Cargando…
Detection of slow port scans in flow-based network traffic
Frequently, port scans are early indicators of more serious attacks. Unfortunately, the detection of slow port scans in company networks is challenging due to the massive amount of network data. This paper proposes an innovative approach for preprocessing flow-based data which is specifically tailor...
| Autores principales: | , , |
|---|---|
| Formato: | Online Artículo Texto |
| Lenguaje: | English |
| Publicado: |
Public Library of Science
2018
|
| Materias: | |
| Acceso en línea: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6156027/ https://www.ncbi.nlm.nih.gov/pubmed/30252894 http://dx.doi.org/10.1371/journal.pone.0204507 |
| _version_ | 1783358016400130048 |
|---|---|
| author | Ring, Markus Landes, Dieter Hotho, Andreas |
| author_facet | Ring, Markus Landes, Dieter Hotho, Andreas |
| author_sort | Ring, Markus |
| collection | PubMed |
| description | Frequently, port scans are early indicators of more serious attacks. Unfortunately, the detection of slow port scans in company networks is challenging due to the massive amount of network data. This paper proposes an innovative approach for preprocessing flow-based data which is specifically tailored to the detection of slow port scans. The preprocessing chain generates new objects based on flow-based data aggregated over time windows while taking domain knowledge as well as additional knowledge about the network structure into account. The computed objects are used as input for the further analysis. Based on these objects, we propose two different approaches for detection of slow port scans. One approach is unsupervised and uses sequential hypothesis testing whereas the other approach is supervised and uses classification algorithms. We compare both approaches with existing port scan detection algorithms on the flow-based CIDDS-001 data set. Experiments indicate that the proposed approaches achieve better detection rates and exhibit less false alarms than similar algorithms. |
| format | Online Article Text |
| id | pubmed-6156027 |
| institution | National Center for Biotechnology Information |
| language | English |
| publishDate | 2018 |
| publisher | Public Library of Science |
| record_format | MEDLINE/PubMed |
| spelling | pubmed-61560272018-10-19 Detection of slow port scans in flow-based network traffic Ring, Markus Landes, Dieter Hotho, Andreas PLoS One Research Article Frequently, port scans are early indicators of more serious attacks. Unfortunately, the detection of slow port scans in company networks is challenging due to the massive amount of network data. This paper proposes an innovative approach for preprocessing flow-based data which is specifically tailored to the detection of slow port scans. The preprocessing chain generates new objects based on flow-based data aggregated over time windows while taking domain knowledge as well as additional knowledge about the network structure into account. The computed objects are used as input for the further analysis. Based on these objects, we propose two different approaches for detection of slow port scans. One approach is unsupervised and uses sequential hypothesis testing whereas the other approach is supervised and uses classification algorithms. We compare both approaches with existing port scan detection algorithms on the flow-based CIDDS-001 data set. Experiments indicate that the proposed approaches achieve better detection rates and exhibit less false alarms than similar algorithms. Public Library of Science 2018-09-25 /pmc/articles/PMC6156027/ /pubmed/30252894 http://dx.doi.org/10.1371/journal.pone.0204507 Text en © 2018 Ring et al http://creativecommons.org/licenses/by/4.0/ This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/) , which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited. |
| spellingShingle | Research Article Ring, Markus Landes, Dieter Hotho, Andreas Detection of slow port scans in flow-based network traffic |
| title | Detection of slow port scans in flow-based network traffic |
| title_full | Detection of slow port scans in flow-based network traffic |
| title_fullStr | Detection of slow port scans in flow-based network traffic |
| title_full_unstemmed | Detection of slow port scans in flow-based network traffic |
| title_short | Detection of slow port scans in flow-based network traffic |
| title_sort | detection of slow port scans in flow-based network traffic |
| topic | Research Article |
| url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6156027/ https://www.ncbi.nlm.nih.gov/pubmed/30252894 http://dx.doi.org/10.1371/journal.pone.0204507 |
| work_keys_str_mv | AT ringmarkus detectionofslowportscansinflowbasednetworktraffic AT landesdieter detectionofslowportscansinflowbasednetworktraffic AT hothoandreas detectionofslowportscansinflowbasednetworktraffic |