A network activity classification schema and its application to scan detection

IEEE/ACM Transactions on Networking

Volumn 19, Issue 5, 2011, Pages 1396-1404

  Treurniet, Joanne ^a  

^a DEFENCE RESEARCH AND DEVELOPMENT CANADA   (Canada)

Author keywords

Security and protection; system management; traffic analysis

Indexed keywords

DATA SETS; DETECTION METHODS; DETECTION TECHNIQUE; INTERNET TRAFFIC; IP ADDRESSS; MALICIOUS ACTIVITIES; NETWORK ACTIVITIES; PRIORITIZATION; PROOF OF CONCEPT; SECURITY AND PROTECTION; SECURITY APPLIANCES; SYSTEM MANAGEMENT; TRAFFIC ANALYSIS;

INTERNET; PROBES; TELECOMMUNICATION NETWORKS;

INTERNET PROTOCOLS;

EID: 80054118821     PISSN: 10636692     EISSN: None     Source Type: Journal    
DOI: 10.1109/TNET.2011.2109009     Document Type: Article

References (35)

1. S. Panjwani, S. Tan, K. M. Jarrin, and M. Cukier, "An experimental evaluation to determine if port scans are precursors to an attack," in Proc. IEEE Int. Conf. Depend. Syst. Netw., Yokohama, Japan, 2005, pp. 602-611. (Pubitemid 41538274)
2. J. McHugh, "Testing intrusion detection systems:Acritique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory," Trans. Inf. Syst. Security, vol. 10, no. 4, pp. 262-294, 2000.
3. R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson, "Characteristics of internet background radiation," in Proc. 4th ACM SIGCOMM IMC, New York, 2004, pp. 27-40. (Pubitemid 40372029)
4. D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage, "Inferring internet denial-of-service activity," Trans. Comput. Syst., vol. 24, no. 2, pp. 115-139, 2006.
5. V. Yegneswaran, P. Barford, and J. Ulrich, "Internet intrusions: Global characteristics and prevalence," in Proc. ACMSIGMETRICS, 2003, pp. 138-147.
6. S. Robertson, E. Siegel, M. Miller, and S. Stolfo, "Surveillance detection in high bandwidth environments," in Proc. 3rd IEEE DISCEX, Washington, DC, Apr. 2003, vol. 1, pp. 130-138.
7. M. Allman, V. Paxson, and J. Terrell, "A brief history of scanning," in Proc. ACM SIGCOMM IMC, San Diego, CA, Oct. 2007, pp. 77-82.
8. S. Northcutt, V. Irwin, and B. Ralph, "SHADOW," Naval Surface Warfare Center Dahlgren Laboratory, 1998 [Online]. Available: http://www.nswc.navy.mil/-ISSEC/CID
9. M. Roesch, "Snort," Sourcefire, Inc., Columbia, MD, 2003 [Online]. Available: http://www.snort.org
10. "Snort Users Manual" Sourcefire, Inc., Columbia, MD, 2009 [Online]. Available: http://cvs.snort.org/viewcvs. cgi/*checkout*/ snort/doc/snort-manual.pdf?rev=1.72.2. 1&only-with-tag=SNORT-2-8- 0&content-type=application/pdf
11. S. Staniford, J. Hoagland, and J. McAlerney, "Practical automated detection of stealthy portscans," J. Comput. Security vol. 10, no. 1/2, pp. 105-136, 2002. (Pubitemid 34531414)
12. L. Ertöz, E. Eilertson, A. Lazarevic, P.-N. Tan, V. Kumar, J. Srivastava, and P. Dokas, "The MINDS-Minnesota Intrusion Detection System," in Data Mining: Next Generation Challenges and Future Directions. Cambridge, MA: AAAI/MIT Press, 2004, pp. 199-218.
13. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, "Fast portscan detection using sequential hypothesis testing," in Proc. IEEE S&P, 2004, pp. 211-225.
14. C. Gates, J. J. McNutt, J. B. Kadane, and M. I. Kellner, "Scan detection on very large networks using logistic regression modeling," in Proc. 11th IEEE Symp. Comput. Commun.,Washington, DC, 2006, pp. 402-408.
15. D. Whyte, "Network scanning detection strategies for enterprise networks," Ph.D. dissertation, School of Computer Science, Carleton Univ., Ottawa, ON, Canada, 2008.
16. G. J. Simon, H. Xiong, E. Eilertson, and V. Kumar, J. Ghosh, D. Lambert, D. B. Skillicorn, and J. Srivastava, Eds., "Scan detection: A data mining approach," in Proc. 6th SIAM Int. Conf. Data Mining, Bethesda, MD, Apr. 2006, pp. 118-129. (Pubitemid 43955531)
17. R. Basu, R. K. Cunningham, S. E. Webster, and R. P. Lippmann, "Detecting low-profile probes and novel denial-of-service attacks," in Proc. IEEE SMC IA&S Workshop, West Point, NY, 2001, pp. 5-10.
18. W. Streilein, R. Cunningham, and S. Webster, "Improved detection of low-profile probe and novel denial-of-service attacks," in Proc. Workshop Statist. Mach. Learn. Tech. Comput. Intrusion Detect., Baltimore, MD, Jun. 2002 [Online]. Available: http://ams.jhu.edu/~cidwkshop/Presentations2002/Streilein- Paper.pdf
19. H. Kim, K. C. Claffy, M. Fomenkov, D. Barman, M. Faloutsos, and K. Lee, A. Azcorra, G. de Veciana, K. W. Ross, and L. Tassiulas, Eds., "Internet traffic classification demystified: Myths, caveats, and the best practices," in Proc. ACM CoNEXT, Madrid, Spain, Dec. 2008, p. 11.
20. K. Xu, Z.-L. Zhang, and S. Bhattacharyya, "Internet traffic behavior profiling for network security monitoring," IEEE/ACM Trans. Netw., vol. 16, no. 6, pp. 1241-1252, Dec. 2008.
21. J. Treurniet and J. H. Lefebvre, "A finite state machine model of TCP connections in the transport layer," DefenceR&DCanada, Ottawa, ON, Canada, Tech. Rep. DRDC Ottawa TM 2003-139, 2003.
22. J. Treurniet, "A finite state machine algorithm for detecting TCP anomalies: An examination of the 1999 DARPA intrusion detection evaluation data set," Defence R&D Canada, Ottawa, ON, Canada, Tech. Rep. DRDC Ottawa TM 2005-168, 2005.
23. J. Treurniet, "Detecting low-profile scans in tcp anomaly event data," in Proc. ACM PST, New York, 2006, pp. 1-8.
24. W. R. Stevens, TCP/IP Illustrated, Volume 1: The Protocols. Indianapolis, IN: Addison-Wesley, 1994.
25. J. Postel, "Transmission Control Protocol," RFC 793, Sep. 1981 [Online]. Available: http://www.ietf.org/rfc/rfc793.txt
26. J. Postel, "User Datagram Protocol," RFC 768, Aug. 1980 [Online]. Available: http://www.ietf.org/rfc/rfc768.txt
27. J. Postel, "Internet Control Message Protocol," RFC 792, Sep. 1981 [Online]. Available: http://www.ietf.org/rfc/rfc792.txt
28. C. Gates, "Co-ordinated port scans: A model, a detector and an evaluation methodology," Ph.D. dissertation, Faculty of Computer Science, Dalhousie Univ., Halifax, NS, Canada, 2006.
29. G. Lyon, "Nmap-Free security scanner for network exploration & security audits," 2009 [Online]. Available: http://nmap.org
30. "Queso," Apostols, West Lafayette, IN, 1998 [Online]. Available: http://ftp.cerias.purdue.edu/pub/tools/unix/scanners/queso
31. G. Henderson, "Slow scan detector: Sessionizer software design," dRDC Ottawa Contract Rep. 2008-285, 2008.
32. J. Postel and J. Reynolds, "File Transfer Protocol," RFC 959, Oct. 1985 [Online]. Available: http://www.ietf.org/rfc/rfc959.txt
33. P. Calyam, M. Sridharan, W. Mandrawa, and P. Schopis, "Performance measurement and analysis of h.323 traffic," in Proc. PAM, Antibes Juan-les-Pins, France, Apr. 2004, pp. 137-146.
34. V. Paxson, "Bro intrusion detection system," 2009 [Online]. Available: http://www.bro-ids.org
35. D. Whyte, P. C. v. Oorschot, and E. Kranakis, "Tracking darkports for network defense," in Proc. 23rd Annu. IEEE ACSAC, Miami Beach, FL, Dec. 2007, pp. 161-171.