Combining of Scanning Protection Mechanisms in GIS and Corporate Information Systems

  • Igor Kotenko
  • Andrey Chechulin
  • Elena Doynikova
Part of the Lecture Notes in Geoinformation and Cartography book series (LNGC, volume 5)


This chapter proposes an approach to combine different mechanisms of network scanning protection against malefactors’ reconnaissance actions and network worms. This approach can be implemented as a part of protection mechanisms in corporate information systems, including Geographical Information Systems (GIS). The approach allows improving highly the scanning protection effectiveness due to reducing the false positive rate and increasing the detection accuracy. Particular scanning techniques are outlined. The core combining principles and architectural enhancements of the common scanning detection model are considered. An approach to automatically adjust the parameters of used mechanisms based on statistical data about network traffic is also suggested.



This research is supported by grant from the Russian Foundation of Basic Research (project № 10-01-00826-a), program of fundamental research of the Department for Nanotechnologies and Informational Technologies of the Russian Academy of Sciences (contract № 3.2) and partly funded by the EU as part of the SecFutur and MASSIF projects.


  1. Chechulin AA, Kotenko IV (2008) Investigation of Virus Throttling Defense Mechanisms against Network Worms. In: Information Security. Inside, 3:68–73 (in Russian)Google Scholar
  2. Chen S, Tang Y (2004) Slowing Down Internet Worms. In: Proceedings of the 24th International Conference on Distributed Computing SystemsGoogle Scholar
  3. Curran K, Morrissey C, Fagan C, Murphy C, O’Donnel B, Fitzpatrick G, Condit S (2005) Monitoring Hacker Activity with a Honeynet. International Journal of Network Management, 15:123–134CrossRefGoogle Scholar
  4. Jung J, Paxson V, Berger AW, Balakrishnan H (2004) Fast portscan detection using sequential hypothesis testing. In: Proceedings of the 2004 IEEE Symposium on Security and Privacy, Oakland, California, pp 211–225Google Scholar
  5. Jung J (2006) Real-Time Detection of Malicious Network Activity Using Stochastic Models. PhD Theses. MITGoogle Scholar
  6. Kotenko I (2009) Framework for Integrated Proactive Network Worm Detection and Response. In: Proceedings of the 17th Euromicro International Conference on Parallel, Distributed and network-based Processing (PDP 2009). IEEE Computer Society, 2009. pp 379–386Google Scholar
  7. Kotenko IV, Vorontsov VV, Chechulin AA, Ulanov AV (2009). Proactive security mechanisms against network worms: approach, implementation and results of experiments. Information Technologies, 1:37–42 (in Russian)Google Scholar
  8. Moore D (2002) Network Telescopes: Observing Small or Distant Security Events. In: Proceedings of the 11th USENIX Security SymposiumGoogle Scholar
  9. Moore D, Paxson V, Savage S, Shannon C, Staniford S, Weaver N (2003) Inside the Slammer Worm. IEEE Security and Privacy Magazine 1:33–39Google Scholar
  10. Moore D, Shannon C, Voelker G, Savage S (2004) Network Telescopes: Technical Report, CaidaGoogle Scholar
  11. Provos NA (2004) A virtual Honeypot Framework. In: SSYM’04 Proceedings of the 13th conference on USENIX Security Symposium, Vol.13. San Diego, CAGoogle Scholar
  12. Sanchez M (2007) Virus Throttle as basis for ProActive Defense. In: Communications in Computer and Information Science (CCIS), Vol.1, SpringerGoogle Scholar
  13. Schechter S, Jung J, Berger AW (2004) Fast Detection of Scanning Worm Infections. In: Proceedings of the Seventh International Symposium on Recent Advances in Intrusion Detection, French Riviera, FranceGoogle Scholar
  14. Twycross J, Williamson MM (2003) Implementing and testing a virus throttle. In: Proceedings of the 12th USENIX Security Symposium, Washington DC, pp 285–294Google Scholar
  15. Weaver N, Staniford S, Paxson V (2004) Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security SymposiumGoogle Scholar
  16. Whyte D, Kranakis E, Oorschot PC (2005) DNS-based Detection of Scanning Worms in an Enterprise Network. In: Proceedings of the Network and Distributed System Security SymposiumGoogle Scholar
  17. Williamson MM (2002) Throttling viruses: Restricting propagation to defeat malicious mobile code. In: Proceedings of the 18th Annual Computer Security Applications Conference 1–61. IEEE Computer Society, WashingtonGoogle Scholar
  18. Wong C, Bielski S, Studer A, Wang C. (2006) Empirical Analysis of Rate Limiting Mechanisms. In: Lecture Notes in Computer Science, Vol. 3858, Springer, 2006Google Scholar
  19. Zuev D, Moore AW (2005) Traffic Classification using a Statistical Approach. In: Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, Banff, Alberta, CanadaGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Igor Kotenko
    • 1
  • Andrey Chechulin
    • 1
  • Elena Doynikova
    • 1
  1. 1.Saint Petersburg Institute for Informatics and Automation of Russian Academy of Sciences (SPIIRAS)St. PetersburgRussia

Personalised recommendations