Fast portscan detection using sequential hypothesis testing

Authors: Jaeyeon Jung, V. Paxson, A.W. Berger, H. Balakrishnan

DOI: 10.1109/SECPRI.2004.1301325

Keywords:

Abstract: Attackers routinely perform random portscans of IP addresses to find vulnerable servers to compromise. Network intrusion detection systems (NIDS) attempt to detect such behavior and flag these portscanners as malicious. An important need in such systems is prompt response: the sooner a NIDS detects malice, the lower the resulting damage. At the same time, a NIDS should not falsely implicate benign remote hosts as malicious. Balancing the goals of promptness and accuracy in detecting malicious scanners is a delicate and difficult task. We develop a connection between this problem and the theory of sequential hypothesis testing and show that one can model accesses to local IP addresses as a random walk on one of two stochastic processes, corresponding respectively to the access patterns of benign remote hosts and malicious ones. The detection problem then becomes one of observing a particular trajectory and inferring from it the most likely classification for the remote host. We use this insight to develop TRW (Threshold Random Walk), an online detection algorithm that identifies malicious remote hosts. Using an analysis of traces from two qualitatively different sites, we show that TRW requires a much smaller number of connection attempts (4 or 5 in practice) to detect malicious activity compared to previous schemes, while also providing theoretical bounds on the low (and configurable) probabilities of missed detection and false alarms. In summary, TRW performs significantly faster and also more accurately than other current solutions.
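The random walk described in the abstract can be made concrete with a small Threshold Random Walk detector. This is an added illustration, not code from the paper: it uses the standard sequential probability ratio test thresholds (upper threshold beta/alpha, lower threshold (1-beta)/(1-alpha)) and assumed parameter values (theta0 = 0.8, theta1 = 0.2, alpha = 0.01, beta = 0.99), and the sample connection events are constructed.

```python
# Added example: Threshold Random Walk (TRW) over first-contact connection
# attempts. theta0/theta1 are the assumed success probabilities for a benign
# and a scanning remote host; alpha/beta are the target false-positive rate
# and detection probability. None of these values come from the paper page.
def trw_thresholds(alpha, beta):
    """Likelihood-ratio thresholds: cross eta1 -> scanner, drop below eta0 -> benign."""
    eta1 = beta / alpha
    eta0 = (1.0 - beta) / (1.0 - alpha)
    return eta0, eta1

class ThresholdRandomWalk:
    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        self.eta0, self.eta1 = trw_thresholds(alpha, beta)
        # Each observation multiplies the ratio P(obs|scanner)/P(obs|benign).
        self.success_step = theta1 / theta0
        self.failure_step = (1.0 - theta1) / (1.0 - theta0)
        self.ratio = {}    # remote -> running likelihood ratio
        self.seen = {}     # remote -> local addresses already counted
        self.verdict = {}  # remote -> final classification once decided

    def observe(self, remote, local, success):
        """Feed one connection attempt; returns 'pending', 'scanner' or 'benign'."""
        if remote in self.verdict:
            return self.verdict[remote]
        seen = self.seen.setdefault(remote, set())
        if local in seen:          # only the first contact to each local host counts
            return "pending"
        seen.add(local)
        step = self.success_step if success else self.failure_step
        self.ratio[remote] = self.ratio.get(remote, 1.0) * step
        if self.ratio[remote] >= self.eta1:
            self.verdict[remote] = "scanner"
        elif self.ratio[remote] <= self.eta0:
            self.verdict[remote] = "benign"
        return self.verdict.get(remote, "pending")

def classify(events):
    """events: iterable of (remote_ip, local_ip, connection_succeeded)."""
    trw = ThresholdRandomWalk()
    return {r: trw.observe(r, l, ok) for r, l, ok in events}

# Constructed sample: one host failing against four local addresses, one
# host succeeding against four, and one host with mixed results.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"10.0.0.{i}", False) for i in range(1, 5)]
    + [("198.51.100.5", f"10.0.0.{i}", True) for i in range(10, 14)]
    + [("192.0.2.9", "10.0.0.20", False), ("192.0.2.9", "10.0.0.21", True),
       ("192.0.2.9", "10.0.0.22", False)]
)

if __name__ == "__main__":
    for remote, verdict in classify(SAMPLE_EVENTS).items():
        print(remote, verdict)
```

With these parameters a failure multiplies the ratio by 4 and a success by 0.25, so four consecutive failed first contacts push a host past the scanner threshold of 99, matching the small number of attempts the abstract reports.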
