首页    期刊浏览 2024年11月30日 星期六
登录注册

文章基本信息

  • 标题:How can sliding HyperLogLog and EWMA detect port scan attacks in IP traffic?
  • 本地全文:下载
  • 作者:Yousra Chabchoub ; Raja Chiky ; Betul Dogan
  • 期刊名称:EURASIP Journal on Information Security
  • 印刷版ISSN:1687-4161
  • 电子版ISSN:1687-417X
  • 出版年度:2014
  • 卷号:2014
  • 期号:1
  • DOI:10.1186/1687-417X-2014-5
  • 语种:English
  • 出版社:Hindawi Publishing Corporation
  • 摘要:IP networks are constantly targeted by new techniques of denial of service attacks (SYN flooding, port scan, UDP flooding, etc), causing service disruption and considerable financial damage. The on-line detection of DoS attacks in the current high-bit rate IP traffic is a big challenge. We propose in this paper an on-line algorithm for port scan detection. It is composed of two complementary parts: First, a probabilistic counting part, where the number of distinct destination ports is estimated by adapting a method called ‘sliding HyperLogLog’ to the context of port scan in IP traffic. Second, a decisional mechanism is performed on the estimated number of destination ports in order to detect in real time any behavior that could be related to a malicious traffic. This latter part is mainly based on the exponentially weighted moving average algorithm (EWMA) that we adapted to the context of on-line analysis by adding a learning step (supposed without attacks) and improving its update mechanism. The obtained port scan detecting method is tested against real IP traffic containing some attacks. It detects all the port scan attacks within a very short time response (of about 30 s) and without any false positive. The algorithm uses a very small total memory of less than 22 kb and has a very good accuracy on the estimation of the number of destination ports (a relative error of about 3.25%), which is in agreement with the theoretical bounds provided by the sliding HyperLogLog algorithm.
  • 关键词:Control Chart;Exponentially Weight Move Average;Bloom Filter;Attack Detection;Destination Port
国家哲学社会科学文献中心版权所有