Statistical cross-relation approach for detecting TCP and UDP random and sequential network scanning (SCANS)

Abstract

Network scanning is considered to be the first step taken by attackers trying to gain access to a targeted network. System and network administrators find it useful if they are able to identify the targets scanned by network attackers. Resources and services can be further protected by patching or installing security measures, such as a firewall, an intrusion detection system, or some alternative computer system. This paper presents a statistical ‘cross-relation’ approach for detecting network scanning and identifying its targets. Our approach is based on using TCP RST packets for detecting TCP sequential scanning and ICMP type 3 (port unreachable) packets for detecting UDP sequential scanning. TCP or UDP random scanning is confirmed when there is a ‘cross-relation’ between an ICMP type 3, code 1 (host unreachable) and the TCP RST counts per source IP address and between an ICMP type 3, code 3 (port unreachable) and an ICMP type 3, code 1 (host unreachable). We tested the proposed approach with the DARPA 1998 data set and confirmed that our method was more effective in detecting TCP and UDP scanning than the existing approaches, and it also provided better detection accuracy.

Keywords:

• network scanning
• intrusion detection system
• TCP scanning
• UDP scanning

2000 AMS Subject Classification:

• 14C17