IP networks are constantly targeted by new denial-of-service techniques (SYN flooding, port scanning, UDP flooding, etc.), causing service disruption and considerable financial damage. Detecting DoS attacks on-line in today's high-bit-rate IP traffic is a major challenge. In this paper we propose an on-line algorithm for port scan detection. It consists of two complementary parts. First, a probabilistic counting part estimates the number of distinct destination ports by adapting a method called 'sliding HyperLogLog' to the context of port scans in IP traffic. Second, a decision mechanism is applied to the estimated number of destination ports in order to detect, in real time, any behavior that could indicate malicious traffic. This second part is mainly based on the exponentially weighted moving average (EWMA) algorithm, which we adapted to on-line analysis by adding a learning step (assumed to be free of attacks) and by improving its update mechanism. The resulting port scan detection method is tested against real IP traffic containing some attacks. It detects all the port scan attacks within a very short response time (about 30 s) and without any false positives. The algorithm uses a very small total memory of less than 22 kb and estimates the number of destination ports with very good accuracy (a relative error of about 3.25%), in agreement with the theoretical bounds provided by the sliding HyperLogLog algorithm.
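As an added illustration (not code from the paper), the two parts described above in miniature: a sliding-window HyperLogLog that estimates distinct destination ports over the last 30 s, and an EWMA detector with an attack-free learning step. Register count, window length, thresholds, the rule that an alarm does not update the baseline, and the constructed traffic are all our assumptions, not values from the paper.

```python
import hashlib, math, random

class SlidingHLL:
    """Sliding-window HyperLogLog: each register keeps the (timestamp, rank) pairs that
    can still be its maximum in a future window, so estimates cover only the last `window` s."""
    def __init__(self, b=8, window=30.0):
        self.b, self.m, self.window = b, 1 << b, window
        self.alpha = 0.7213 / (1 + 1.079 / self.m)
        self.lfpm = [[] for _ in range(self.m)]      # per-register list of future possible maxima
    def add(self, item, t):                          # items must arrive in timestamp order
        h = int.from_bytes(hashlib.blake2b(item.encode(), digest_size=8).digest(), "big")
        j, w = h & (self.m - 1), h >> self.b
        rank = 64 - self.b - w.bit_length() + 1      # leading zeros of w, plus one
        # older pairs whose rank <= the new rank can never be the maximum again: drop them
        self.lfpm[j] = [(ti, ri) for ti, ri in self.lfpm[j] if ri > rank] + [(t, rank)]
    def estimate(self, t):
        M = [max((r for ti, r in reg if ti > t - self.window), default=0) for reg in self.lfpm]
        E = self.alpha * self.m ** 2 / sum(2.0 ** -r for r in M)
        V = M.count(0)                               # HLL small-range (linear counting) correction
        return self.m * math.log(self.m / V) if V and E <= 2.5 * self.m else E

class EwmaDetector:
    """EWMA over the estimated distinct-port count. The first `learn` samples are assumed
    attack-free and fit the baseline; a sample above mu + k*sigma raises an alarm and
    (our assumption for the 'improved update') leaves the baseline untouched."""
    def __init__(self, learn=10, lam=0.2, k=3.0):
        self.learn, self.lam, self.k, self.hist, self.mu, self.var = learn, lam, k, [], None, None
    def observe(self, x):
        if self.mu is None:                          # learning step
            self.hist.append(x)
            if len(self.hist) == self.learn:
                self.mu = sum(self.hist) / self.learn
                self.var = sum((s - self.mu) ** 2 for s in self.hist) / self.learn
            return False
        sigma = max(math.sqrt(self.var), 0.1 * self.mu)   # floor absorbs HLL estimation error
        if x > self.mu + self.k * sigma:
            return True
        self.var = (1 - self.lam) * self.var + self.lam * (x - self.mu) ** 2
        self.mu = (1 - self.lam) * self.mu + self.lam * x
        return False

def simulate(seed=7, attack_at=60, scan_ports=500, duration=90):
    """Constructed traffic: 8 random ports out of 40 each second toward one host, plus a
    one-second burst of `scan_ports` distinct ports at `attack_at`. Returns alarm times."""
    rng, hll, det, alarms = random.Random(seed), SlidingHLL(window=30.0), EwmaDetector(), []
    for t in range(1, duration + 1):
        ports = rng.sample(range(1, 41), 8) + (list(range(1000, 1000 + scan_ports)) if t == attack_at else [])
        for p in ports:
            hll.add(f"10.0.0.1:{p}", float(t))        # counted key: target host + destination port
        if t >= 30 and det.observe(hll.estimate(float(t))):   # start once a full window exists
            alarms.append(t)
    return alarms
```

Running `simulate()` raises the first alarm in the very second the burst arrives and keeps alarming only until the scanned ports age out of the 30 s window.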