Red alert 2 porting kit slow

Frequently, port scans are early indicators of more serious attacks. Unfortunately, the detection of slow port scans in company networks is challenging due to the massive amount of network data. This paper proposes an innovative approach for preprocessing flow-based data which is specifically tailored to the detection of slow port scans. The preprocessing chain generates new objects based on flow-based data aggregated over time windows while taking domain knowledge as well as additional knowledge about the network structure into account. The computed objects are used as input for the further analysis. Based on these objects, we propose two different approaches for detection of slow port scans. One approach is unsupervised and uses sequential hypothesis testing whereas the other approach is supervised and uses classification algorithms. We compare both approaches with existing port scan detection algorithms on the flow-based CIDDS-001 data set. Experiments indicate that the proposed approaches achieve better detection rates and exhibit fewer false alarms than similar algorithms.

Company data are a valuable asset which must be protected against unauthorized access and manipulation. Therefore, companies use various security mechanisms like firewalls or intrusion detection systems (IDS) to protect their data. Most of these operational security systems are, however, signature-based and cannot detect or prevent novel attack scenarios really well. This work aims to support security experts and security systems in detecting novel and more serious attacks on the basis of data which are easy to obtain, while, at the same time, respecting the privacy of the user. To reach this goal, a flexible method is needed which is able to identify new attacks by utilizing and finally generalizing known behaviour. We take advantage of the fact that attack scenarios often follow a general sequence of phases. Skoudis and Liston provide a widely known definition of five attack phases, namely Reconnaissance, Scanning, Gaining Access, Maintaining Access and Covering Tracks. In the Scanning phase, attackers often use port scans to identify hosts or networks which they want to infiltrate. Normally, port scans trigger huge amounts of requests to different ports or IP Addresses within a short period of time. Such port scans can be easily detected by simple mechanisms like counting the number of requested ports for each Source IP Address. However, serious attackers scan their targets slowly in order to avoid suspicion. Slow means in this context that an attacker does not send probe packets permanently. Rather, attackers send probe packets to a host for example only every 15 seconds or every 5 minutes. Consequently, detection of slow port scans is more challenging. Due to the fact that scanning is an essential phase within a typical attack scenario, it is of utmost importance to detect slow port scans in order to identify new attacks. Detection of slow port scans must be taken into account for intrusion and insider threat detection.

This paper tackles the problem of detecting slow port scans in flow-based network data. Port scans as such do not cause any damage, but often constitute a forerunner of attacks that might cause serious harm. Thus, our work contributes to detecting attacks early, namely already in an initial stage during the Scanning phase. Network flows provide meta information about network connections between endpoint devices. Information in flow-based data is significantly condensed in comparison to packet-based data. Hence, the detection of slow port scans is more complicated, but the amount of data to be analysed and, consequently, privacy concerns are reduced. Due to these advantages, we focus on flow-based data and propose two different approaches for the detection of (slow) port scans. The main idea of both approaches is to overcome the shortcomings of flow-based data by exploiting knowledge about the company network and characteristics of port scans in flow-based data. To that end, we propose an innovative preprocessing chain which is specifically tailored to detect slow port scans. We use knowledge about the company network to identify internal hosts. A flow describes only one specific connection whereas a port scan causes many connections.
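The following is an added illustration, not code from the paper, of why the simple per-source port count mentioned above misses a scan that probes one port every 5 minutes, and how aggregating flows over a longer time window while counting only connections to known internal hosts recovers it. The flow records, the internal address range and the thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed: the company's internal address space, the network knowledge used
# to decide which flows count as probes against internal hosts.
INTERNAL = ipaddress.ip_network("192.168.100.0/24")

# Constructed flow records: (timestamp in seconds, src ip, dst ip, dst port).
FAST_SCAN = [(t, "10.0.0.5", "192.168.100.10", 1 + t) for t in range(30)]        # 30 ports in 30 s
SLOW_SCAN = [(300 * i, "10.0.0.9", "192.168.100.10", 20 + i) for i in range(12)]  # one port every 5 min
BENIGN = [(t, "192.168.100.20", "192.168.100.10", 80 if (t // 20) % 2 else 443)
          for t in range(0, 3600, 20)]                                            # normal web traffic
BENIGN += [(t, "192.168.100.20", "8.8.8.8", 53) for t in range(0, 3600, 60)]      # external DNS, ignored
FLOWS = FAST_SCAN + SLOW_SCAN + BENIGN


def ports_per_window(flows, window):
    """Aggregate flows over tumbling windows of `window` seconds.

    Returns {(src_ip, window_index): set of (dst_ip, dst_port)} and counts only
    connections whose destination is an internal host.
    """
    agg = defaultdict(set)
    for ts, src, dst, port in flows:
        if ipaddress.ip_address(dst) in INTERNAL:
            agg[(src, ts // window)].add((dst, port))
    return agg


def scan_candidates(flows, window, threshold):
    """Sources that touch more than `threshold` distinct internal (host, port)
    pairs within a single window; the naive counter is the short-window case."""
    agg = ports_per_window(flows, window)
    return {src for (src, _), targets in agg.items() if len(targets) > threshold}


if __name__ == "__main__":
    # A 60 s window flags only the fast scanner; the slow one shows a single
    # port per window and looks like ordinary traffic.
    print("60 s window:  ", scan_candidates(FLOWS, 60, 10))
    # A 1 h window accumulates the slow scanner's 12 probes and flags it too,
    # while the benign host still only reaches two (host, port) pairs.
    print("3600 s window:", scan_candidates(FLOWS, 3600, 10))
```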