DOI: 10.1145/1966913.1966928 (research article, ASIA CCS conference proceedings)
Network scan detection with LQS: a lightweight, quick and stateful algorithm

Published: 22 March 2011

Abstract

Network scanning reveals valuable information about the hosts accessible over the Internet and the network services they offer, which allows an attacker to significantly narrow the set of potential targets. Making network scanning detection more appealing in practice requires addressing and balancing a set of sometimes competing desirable properties: 1) fast detection of scanning activity, to enable prompt response by intrusion detection and prevention systems; 2) an acceptable rate of false alarms, keeping in mind that false alarms may lead to legitimate traffic being penalized; 3) a high detection rate, including the ability to detect stealthy scanners; 4) efficient use of monitoring system resources; and 5) immunity to evasion. In this paper, we present a scanning detection algorithm designed to accommodate all of these goals. LQS is a fast, accurate, and lightweight scan detection algorithm that leverages the key properties of the monitored network environment as variables that affect how the detection algorithm operates. We also present what is, to our knowledge, the first automated way to estimate a reference baseline in the absence of ground truth, for use as an evaluation methodology for scan detection. Using network traces from two sites, we evaluate LQS and compare its scan detection results with those obtained by the state-of-the-art TRW algorithm. Our empirical analysis shows significant improvements over TRW in all of these properties.



    Published In

    ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, March 2011, 527 pages. ISBN: 9781450305648. DOI: 10.1145/1966913.
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. host discovery techniques
    2. port scanning
    3. reconnaissance
    4. scanning detection

    Qualifiers

    • Research-article

    Conference

    ASIA CCS '11

    Acceptance Rates

    ASIACCS '11 Paper Acceptance Rate 35 of 217 submissions, 16%;
    Overall Acceptance Rate 418 of 2,322 submissions, 18%

    Cited By

    • (2022) A Multimodel-Based Approach for Estimating Cause of Scanning Failure and Delay in IoT Wireless Network. Network, 2(4):519-544. DOI: 10.3390/network2040031. Online publication date: 12 Oct 2022.
    • (2022) Clustering Payloads: Grouping Randomized Scan Probes Into Campaign Templates. 2022 IFIP Networking Conference (IFIP Networking), pages 1-9. DOI: 10.23919/IFIPNetworking55013.2022.9829757. Online publication date: 13 Jun 2022.
    • (2021) A Practice of Detecting Insider Threats within a Network. Advances in Security, Networks, and Internet of Things, pages 183-194. DOI: 10.1007/978-3-030-71017-0_13. Online publication date: 11 Jul 2021.
    • (2019) Research on the Impact of Attacks on Security Characteristics. 2019 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), pages 1450-1455. DOI: 10.1109/SmartWorld-UIC-ATC-SCALCOM-IOP-SCI.2019.00262. Online publication date: Aug 2019.
    • (2017) Profiling internet scanners: Spatiotemporal structures and measurement ethics. 2017 Network Traffic Measurement and Analysis Conference (TMA), pages 1-9. DOI: 10.23919/TMA.2017.8002909. Online publication date: Jun 2017.
    • (2017) UnitecDEAMP: Flow Feature Profiling for Malicious Events Identification in Darknet Space. Applications and Techniques in Information Security, pages 157-168. DOI: 10.1007/978-981-10-5421-1_13. Online publication date: 23 Jun 2017.
    • (2015) Evasion-resistant network scan detection. Security Informatics, 4:1. DOI: 10.1186/s13388-015-0019-7. Online publication date: 9 May 2015.
    • (2015) Using Bayesian Decision Making to Detect Slow Scans. 2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), pages 32-41. DOI: 10.1109/BADGERS.2015.015. Online publication date: Nov 2015.
    • (2012) Revisiting network scanning detection using sequential hypothesis testing. Security and Communication Networks, 5(12):1337-1350. DOI: 10.1002/sec.416. Online publication date: 1 Dec 2012.
