An adaptive fuzzy based Scan Detection Technique using Time Independent Feature Set
Port scanning is used to identify vulnerable machines and is, in most cases, a precursor to more sophisticated attacks. Early detection of port scans reduces the impact and propagation of distributed attacks and worms. Many algorithmic, threshold-based and visual solutions have been proposed, each of which boils down, in one way or another, to testing for X events within a time window of size Y. Consequently, the accuracy and detection time of each solution ultimately depend on the threshold or sensitivity of the detector, which in turn depends on the scanner's deployment point. In parallel with these solutions, port scanning has also become stealthy: attackers use diverse techniques to attenuate the scanning pattern by distributing it in time, across features and/or across the address space. This article proposes an adaptive-threshold, generic solution for detecting various port scans and DDoS attacks using a Time Independent Feature Set. Instead of using a fixed threshold for the scan detector, the paper adapts the boundaries of the fuzzy linguistic sets, and hence the threshold, according to a network-traffic feature such as the number of connected TCP sessions. Experiments carried out on the DARPA 98/99 data set show early detection of port scans with high detection accuracy.
Keywords: port scan, adaptive threshold, fuzzy, intrusion, anomaly detection
Habib Ullah Baig, Farrukh Kamran, Mehmood Ahmed Sheikh
Center for Advanced Studies in Engineering (CASE), Department of Computer Engineering, Islamabad, Pakistan
International conference
Shanghai
English
Pages 1938-1942
2009-11-20 (date first posted on the Wanfang platform; not the publication date of the paper)