Practical automated detection of stealthy portscans

Authors: Stuart Staniford, James A. Hoagland, Joseph M. McAlerney

DOI: 10.3233/JCS-2002-101-205


Abstract: Portscan detectors in network intrusion detection products are easy to evade. They classify a portscan as more than N distinct probes within M seconds from a single source. This paper begins with an analysis of the scan detection problem, and then presents Spice (Stealthy Probing Intrusion Correlation Engine), a portscan detector that is effective against stealthy scans yet operationally practical. Our design maintains records of event likelihood, from which we approximate the anomalousness of a given packet. We use simulated annealing to cluster anomalous packets together into portscans, using heuristics developed from real scans. Packets are kept around longer if they are more anomalous. Spice should enable us to detect all scans detected by current techniques, plus many stealthy scans, with manageable false positives. We also discuss detection of other activity such as worms and DDOS control networks.
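The abstract contrasts the usual "more than N probes in M seconds" rule with a design that scores packets by anomalousness and retains the anomalous ones longer. The following added example (not code from the paper or from the Spice implementation) puts the two side by side on constructed traffic: a classic threshold detector, and a simplified stand-in for the paper's approach that uses a Laplace-smoothed surprisal score for each (destination, port) pair and scales each record's lifetime by that score. The simulated annealing clustering of the real system is not reproduced; the score formula, the `base_ttl` retention rule, the flagging threshold and every IP address and timestamp are assumptions made for this illustration.

```python
"""Threshold vs. anomaly-weighted portscan detection on constructed traffic.

Illustration only: a simplified stand-in for the anomaly-scoring and
score-scaled retention idea, not the Spice algorithm itself.
"""
import math
from collections import defaultdict, deque

# Packet tuples are (time_seconds, src_ip, dst_ip, dst_port); all constructed.


def background_traffic(n=200):
    """20 clients talking to a web server (port 80) and a mail server (port 25)."""
    pkts = []
    for i in range(n):
        dst, port = ("10.0.0.10", 80) if i % 2 == 0 else ("10.0.0.20", 25)
        pkts.append((i * 0.5, f"192.0.2.{i % 20 + 1}", dst, port))
    return pkts


def slow_scan(src="198.51.100.7", start=0.0, gap=60.0, n=10):
    """One source touching a new host/port pair every `gap` seconds (constructed)."""
    return [(start + k * gap, src, f"10.0.0.{30 + k}", 1000 + k) for k in range(n)]


def build_traffic():
    """Merge the constructed background and the slow probe sequence, in time order."""
    return sorted(background_traffic() + slow_scan())


def threshold_detector(packets, n_probes=5, window=30.0):
    """Classic rule: flag a source with more than N distinct targets in M seconds.

    Returns {src: time_first_flagged}. A probe every 60 s never has more than
    one target inside a 30 s window, so this rule never fires on the slow scan.
    """
    recent = defaultdict(deque)   # src -> deque of (time, (dst, dport))
    flagged = {}
    for t, src, dst, dport in sorted(packets):
        q = recent[src]
        q.append((t, (dst, dport)))
        while q and q[0][0] < t - window:
            q.popleft()
        if src not in flagged and len({tgt for _, tgt in q}) > n_probes:
            flagged[src] = t
    return flagged


def anomaly_detector(packets, score_threshold=20.0, base_ttl=30.0):
    """Weight each packet by its surprisal and keep anomalous ones around longer.

    score = -log2(P(dst, dport)) with a Laplace-smoothed estimate over targets
    seen so far; a record lives for base_ttl * score seconds (assumed rule).
    A source is flagged once the summed score of its live records reaches the
    threshold. Returns {src: time_first_flagged}.
    """
    counts = {}                   # (dst, dport) -> times seen so far
    total = 0
    retained = defaultdict(dict)  # src -> {(dst, dport): (expiry, score)}
    flagged = {}
    for t, src, dst, dport in sorted(packets):
        key = (dst, dport)
        # Laplace-smoothed probability of this target given everything seen so far
        p = (counts.get(key, 0) + 1) / (total + len(counts) + 1)
        score = -math.log2(p)
        counts[key] = counts.get(key, 0) + 1
        total += 1
        # More anomalous packets earn a longer lifetime in the per-source record
        retained[src][key] = (t + base_ttl * score, score)
        live = {k: v for k, v in retained[src].items() if v[0] > t}
        retained[src] = live
        evidence = sum(s for _, s in live.values())
        if src not in flagged and evidence >= score_threshold:
            flagged[src] = round(t, 1)
    return flagged


if __name__ == "__main__":
    traffic = build_traffic()
    print("threshold rule flagged:", threshold_detector(traffic))
    print("anomaly-weighted flagged:", anomaly_detector(traffic))
```

With these constructed inputs the threshold rule flags nothing, while the anomaly-weighted detector flags the slow source at t = 180 s: by then three of its probes, each scoring roughly 7 bits of surprisal and therefore retained for several minutes, are live at once, whereas the busy clients never accumulate more than a few bits across their two common targets. The parameters are illustrative; the point is that retention scaled by anomalousness lets evidence from widely spaced probes accumulate where a fixed window discards it.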
