, and significantly increase the scanning speed. In collaborative attacks, attackers communicate and collaborate with each other to launch much more powerful attacks. In the DHT-based collaborative port scanning scheme, attackers collaborate to search the network for ports that could be exposed to attacks. We propose different collaborative scanning strategies and analyze their advantages and disadvantages.We discuss the static, dynamic, and hybrid target selection and allocation schemes. We present the algorithm details and discuss the stop and revisit policy for the collaborative port scanners. We conduct experiments to evaluate the performance and overhead of the collaborative port scanning strategies. Experimental results suggest that the proposed collaborative port scanning system significantly increases the efficiency of port scanning and provide insights into many design and implementation issues.

Surveying Port Scans and Their Detection Methodologies

Scanning of ports on a computer occurs frequently on the Internet. An attacker performs port scans of Internet protocol addresses to find vulnerable hosts to compromise. However, it is also useful for system administrators and other network defenders to detect port scans as possible preliminaries to more serious attacks. It is a very difficult task to recognize instances of malicious port scanning. In general, a port scan may be an instance of a scan by attackers or an instance of a scan by network defenders. In this survey, we present research and development trends in this area. Our presentation includes a discussion of common port scan attacks. We provide a comparison of port scan methods based on type, mode of detection, mechanism used for detection and other characteristics. This survey also reports on the available data sets and evaluation criteria for port scan detection approaches.

On mitigating sampling-induced accuracy loss in traffic anomaly detection systems

Real-time Anomaly Detection Systems (ADSs) use packet sampling to realize traffic analysis at wire speeds. While recent studies have shown that a considerable loss of anomaly detection accuracy is incurred due to sampling, solutions to mitigate this loss are largely unexplored. In this paper, we propose a Progressive Security-Aware Packet Sampling (PSAS) algorithm which enables a real-time inline anomaly detector to achieve higher accuracy by sampling larger volumes of malicious traffic than random sampling, while adhering to a given sampling budget. High malicious sampling rates are achieved by deploying inline ADSs progressively on a packet's path. Each ADS encodes a binary score (malicious or benign) of a sampled packet into the packet before forwarding it to the next hop node. The next hop node then samples packets marked as malicious with a higher probability. We analytically prove that under certain realistic conditions, irrespective of the intrusion detection algorithm used to formulate the packet score, PSAS always provides higher malicious packet sampling rates. To empirically evaluate the proposed PSAS algorithm, we simultaneously collect an Internet traffic dataset containing DoS and portscan attacks at three different deployment points in our university's network. Experimental results using four existing anomaly detectors show that PSAS, while having no extra communication overhead and extremely low complexity, allows these detectors to achieve significantly higher accuracies than those operating on random packet samples.