A systematic approach for detecting and clustering distributed cyber scanning
作者: Elias Bou-Harb , Mourad Debbabi , Chadi Assi
DOI: 10.1016/J.COMNET.2013.09.008
关键词:
摘要: We present in this paper an approach that is composed of two techniques respectively tackle the issues detecting corporate cyber scanning and clustering distributed reconnaissance activity. The first employed technique based on a non-attribution anomaly detection focuses what being scanned rather than who performing scanning. second adopts statistical time series rendered by observing correlation status traffic signal to perform identification clustering. To empirically validate both techniques, we utilize examine real network datasets implement experimental environments. dataset comprises unsolicited one-way telescope/darknet while has been captured our lab through customized setup. results show, one hand, for class C with 250 active hosts 5 monitored servers, training period proposed required stabilization less 1 s state memory 80 bytes. Moreover, comparison Snort's sfPortscan technique, it was able detect 4215 unique scans yielded zero false negative. On other correctly identify cluster machines high accuracy even presence legitimate traffic. further formulating presented scenario as machine learning problem. Specifically, compare unsupervised data k-means expectation maximization approach. authenticate rendering feasible adoption.
acm.org
sci-hub.se 参考文章(33)
David W. Scott, Multivariate Density Estimation Wiley Series in Probability and Statistics. ,(1992) , 10.1002/9780470316849
Data-Mining Concepts Wiley-IEEE Press. pp. 1- 25 ,(2011) , 10.1002/9781118029145.CH1
Geoffrey M. Voelker, Stefan Savage, David Moore, Inferring internet denial-of-service activity usenix security symposium. pp. 2- 2 ,(2001)
Gordon Fyodor Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning ,(2009)
Stuart Staniford, James A. Hoagland, Joseph M. McAlerney, Practical automated detection of stealthy portscans Journal of Computer Security. ,vol. 10, pp. 105- 136 ,(2002) , 10.3233/JCS-2002-101-205
Wei Zhang, Shaohua Teng, Xiufen Fu, Scan attack detection based on distributed cooperative model computer supported cooperative work in design. pp. 743- 748 ,(2008) , 10.1109/CSCWD.2008.4537071
Yoo Chung, Distributed denial of service is a scalability problem acm special interest group on data communication. ,vol. 42, pp. 69- 71 ,(2012) , 10.1145/2096149.2096160
A. K. Jain, M. N. Murty, P. J. Flynn, Data clustering: a review ACM Computing Surveys. ,vol. 31, pp. 264- 323 ,(1999) , 10.1145/331499.331504
Eric Wustrow, Manish Karir, Michael Bailey, Farnam Jahanian, Geoff Huston, None, Internet background radiation revisited internet measurement conference. pp. 62- 74 ,(2010) , 10.1145/1879141.1879149
Rob Sloan, Advanced Persistent Threat Engineering & Technology Reference. ,vol. 1, ,(2014) , 10.1049/ETR.2014.0025