259
Views
5
CrossRef citations to date
0
Altmetric
Section A

Statistical cross-relation approach for detecting TCP and UDP random and sequential network scanning (SCANS)

, &
Pages 1952-1969 | Received 16 Aug 2011, Accepted 21 May 2012, Published online: 19 Jun 2012
 

Abstract

Network scanning is considered to be the first step taken by attackers trying to gain access to a targeted network. System and network administrators find it useful if they are able to identify the targets scanned by network attackers. Resources and services can be further protected by patching or installing security measures, such as a firewall, an intrusion detection system, or some alternative computer system. This paper presents a statistical ‘cross-relation’ approach for detecting network scanning and identifying its targets. Our approach is based on using TCP RST packets for detecting TCP sequential scanning and ICMP type 3 (port unreachable) packets for detecting UDP sequential scanning. TCP or UDP random scanning is confirmed when there is a ‘cross-relation’ between an ICMP type 3, code 1 (host unreachable) and the TCP RST counts per source IP address and between an ICMP type 3, code 3 (port unreachable) and an ICMP type 3, code 1 (host unreachable). We tested the proposed approach with the DARPA 1998 data set and confirmed that our method was more effective in detecting TCP and UDP scanning than the existing approaches, and it also provided better detection accuracy.

2000 AMS Subject Classification:

Reprints and Corporate Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

To request a reprint or corporate permissions for this article, please click on the relevant link below:

Academic Permissions

Please note: Selecting permissions does not provide access to the full text of the article, please see our help page How do I view content?

Obtain permissions instantly via Rightslink by clicking on the button below:

If you are unable to obtain permissions via Rightslink, please complete and submit this Permissions form. For more information, please visit our Permissions help page.