A Honeypot-Based Degree Statistics Method for Scans Detection

One of difficulties network scan detection system must face is how to identify a scan source from normal and abnormal hybrid traffics. In this paper, firstly we use modified low interaction honeypots to get pure abnormal scan traffics for avoiding scan sources identification procedure. Secondly, we try to consider scans detection problem through the eye of a network on the basis of above dataset. A 3 layers scan detection network is constructed where the node of every layer is source-IP, destination-IP and resource (the couple {destination port, protocol}), the link is the scan access connection between nodes. The scan detection network owns good features of layer and single-direction. A degree statistics method is put forward to grade the importance of nodes of the scan detection network and give proper warnings. By using a degree statistics method on honeypot dataset we can focus on the research of scan sources´ behaviors and stand out what´s really worthy of noticing and warning instead of staying at the procedure of identifying whether a source is a scanner or not. Our method enriches the statistic information of scan detection and can effectively reduce warning false positives comparing to previous works