상세정보
학술대회
A Modified Multi-Resolution Approach for Port Scan Detection
- 발행일
- 201012
- 출처
- Global Telecommunications Conference (GLOBECOM) 2010, pp.1-5
- 협약과제
- 10MR2700, 방송ㆍ통신 융합 다자간 서비스 및 연속성 제어 기술개발, 조기성
- 초록
- Although port scan detection techniques have been widely adopted by the modern network based security systems, the effectiveness of these techniques can significantly be limited since the detection performance heavily relies on the statically determined detection threshold. To tackle the problem, a multi-resolution approach called MRDS, maintaining multiple monitoring windows with the corresponding detection thresholds, has been proposed. However, deploying such technique in a high speed network is not easy due to the time and space complexity required for calculating the number of unique destination addresses contacted in the multiple monitoring windows. In this paper, we present a novel failed flow dispersion estimation technique, called Multi-Window State Map (MWSM), which requires a small amount of memory and a constant number of memory access for implementing the multi-resolution concept. We then extend the proposed MWSMinto a complete port scan detector. Simulation results with real world traffic traces indicate that the proposed estimation technique manages the expected relative error and average standard error of less than 0.8% and 9% respectively and thus the MWSM based detection scheme reduces false positives by 60% compared to MRDS. ©2010 IEEE.
- KSP 제안 키워드
- Detection scheme, Detection threshold, Estimation Technique, False positive, Flow dispersion, High speed network, Memory Access, Multi-resolution approach, Real-world, Relative Error, Time and Space Complexity