  • DocumentCode
    2486699
  • Title
    Improving the detection of on-line vertical port scan in IP traffic
  • Author
    Chabchoub, Yousra ; Fricker, Christine ; Robert, Philippe
  • Author_Institution
    ISEP, Paris, France
  • fYear
    2012
  • fDate
    10-12 Oct. 2012
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    We propose in this paper an on-line algorithm based on Bloom filters to detect port scan attacks in IP traffic. Only relevant information about destination IP addresses and destination ports is stored in two steps in a two-dimensional Bloom filter. This algorithm can be indefinitely performed on a real traffic stream thanks to a new adaptive refreshing scheme that closely follows traffic variations. It is a scalable algorithm able to deal with IP traffic at a very high bit rate thanks to the use of hashing functions over a sliding window. Moreover, it does not need any a priori knowledge about traffic characteristics. When tested against real IP traffic, the proposed on-line algorithm performs well in the sense that it detects all the port scan attacks within a very short response time of only 10 seconds without any false positive.
  • Keywords
    IP networks; Internet; computer network security; data structures; telecommunication traffic; IP traffic; Internet measurements; destination IP addresses; destination ports; hashing functions; online vertical port scan detection algorithm; port scan attack detection; sliding window; two-dimensional Bloom filter; Algorithm design and analysis; Context; IP networks; Internet; Manganese; Radiation detectors; Attack detection; Bloom filter; Internet measurements; On-line algorithms;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Risk and Security of Internet and Systems (CRiSIS), 2012 7th International Conference on
  • Conference_Location
    Cork
  • Print_ISBN
    978-1-4673-3087-9
  • Electronic_ISBN
    978-1-4673-3088-6
  • Type
    conf
  • DOI
    10.1109/CRISIS.2012.6378945
  • Filename
    6378945