Analysis of Vertical Scans Discovered by Naive Detection

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9701)

Abstract

Network scans are very common and frequent events that appear in almost every network. Generally, the scans are quite harmless. Scanning can be useful for network operators, who need to know the state of their infrastructure. Conversely, scans can also be used by attackers to gather sensitive information. This paper describes a simple detection method that was used to detect vertical scans. Our aim is to show the results of a long-term measurement on a backbone network and to show that it is possible to detect scans efficiently even with a simple method. The paper presents several interesting statistics that characterize network behavior and scanning frequency in a large high-speed national academic network.

Notes

Acknowledgments

This work was partially supported by the “CESNET E-Infrastructure” (LM2015042) and CTU grant No. SGS16/124/OHK3/1T/18, both funded by the Ministry of Education, Youth and Sports of the Czech Republic.


Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. CESNET, Prague 6, Czech Republic
  2. FIT, CTU in Prague, Prague 6, Czech Republic
