    Surveying port scans and their detection methodologies

    Scanning of ports on a computer occurs frequently on the Internet. An attacker performs port scans of IP addresses to find vulnerable hosts to compromise. However, it is also useful for system administrators and other network defenders to detect port scans as possible preliminaries to more serious attacks. It is a very difficult task to recognize instances of malicious port scanning. In general, a port scan may be an instance of a scan by attackers or an instance of a scan by network defenders. In this survey, we present research and development trends in this area. Our presentation includes a discussion of common port scan attacks. We provide a comparison of port scan methods based on type, mode of detection, mechanism used for detection, and other characteristics. This survey also reports on the available datasets and evaluation criteria for port scan detection approaches.

    Intrusion Detection by Port Scan Using Snort

    Network intrusion detection systems (NIDS) are an important part of any network security architecture. They provide a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alerts system administrators when potentially hostile traffic is detected. Network Intrusion Detection Systems (NIDS) perform deep packet inspection on packet payloads to identify, prevent, and inhibit malicious attacks over the Internet [1]. Snort is a lightweight intrusion detection system that can log packets coming across your network. This program can be used on smaller networks, but on larger ones, with Gigabit Ethernet, Snort can become unreliable. Snort doesn't require that you recompile your kernel or add any software or hardware to your existing distribution, but it does require that you have root privileges.

    Distributed Port Scanning Detection

    Conventional Network Intrusion Detection Systems (NIDS) have heavyweight processing and memory requirements as they maintain per-flow state using data structures like linked lists or trees. This is required for some specialized jobs such as Stateful Packet Inspection (SPI), where the network communications between entities are recreated in their entirety to inspect application-level data. The downside to this approach is that the NIDS must be in a position to view all inbound and outbound traffic of the protected network. The NIDS can be overwhelmed by a DDoS attack, since most of these try to exhaust the available state of network entities. For some applications like port scan detection, we do not need to reconstruct the complete network traffic. We propose to integrate a detector into all routers so that a more distributed detection approach can be achieved. Since routers are devices with limited memory and processing capabilities, conventional NIDS approaches do not work when integrating a detector into them. We describe a method to detect port scans using aggregation. A data structure called a Partial Completion Filter (PCF) or a counting Bloom filter is used to reduce the per-flow state.

    New Sequential Methods for Detecting Portscanners

    In this paper, we propose new sequential methods for detecting port-scan attackers, which routinely perform random "portscans" of IP addresses to find vulnerable servers to compromise. In addition to rigorously controlling the probability of falsely implicating benign remote hosts as malicious, our method performs significantly faster than other current solutions. Moreover, our method guarantees that the maximum amount of observational time is bounded. In contrast to the previous most effective method, the Threshold Random Walk algorithm, which is explicit and analytical in nature, our proposed algorithm involves parameters to be determined by numerical methods. We have developed computational techniques such as iterative minimax optimization for quick determination of the parameters of the new detection algorithm. A framework of multi-valued decision for testing portscanners is also proposed. Comment: 11 pages, 5 figures; the mathematical theory of the detection algorithm has been presented at an SPIE conference.

    Dendritic Cells for Real-Time Anomaly Detection

    Dendritic Cells (DCs) are innate immune system cells which have the power to activate or suppress the immune system. The behaviour of human DCs is abstracted to form an algorithm suitable for anomaly detection. We test this algorithm on the real-time problem of port scan detection. Our results show a significant difference in artificial DC behaviour for an outgoing portscan when compared to behaviour for normal processes.

    Analysis and Implementation of a Mikrotik-Based Intrusion Detection System (IDS) Network Security System

    This journal article discusses the analysis of a Mikrotik-based Intrusion Detection System (IDS) for detecting DoS (Denial of Service) attacks, which occur frequently. The system is used to detect traffic behaviour and match it against parameters defined for each type of attack. The analysis examines the detection accuracy of the IDS, focusing on six types of DoS attack: SYN flood, UDP flood, ICMP flood, Smurf, port scan, and host scan. The results show that the system can accurately identify all traffic and all hosts associated with attack activity. Keywords: Intrusion Detection System (IDS), Mikrotik, Denial of Service, DoS, DDo

    Implementation of Portsentry as Ubuntu Server Security Against Attack Activity at SMK Negeri 2 Pekalongan

    The network security system in an educational environment, especially in schools, is an important factor in guaranteeing the stability, integrity, and validity of data. Implementing a Portsentry-based Intrusion Detection System can save on software procurement costs because it is free and reasonably reliable at detecting port scanning attacks. Portsentry can be implemented on the Ubuntu operating system, which is already widely used, particularly at SMK Negeri 2 Pekalongan. A port scanning attack can be detected and its traces viewed in Syslog. Based on the test results, the Portsentry system, when subjected to a port scan, can warn of a security attack on the system through the packets passing over the network. These results can be used as a reference for determining the school's network security policy.

    Real-time Intrusion Detection using Multidimensional Sequence-to-Sequence Machine Learning and Adaptive Stream Processing

    A network intrusion is any unauthorized activity on a computer network. There are host-based and network-based Intrusion Detection Systems (IDSs), each of which may use signature-based and anomaly-based detection methods. An anomalous network behavior can be defined as an intentional violation of the expected sequence of packets. In a real-time network-based IDS, incoming packets are treated as a stream of data. A stream processor takes any stream of data or events and extracts interesting patterns on the fly. This representation allows applying statistical anomaly detection using sequence prediction algorithms, as well as using a stream processor to perform signature-based intrusion detection and sequence extraction from a stream of packets. In this thesis, a Multidimensional Sequence to Multidimensional Sequence (MSeq2MSeq) encoder-decoder model is proposed to predict sequences of packets, and an adaptive and functionally auto-scaling stream processor, Wisdom, is proposed to process streams of packets. The proposed MSeq2MSeq model, trained on legitimate traffic, is able to detect Neptune Denial of Service (DoS) attacks and Port Scan probes with a 100% detection rate using the DARPA 1999 dataset. A hybrid algorithm using Particle Swarm Optimization (PSO) and Bisection algorithms was developed to optimize Complex Event Processing (CEP) rules in Wisdom. Adaptive CEP rules optimized by the above algorithm were able to detect FTP Brute Force attacks, Slow Header DoS attacks, and Port Scan probes with a 100% detection rate while processing over 2.5 million events per second. An adaptive and functionally auto-scaling IDS was built using the MSeq2MSeq model and the Wisdom stream processor to detect and prevent attacks based on anomalies and signatures in real time. The proposed IDS adapts itself to obtain the best results without human intervention and utilizes available system resources in a functionally auto-scaling deployment. Results show that the proposed IDS detects FTP Brute Force attacks, Slow Header DoS attacks, HTTP Unbearable Load King (HULK) DoS attacks, SQL Injection attacks, Web Brute Force attacks, Cross-site scripting attacks, Ares Botnet attacks, and Port Scan probes with a 100% detection rate in a real-time environment simulated from the CICIDS 2017 dataset.