Inter-domain stealthy port scan detection through complex event processing

Authors: Leonardo Aniello, Giorgia Lodi, Roberto Baldoni

DOI: 10.1145/1978582.1978597

Keywords:

Abstract: Large enterprises are nowadays complex interconnected software systems spanning several domains. This new dimension makes the task of enabling efficient security defenses difficult. This paper addresses the problem of detecting inter-domain stealthy port scans and proposes an architecture for an Intrusion Detection System which uses, for such purpose, an open source Complex Event Processing engine named Esper. Esper provides low cost of ownership and high flexibility. The architecture consists of sensors deployed at different enterprise domains. Each sensor sends events to an event processor for correlation. We implemented an algorithm for the detection of inter-domain SYN port scans, the Rank-based SYN (R-SYN) port scan detection algorithm. It combines and adapts three techniques in order to obtain a unique global statement about the malicious behavior of host activities. An evaluation of the accuracy of our approach has been carried out using traces, some of which include original traffic dumps, while others were altered by injecting packets that simulate port scans. Accuracy results show that the algorithm is able to produce a list of scanners characterized by low false positive rates.
