A behavior-based method for detecting distributed scan attacks in darknets

Research output: Contribution to journal › Article

9 Citations (Scopus)

Abstract

The technologies used by attackers in the Internet environment are becoming more and more sophisticated. Of the many kinds of attacks, distributed scan attacks have become one of the most serious problems. In this study, we propose a novel method based on normal behavior modes of traffic to detect distributed scan attacks in darknet environments. In our proposed method, all the possible destination TCP and UDP ports are monitored, and when a port is attacked by a distributed scan, an alert is given. Moreover, the alert can have several levels reflecting the relative scale of the attack. To accelerate learning and updating the normal behavior modes and to realize rapid detection, an index is introduced, which is proved to be very efficient. The efficiency of our proposal is verified using real darknet traffic data. Although our proposal focuses on darknets, the idea can also be applied to ordinary networks.

Original language: English
Pages (from-to): 527-538
Number of pages: 12
Journal: Journal of information processing
Volume: 21
Issue number: 3
DOI: 10.2197/ipsjjip.21.527
Publication status: Published - Jul 19 2013

Fingerprint

Internet

All Science Journal Classification (ASJC) codes

  • Computer Science (all)

Cite this

A behavior-based method for detecting distributed scan attacks in darknets. / Feng, Yaokai; Hori, Yoshiaki; Sakurai, Kouichi; Takeuchi, Jun'ichi.

In: Journal of information processing, Vol. 21, No. 3, 19.07.2013, p. 527-538.

@article{73bd0787c2884ebdbf1e3d65990e0e9e,
title = "A behavior-based method for detecting distributed scan attacks in darknets",
abstract = "The technologies used by attackers in the Internet environment are becoming more and more sophisticated. Of the many kinds of attacks, distributed scan attacks have become one of the most serious problems. In this study, we propose a novel method based on normal behavior modes of traffic to detect distributed scan attacks in darknet environments. In our proposed method, all the possible destination TCP and UDP ports are monitored, and when a port is attacked by a distributed scan, an alert is given. Moreover, the alert can have several levels reflecting the relative scale of the attack. To accelerate learning and updating the normal behavior modes and to realize rapid detection, an index is introduced, which is proved to be very efficient. The efficiency of our proposal is verified using real darknet traffic data. Although our proposal focuses on darknets, the idea can also be applied to ordinary networks.",
author = "Yaokai Feng and Yoshiaki Hori and Kouichi Sakurai and Jun'ichi Takeuchi",
year = "2013",
month = "7",
day = "19",
doi = "10.2197/ipsjjip.21.527",
language = "English",
volume = "21",
pages = "527--538",
journal = "Journal of Information Processing",
issn = "0387-6101",
publisher = "Information Processing Society of Japan",
number = "3",
}

TY - JOUR
T1 - A behavior-based method for detecting distributed scan attacks in darknets
AU - Feng, Yaokai
AU - Hori, Yoshiaki
AU - Sakurai, Kouichi
AU - Takeuchi, Jun'ichi
PY - 2013/7/19
Y1 - 2013/7/19
N2 - The technologies used by attackers in the Internet environment are becoming more and more sophisticated. Of the many kinds of attacks, distributed scan attacks have become one of the most serious problems. In this study, we propose a novel method based on normal behavior modes of traffic to detect distributed scan attacks in darknet environments. In our proposed method, all the possible destination TCP and UDP ports are monitored, and when a port is attacked by a distributed scan, an alert is given. Moreover, the alert can have several levels reflecting the relative scale of the attack. To accelerate learning and updating the normal behavior modes and to realize rapid detection, an index is introduced, which is proved to be very efficient. The efficiency of our proposal is verified using real darknet traffic data. Although our proposal focuses on darknets, the idea can also be applied to ordinary networks.
UR - http://www.scopus.com/inward/record.url?scp=84880150397&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84880150397&partnerID=8YFLogxK
U2 - 10.2197/ipsjjip.21.527
DO - 10.2197/ipsjjip.21.527
M3 - Article
AN - SCOPUS:84880150397
VL - 21
SP - 527
EP - 538
JO - Journal of Information Processing
JF - Journal of Information Processing
SN - 0387-6101
IS - 3
ER -