A Novel Approach to Scan Detection on the Backbone

2 Author(s)
Yu Zhang ; Res. Center of Comput. Network & Inf. Security Technol., Harbin Inst. of Technol., Harbin ; Binxing Fang

Scanning activities are usually conducted by infected hosts to discover other vulnerable hosts, or by a motivated adversary to gather information, and are typically a precursor to most cyber attacks. Many scan detection approaches exist at present; however, most of them focus on enterprise-level networks, where the traffic volume is low and both bi-directional and packet-level information are available. This paper proposes a new port scan detection approach, time-based flow size distribution sequential hypothesis testing (TFDS for short), for high-speed transit networks where only unidirectional flow information is available. TFDS uses the main idea of sequential hypothesis testing to detect scanners that exhibit abnormal access patterns in terms of flow size distribution (FSD) entropy. We compare TFDS with the state-of-the-art backbone port scan detection method TAPS in terms of efficiency and effectiveness using a real backbone packet trace, and find that TFDS performs much better than TAPS.
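The following sketch is an added illustration of the idea the abstract names, not the paper's TFDS algorithm or the authors' code: a Wald sequential probability ratio test run per source over time bins, where each bin's observation is whether the source's flow size distribution entropy is low. The entropy cut, the bin probabilities, the error targets, and the assumption that scanners show low FSD entropy (many same-size flows) are all assumptions made here, and the flow records are constructed.

```python
import math
from collections import Counter, defaultdict

# Assumed parameters for illustration; none of them come from the paper.
ENTROPY_CUT = 0.5          # bits; a bin at or below this counts as scan-like
MIN_FLOWS = 5              # skip bins with too few flows to estimate entropy
P_LOW_BENIGN = 0.2         # P(scan-like bin | benign source)
P_LOW_SCANNER = 0.8        # P(scan-like bin | scanner)
ALPHA, BETA = 0.01, 0.99   # target false-positive and detection rates
UPPER = math.log(BETA / ALPHA)              # crossing it accepts "scanner"
LOWER = math.log((1 - BETA) / (1 - ALPHA))  # crossing it accepts "benign"

def fsd_entropy(sizes):
    """Shannon entropy (bits) of the flow size distribution in one bin."""
    n = len(sizes)
    return -sum(c / n * math.log2(c / n) for c in Counter(sizes).values())

def classify(flows):
    """flows: iterable of (time_bin, src, packets_in_flow), one direction only.
    Returns {src: 'scanner' | 'benign' | 'pending'}."""
    bins = defaultdict(list)
    for t, src, size in flows:
        bins[(src, t)].append(size)
    llr, verdict = defaultdict(float), {}
    for src, t in sorted(bins, key=lambda k: k[1]):   # walk bins in time order
        verdict.setdefault(src, "pending")
        sizes = bins[(src, t)]
        if verdict[src] != "pending" or len(sizes) < MIN_FLOWS:
            continue
        if fsd_entropy(sizes) <= ENTROPY_CUT:
            llr[src] += math.log(P_LOW_SCANNER / P_LOW_BENIGN)
        else:
            llr[src] += math.log((1 - P_LOW_SCANNER) / (1 - P_LOW_BENIGN))
        if llr[src] >= UPPER:
            verdict[src] = "scanner"
        elif llr[src] <= LOWER:
            verdict[src] = "benign"
    return verdict

def sample_flows():
    """Constructed sample records, not data from the paper's trace."""
    flows = []
    for t in range(6):
        flows += [(t, "192.0.2.10", 1)] * 20    # many one-packet flows per bin
        flows += [(t, "198.51.100.7", s) for s in (1, 3, 7, 12, 40, 5)]
    flows += [(t, "203.0.113.5", 2) for t in range(2) for _ in range(10)]
    return flows
```

With these assumed probabilities each bin moves the log-likelihood ratio by about 1.39, so a source needs four consistent bins before either threshold (about 4.6 in magnitude) is crossed; a source seen in fewer bins stays pending.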

Published in:

Information Technology: New Generations, 2009. ITNG '09. Sixth International Conference on

Date of Conference:

27-29 April 2009