A Hypothesis Testing Based Scalable TCP Scan Detection

  • Qianli Zhang
  • Xing Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3961)


The wide spread of worms, DDoS attacks and scan activity has greatly affected network infrastructure security. For scan detection, most traditional detection methods are flow based and therefore unsuitable for gigabit or multi-gigabit networks. To deal with this scalability problem, this paper proposes a novel scan detection method in which no flow record needs to be maintained. Based on the observation that scans generally generate a large volume of returned RST packets, a hypothesis testing based approach is proposed. Experiments on a production network and on the DARPA 1998 datasets indicate that this algorithm is effective.
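The abstract gives only the core idea: keep no per-flow state, count the RST packets that closed ports send back toward a prober, and decide with a hypothesis test whether a host's RST volume is plausible for a benign client. The following script is an added illustration of that idea and is not the paper's algorithm or code. Everything beyond the abstract is an assumption of this example: one counter per address instead of flow records, a Poisson model for a benign host's RST count per window (the paper does not state its test statistic), a fixed significance level, and constructed sample traffic.

```python
"""Illustrative scan detector built on the abstract's observation that scans
draw many TCP RST replies. Added example: not the paper's algorithm or code.
Assumptions (not from the paper): per-host RST counters, a Poisson baseline
for a benign host's RST count per window, and a fixed significance level.
"""
from collections import Counter
from math import exp, lgamma, log


def poisson_sf(k, lam):
    """Upper tail P(X >= k) for X ~ Poisson(lam), summed from the log-pmf so
    it needs no SciPy and stays numerically sane for counts in the hundreds."""
    if k <= 0:
        return 1.0
    if lam <= 0:
        return 0.0
    cdf = 0.0
    for i in range(k):
        cdf += exp(i * log(lam) - lam - lgamma(i + 1))
    return max(0.0, 1.0 - cdf)


def count_rst_receivers(packets):
    """Count RST packets by *destination* address.

    A closed port answers a probe with RST, so the RSTs flow back toward
    the prober; the only state kept is one counter per address, never a
    per-flow (src, dst, sport, dport) record, which is what lets the
    approach scale to high-speed links."""
    counts = Counter()
    for src, dst, dport, flags in packets:
        if "R" in flags:
            counts[dst] += 1
    return counts


def flag_scanners(packets, baseline_rate, alpha=1e-4):
    """One hypothesis test per address seen receiving RSTs.

    H0: the address is a normal host whose RST count in a window is
    Poisson(baseline_rate) (assumed baseline model). Reject H0, i.e.
    flag the address, when the tail probability of the observed count
    is below alpha. Returns {address: p_value} for flagged addresses."""
    flagged = {}
    for addr, n in count_rst_receivers(packets).items():
        p = poisson_sf(n, baseline_rate)
        if p < alpha:
            flagged[addr] = p
    return flagged


# Constructed sample traffic (src, dst, dport, TCP flags): a normal client
# that hits two closed ports, and a host sweeping 60 ports on one target.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 80, "S"),
    ("192.0.2.10", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "192.0.2.11", 443, "S"),
    ("192.0.2.11", "10.0.0.5", 443, "R"),
    ("10.0.0.5", "192.0.2.12", 8080, "S"),
    ("192.0.2.12", "10.0.0.5", 8080, "R"),
]
for port in range(1, 61):
    SAMPLE_PACKETS.append(("10.0.0.99", "192.0.2.20", port, "S"))
    SAMPLE_PACKETS.append(("192.0.2.20", "10.0.0.99", port, "R"))


if __name__ == "__main__":
    # Assumed baseline: a benign host draws about 3 RSTs per window.
    rst_counts = count_rst_receivers(SAMPLE_PACKETS)
    for addr, p in flag_scanners(SAMPLE_PACKETS, baseline_rate=3.0).items():
        print(f"{addr}: {rst_counts[addr]} RSTs in window, p={p:.3g}")
```

With the constructed traffic, the client that met two closed ports has a tail probability of about 0.80 under the assumed baseline and is left alone, while the host that drew 60 RSTs is flagged. The baseline rate is the operational knob: on a real link it would be estimated from a learning period per window size, and alpha trades false positives against the number of RSTs a scan must draw before it is noticed.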


Intrusion Detection, Anomaly Detection, High Speed Network, Open Port, Practical Network





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Qianli Zhang, Tsinghua University, Beijing, China
  • Xing Li, Tsinghua University, Beijing, China
