A Modified Multi-Resolution Approach for Port Scan Detection

Although port scan detection techniques have been widely adopted by the modern network based security systems, the effectiveness of these techniques can significantly be limited since the detection performance heavily relies on the statically determined detection threshold. To tackle the problem, a multi-resolution approach called MRDS, maintaining multiple monitoring windows with the corresponding detection thresholds, has been proposed. However, deploying such technique in a high speed network is not easy due to the time and space complexity required for calculating the number of unique destination addresses contacted in the multiple monitoring windows. In this paper, we present a novel failed flow dispersion estimation technique, called Multi-Window State Map (MWSM), which requires a small amount of memory and a constant number of memory access for implementing the multi-resolution concept. We then extend the proposed MWSM into a complete port scan detector. Simulation results with real world traffic traces indicate that the proposed estimation technique manages the expected relative error and average standard error of less than 0.8% and 9% respectively and thus the MWSM based detection scheme reduces false positives by 60% compared to MRDS.