Authors: Salvatore J. Stolfo, Seth Jerome Robertson
DOI:
Keywords:
Abstract: A method for detecting surveillance activity in a computer communication network, comprising automatic detection of malicious probes and scans and adaptive learning. Automatic scan/probe detection comprises modeling connections, grouping connections that are likely to originate from the same source, detecting scanning by grouping source addresses that are logically close to one another, and recognizing certain combinations of probes. The method is implemented as a detector, preferably in combination with a commercial or open-source intrusion detection system and an anomaly detector. Once generated, the model monitors online traffic to detect scanning behavior without any requirement for a priori knowledge of that behavior. This is referred to as "behavior-based" or "mining-based detection." The three main components may be used separately from each other. The alerts produced are presented to an analyst, used for generating reports (such as trend analysis), or correlated with the output of other detectors. Through correlation, the invention prioritizes alerts, reduces their number, and determines the most important alerts.
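The abstract describes the approach at a high level only. The following is an added example, not code from the patent or its authors, that shows how the pieces fit together over constructed connection records: a connection model is built per source group, sources within the same /24 are treated as "logically close", distinct-host and distinct-port counts flag horizontal and vertical scans, a fixed port combination is recognized as a probe pattern, and the resulting alerts are scored and ordered. The record format, the /24 grouping, the thresholds, the probe combination and the scoring are all assumptions made for illustration; the patent does not specify them.

```python
"""Behavior-based scan/probe detection over connection records.

Added example illustrating the approach described in the abstract (model
connections, group logically close sources, recognize probe combinations,
correlate and prioritize alerts). The record format, the /24 grouping, the
thresholds, the probe combination and the scoring are assumptions for
illustration; none of them are taken from the patent.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample records: (source_ip, destination_ip, destination_port).
# Addresses come from the RFC 5737 documentation ranges.
RECORDS = [
    # Normal repeated HTTPS traffic from one client: should not alert.
    ("192.0.2.10", "10.0.0.5", 443),
    ("192.0.2.10", "10.0.0.5", 443),
    ("192.0.2.10", "10.0.0.5", 443),
    # Vertical scan: one source sweeping many ports on one host.
    ("198.51.100.7", "10.0.0.8", 21),
    ("198.51.100.7", "10.0.0.8", 22),
    ("198.51.100.7", "10.0.0.8", 23),
    ("198.51.100.7", "10.0.0.8", 25),
    ("198.51.100.7", "10.0.0.8", 80),
    ("198.51.100.7", "10.0.0.8", 3389),
    # Distributed horizontal scan: five addresses in one /24 each probing
    # port 22 on a different host. No single source crosses a threshold;
    # only grouping the logically close sources reveals the sweep.
    ("203.0.113.11", "10.0.0.21", 22),
    ("203.0.113.12", "10.0.0.22", 22),
    ("203.0.113.13", "10.0.0.23", 22),
    ("203.0.113.14", "10.0.0.24", 22),
    ("203.0.113.15", "10.0.0.25", 22),
]

# Assumed tuning: sources within the same /24 are "logically close";
# a group touching this many distinct hosts or ports is treated as scanning.
GROUP_PREFIX = 24
HOST_THRESHOLD = 5
PORT_THRESHOLD = 5
# Assumed probe combination worth its own alert: remote-administration ports.
ADMIN_COMBO = frozenset({22, 23, 3389})


def source_group(src_ip, prefix=GROUP_PREFIX):
    """Map a source address to its enclosing prefix (the grouping key)."""
    return str(ip_network(f"{src_ip}/{prefix}", strict=False))


def model_connections(records, prefix=GROUP_PREFIX):
    """Build the connection model: per source group, which sources, hosts
    and ports were seen and how many connections were made."""
    model = defaultdict(lambda: {"sources": set(), "hosts": set(),
                                 "ports": set(), "connections": 0})
    for src, dst, port in records:
        g = model[source_group(src, prefix)]
        g["sources"].add(src)
        g["hosts"].add(dst)
        g["ports"].add(port)
        g["connections"] += 1
    return dict(model)


def detect_scans(model):
    """Raise one alert per source group whose behavior looks like scanning."""
    alerts = []
    for group, g in model.items():
        kinds = []
        if len(g["hosts"]) >= HOST_THRESHOLD:
            kinds.append("horizontal_scan")
        if len(g["ports"]) >= PORT_THRESHOLD:
            kinds.append("vertical_scan")
        if ADMIN_COMBO <= g["ports"]:
            kinds.append("admin_service_probe_combo")
        if kinds:
            alerts.append({"group": group, "kinds": kinds,
                           "sources": len(g["sources"]),
                           "hosts": len(g["hosts"]), "ports": len(g["ports"])})
    return alerts


def prioritize(alerts):
    """Correlate by scoring breadth (hosts, ports, distinct sources, number of
    behaviors matched) so the analyst sees the most important alert first."""
    def score(a):
        return a["hosts"] + a["ports"] + a["sources"] + 5 * len(a["kinds"])
    return sorted(alerts, key=score, reverse=True)


def run(records=RECORDS):
    """Full pipeline: model, detect, prioritize. Returns the ordered alerts."""
    return prioritize(detect_scans(model_connections(records)))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed records, the single-source port sweep is ranked first because it matches two behaviors (vertical scan plus the assumed admin-port combination), the distributed sweep from 203.0.113.0/24 is second, and the repeated HTTPS client produces no alert at all. In a deployment the grouping prefix and thresholds would be learned from baseline traffic rather than hard-coded, which is the adaptive-learning component the abstract refers to.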