Surveying port scans and their detection methodologies

Computer Journal

Volumn 54, Issue 10, 2011, Pages 1565-1581

  Bhuyan, Monowar H ^a   Bhattacharyya, D K ^a   Kalita, J K ^b  

^a TEZPUR UNIVERSITY   (India)

^b University of Colorado Colorado Springs   (United States)

Author keywords

coordinated scanning; OS fingerprinting; TCP IP; UDP

Indexed keywords

DATA SETS; DETECTION APPROACH; EVALUATION CRITERIA; INTERNET PROTOCOL ADDRESS; PORT SCANNING; PORT SCANS; RESEARCH AND DEVELOPMENT; SYSTEM ADMINISTRATORS; TCP/IP; UDP;

INTERNET; INTERNET PROTOCOLS; SCANNING; TELECOMMUNICATION NETWORKS;

SURVEYS;

EID: 80053510589     PISSN: 00104620     EISSN: 14602067     Source Type: Journal    
DOI: 10.1093/comjnl/bxr035     Document Type: Article

References (75)

1. Lee, C.B., Roedel, C. and Elena, S. (2003) Detection and Characterization of Port Scan Attacks. Technical Report, University of California, San Diego, CA. http://cseweb.ucsd.edu/users/clbailey/PortScans.pdf.
2. De Vivo, M., Carrasco, E., Isern, G. and de Vivo, G.O. (1999) A review of port scanning techniques. SIGCOMM Comput. Commun. Rev., 29, 41-48.
3. Panjwani, S., Tan, S. and Jarrin, K.M. (2005) An Experimental Evaluation to Determine If Port Scans are Precursors to an Attack. Proc. DSN'05, Washington, DC, USA, June 28-July 1, pp. 602-611. IEEE Computer Society.
4. Mateti, P. (2010) Lecture Notes on Internet Security. Wright State University.
5. Gregr, M. (2010) Portscan Detection Using Netflow Data. Proc. EEICT'10, Brno, CZ, pp. 229-233. Faculty of Information Technology BUT.
6. Staniford, S., Hoagland, J.A. and McAlerney, J.M. (2000) Practical Automated Detection of Stealthy Portscans. Proc. CCS'00, Athens, Greece, November 1, pp. 1-4. ACM.
7. Staniford, S., Hoagland, J.A. and McAlerney, J.M. (2002) Practical automated detection of stealthy portscans. J. Comput. Secur., 10, 105-136.
8. Yegneswaran, V., Barford, P. and Ullrich, J. (2003) Internet intrusions: global characteristics and prevalence. SIGMETRICS Perform. Eval. Rev., 31, 138-147.
9. hybrid@hotmail.com (1999) Distributed information gathering. Phrack Mag., Article 9, 9.
10. Ensafi, R., Park, J.C., Kapur,D. and Crandall, J.R. (2010) Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking. Proc. USENIX Security'10, Washington, DC, USA, pp. 257-272. USENIX Association.
11. Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K.,Wee, C.,Yip, R. and Zerkle, D. (1996) Grids: A Graph Based Intrusion Detection System for Large Networks. Proc. 19th NISS'96, Baltimore, MD, USA, October, pp. 361-370. NIST.
12. Green, J., Marchette, D., Northcutt, S. and Ralph, B. (1999) Analysis Techniques for Detecting Coordinated Attacks and Probes. Proc. WIDNM'99, Santa Clara, CA, USA, April 9-12, pp. 1-9. USENIX Association.
13. Robertson, S., Siegel, E.V., Miller, M. and Stolfo, S.J. (2003) Surveillance Detection in High Bandwidth Environments. Proc. DARPA DISCEX III'03, Washington, DC, USA, April 22-24, pp. 130-139. IEEE Computer Society.
14. Heberlein, T., Dias, G., Levitt, K., Mukherjee, B., Wood, J. and Wolber, D. (1990) A Network Security Monitor. Proc. RISP'90, Oakland, CA, USA, May 7-9, pp. 296-304. IEEE Computer Society.
15. Fyodor (1997) The art of port scanning. Phrack Mag., Article 11, 7.
16. QoSient. Argus. http://www.qosient.com/argus/.
17. Leckie, C. and Kotagiri, R. (2002) A Probabilistic Approach to Detecting Network Scans. Proc. NOMS'02, Florence, Italy, April 15-19, pp. 359-372. IEEE Computer Society.
18. Kim, H., Kim, S., Kouritzin, M.A. and Sun,W. (2004) Detecting Network Portscans Through Anomaly Detection. Proc. SPIE 5429, Orlando, FL, USA, April 12, pp. 254-263.
19. Kato, N., Nitou, H., Ohta, K., Mansfield, G. and Nemoto, Y. (1999)A real-time intrusion detection system (ids) for large scale networks and its evaluations. IEICE Trans. Commun., E82-B, 1817-1825.
20. Ertoz, L., Eilertson, E., Lazarevic, A., Tan, P.-N., Dokas, P., Kumar, V. and Srivastava, J. (2003) Detection of Novel Network Attacks Using Data Mining. Proc. ICDM WDMCS'03, Melbourne, FL, USA, November 19, pp. 30-39.
21. Chandola, V., Banerjee, A. and Kumar, V. (2009) Anomaly detection: A survey. ACM Comput. Surv., 41, 1-58.
22. Gates, C., McNutt, J.J., Kadane, J.B. and Kellner, M. (2006) Scan Detection on Very Large Networks Using Logistic Regression Modeling. Proc. ISCC'06, Pula-Cagliari, Sardinia, Italy, June 26-29, pp. 402-408. IEEE Computer Society.
23. Porras, P. and Valdes, A. (1998) Live Traffic Analysis of TCP/IP Gateways. Proc. ISOC NDSS'98, San Diego, CA, USA, March. ISOC Press.
24. Porras, P.A. and Neumann, P.G. (1997) EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. Proc. NCSC'97, Menlo Park, CA 94025, USA, October 22-25, pp. 353-365. NIST.
25. Udhayan, J., Prabu, M.M., Krishnan, V.A. and Anitha, R. (2009) Reconnaissance Scan Detection Heuristics to Disrupt the Preattack Information Gathering. Proc. N2S'09, Paris, France, June 24-26, pp. 1-5. IEEE Computer Society.
26. Roesch, M. (1999) Snort-lightweight Intrusion Detection for Networks. Proc. LISA'99, Seattle, WA, USA, November 7-12, pp. 229-238. USENIX Association.
27. Gyorgy, S.U., György, J.S. and Hui, X. (2005) Scan Detection: A Data Mining Approach. Proc. SIAM ICDM'05, Sutton Place Hotel, Newport Beach, CA, USA, April 21-23, pp. 118-129. SIAM.
28. Haan, G.-H.K. (2005) Detection of Portscans Using IP Header Data. Proc. TBRC'05, Enschede, January 21.
29. Rong-sheng, S., Xiao-yong, L. and Jian-hua, L. (2004) An adaptive algorithm to detect port scans. J. Shanghai Univ. (Engl. Ed.), 8, 328-332.
30. Gates, C. (2006) Co-ordinated port scans: a model, a detector and an evaluation methodology. PhD Thesis, Dalhousie University Halifax, Nova Scotia.
31. Jung, J., Paxson, V., Berger, A.W. and Balakrishnan, H. (2004) Fast Portscan Detection Using Sequential Hypothesis Testing. Proc. SECPRI'04, Oakland, CA, USA, May 9-12, pp. 211-225. IEEE Computer Society.
32. Paxson,V. (1998) Bro:ASystem for Detecting Network Intruders in Real-Time. Proc. USENIX Security Symp.'98, San Antonio, TX, USA, January 26-29, pp. 2435-2463. USENIXAssociation.
33. Fullmer,M. and Romig, S. (2000) The OSU Flow-Tools Package and Cisco Netflow Logs. Proc. LISA'00, New Orleans, LA, USA, December 3-8, pp. 291-303. USENIX Association.
34. Zhang, Y. and Fang, B. (2009) A Novel Approach to Scan Detection on the Backbone. Proc. ITNG'09, Washington, DC, USA, April 27-29, pp. 16-21. IEEE Computer Society.
35. Sridharan,A.,Ye,T. and Bhattacharyya, S. (2006) Connectionless Port Scan Detection on the Backbone. Proc. IPCCC'06, Phoenix, AZ, USA, April 10-12, pp. 567-576. IEEE Computer Society.
36. Kong, S., He, T., Shao, X., An, C. and Li, X. (2006) Scalable Double Filter Structure for Port Scan Detection. Proc. ICC'06, Istanbul, Turkey, June 11-15, pp. 2177-2182. IEEE Computer Society.
37. Gadge, J. and Patil, A.A. (2008) Port Scan Detection. Proc. ICON'08, Habitat World, IHC, New Delhi, India, December 12-14, pp. 1-6. IEEE Computer Society.
38. Zadeh, L.A. (1994) Fuzzy logic, neural networks, and soft computing. Commun. ACM, 37, 77-84.
39. Basu, R., Cunningham, R.K., Webster, S.E. and Lippmann, R.P. (2001) Detecting Low-profile Probes and Novel Denialof- Service Attacks. Proc. IWIAS'01,West Point, NY, USA, June, pp. 5-10. IEEE Computer Society.
40. Streilein, W.W., Cunningham, R.K. and Webster, S.E. (2002) Improved Detection of Low-profile Probe and Denial-of-Service Attacks. Proc. Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, Baltimore, MD, USA, June 11-13, pp. 11-13.
41. Chen, J.J. and Cheng, X.J. (2009) A Novel Fast Port Scan Method Using Partheno-genetic Algorithm. Proc. ICCSIT'09, Los Alamitos, CA, USA, August 8-11, pp. 219-222. IEEE Computer Society.
42. El-Hajj, W., Aloul, F., Trabelsi, Z. and Zaki, N. (2008) On Detecting Port Scanning Using Fuzzy Based Intrusion Detection System. Proc. IWCMC'08, Crete Island, Greece, August 6-8, pp. 105-110. IEEE Computer Society.
43. Liu, D., Zhang, M.W. and Li, T. (2008) Network Traffic Analysis Using Refined Bayesian Reasoning to Detect Flooding and Port Scan Attacks. Proc. ICACTE'08, Phuket, Thailand, December 20-22, pp. 1000-1004. IEEE Computer Society.
44. Shafiq, M.Z., Farooq, M. and Khayam, S.A. (2008) A Comparative Study of Fuzzy Inference Systems, Neural Networks and Adaptive Neuro Fuzzy Inference Systems for Portscan Detection. Proc. EVO'08, Naples, Italy, December, pp. 52-61. Springer.
45. CS-2001-04 (2001) PHAD: Packet Header Anomaly Detection for Indentifying Hostile Network Traffic. Department of Computer Sciences, Florida Technical Report, Melbourne, FL 32901.
46. Oke, G. and Loukas, G. (2007) A denial of service detector based on maximum likelihood detection and the random neural network. Comput. J., 50, 717-727.
47. Kim, J. and Lee, J.H. (2008) A Slow Port Scan Attack Detection Mechanism Based on Fuzzy Logic and a Stepwise Policy. Proc. IET ICIE'08, University ofWashington, Seattle, USA, July 21-22, pp. 1-5. IEEE Computer Society.
48. Conti, G. and Abdullah, K. (2004) Passive Visual Fingerprinting of NetworkAttackTools. Proc.VizSEC/DMSEC'04,Washington, DC, USA, October, 29, pp. 45-54. ACM.
49. Fyodor. Nmap. http://nmap.org/.
50. FoundStone, a division of McAfee. Superscan. http://www. foundstone.com/us/resources/proddesc/superscan.htm.
51. Tenable Network Security Inc. Columbia. Nessus. http://www. nessus.org/nessus/.
52. Lakkaraju, K., Yurcik, W. and Lee, A.J. (2004) NVisionIP: Netflow Visualizations of System State for Security Situational Awareness. Proc. VizSEC/DMSEC'04, Washington, DC, USA, October 29, pp. 65-72. ACM.
53. Muelder, C., Ma, K.-L. and Bartoletti, T. (2006) Interactive Visualization for Network and Port Scan Detection. LNCS, RAID'05, Seattle, WA, USA, September 7-9, pp. 265-283. Springer, Berlin.
54. McPherson, J., Ma, K.-L., Krystosk, P., Bartoletti, T. and Christensen, M. (2004) PortVis:A Tool for Port-Based Detection of Security Events. Proc. VizSEC/DMSEC'04,Washington, DC, USA, October 29, pp. 73-81. ACM.
55. Abdullah, K., Lee, C., Conti, G. and Copeland, J.A. (2005) Visualizing Network Data for Intrusion Detection. Proc. IEEE IAW'05, West Point, NY, USA, June, pp. 100-108. IEEE Computer Society.
56. Musa, S. and Parish, D.J. (2007) Visualising Communication Network Security Attacks. Proc. IV'07, Washington, DC, USA, July 4-6, pp. 726-733. IEEE Computer Society.
57. Lee, A.J., Koenig, G.A., Meng, X. andYurcik,W. (2005) Searching for Open Windows and Unlocked Doors: Port Scanning in Large-Scale Commodity Clusters. Proc. CCGRID'05, Cardiff, UK, May 9-12, pp. 146-151. IEEE Computer Society.
58. Yurcik, W., Meng, X. and Kiyanclar, N. (2004) NVisionCC: A Visualization Framework for High Performance Cluster Security. Proc. VizSEC/DMSEC'04, New York, NY, USA, October 29, pp. 133-137. ACM.
59. Jiawan, Z., Liang, L., Liangfu, L. and Ning, Z. (2008) A Novel Visualization Approach for Efficient Network Scans Detection. Proc. SECTECH'08, Horizon Resort, Sanya, Hainan Island, China, December 13-15, pp. 23-26. IEEE Computer Society.
60. Whyte, D. (2008) Network scanning detection strategies for enterprise networks. PhD Thesis, School of Computer Science, Carleton University.
61. Curtis, A.C.J., John, M.D.H., John, R.S. and Udo,W.P. (2000)A Methodology for Using Intelligent Agents to Provide Automated Intrusion Response. Proc. IEEE SMC IAW'00, United States MilitaryAcademy,West Point, NY, USA, June 6-7, pp. 110-116. IEEE Computer Society.
62. Zhang, W., Teng, S. and Fu, X. (2008) Scan Attack Detection Based on Distributed Cooperative Model. Proc. CSCWD'08, Xi'an, China,April 16-18, pp. 743-748. IEEE Computer Society.
63. Gelenbe, E. and Loukas, G. (2007) A self-aware approach to denial of service defence. Comput. Netw., 51, 1299-1314.
64. Oke, G., Loukas, G. and Gelenbe, E. (2007) Detecting Denial of Service Attacks with Bayesian Classifiers and the Random Neural Network. Proc. FUZZ-IEEE'07, London, UK, July, pp. 1964-1969. IEEE, USA.
65. Loukas, G. and Oke, G. (2007) Likelihood Ratios and Recurrent Random Neural Networks in Detection of Denial of Service Attacks. Proc. SPECTS'07, San Diego, CA, USA, July 16-18.
66. Gelenbe, E. (1989) Random neural networks with negative and positive signals and product form solution. Neural Comput., 1, 502-510.
67. Gelenbe, E. (1994) G-networks:A unifying model for neural and queueing networks. Ann. Oper. Res., 48, 433-461.
68. Gelenbe, E. and Timotheou, S. (2008) Synchronized interactions in spiked neuronal networks. Comput. J., 51, 723-730.
69. Pang, R., Allman, M., Paxson, V. and Lee, J. (2006) The devil and packet trace anonymization. SIGCOMM Comput. Commun. Rev., 36, 29-38.
70. Pang, R.,Allman, M., Bennett, M., Lee, J., Paxson,V. andTierney, B. (2005)A First Look at Modern Enterprise Traffic. Proc. ACM IMC'05, Berkeley, CA, USA, October, 19-21, pp. 2-2. USENIX Association.
71. Technologies, C.Winpcap. http://www.winpcap.org.
72. symantec.com. Symantec security response. http://security response.symantec.com/avcenter.
73. Axelsson, S. (2000) The base-rate fallacy and the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur., 3, 186-205.
74. McHugh, J. (2000) Testing intrusion detection systems: a critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by lincoln laboratory. ACM Trans. Inf. Syst. Secur., 3, 262-294.
75. Ashfaq, A.B., Robert, M.J., Mumtaz, A., Ali, M.Q., Sajjad, A. and Khayam, S.A. (2008) A Comparative Evaluation of Anomaly Detectors Under Portscan Attacks. Proc. RAID'08, Cambridge, MA, USA, September 15-17, pp. 351-371. Springer, Berlin.