DOI: 10.1145/3442520.3442525
research-article

Slow Scan Attack Detection Based on Communication Behavior

Published: 13 March 2021

Abstract

We present a novel method for detecting slow scan attacks. Attackers use scan attacks to collect information about vulnerabilities in hosts and then penetrate the systems based on the collected information. Detecting scan attacks is therefore useful for preventing the attacks that follow. Intrusion detection systems (IDSs) have been proposed for detecting scan attacks. However, they cannot detect slow scan attacks, which are executed slowly over a long period. In this paper, we introduce novel features that distinguish the communication behavior of scanning hosts from that of benign hosts. We then propose a detection method that uses these features. Furthermore, through experiments, we confirm the effectiveness of our method for detecting slow scan attacks.


Cited By

  • (2023) PWAGAT: Potential Web attacker detection based on graph attention network. Neurocomputing 557 (126725). DOI: 10.1016/j.neucom.2023.126725. Online publication date: Nov-2023


Published In

ICCNS '20: Proceedings of the 2020 10th International Conference on Communication and Network Security
November 2020
145 pages
ISBN:9781450389037
DOI:10.1145/3442520
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. communication behavior
  2. security
  3. slow scan attack detection

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICCNS 2020
