Title
Statistical cross-relation approach for detecting TCP and UDP random and sequential network scanning (SCANS)
Abstract
Network scanning is considered to be the first step taken by attackers trying to gain access to a targeted network. System and network administrators find it useful if they are able to identify the targets scanned by network attackers. Resources and services can be further protected by patching or installing security measures, such as a firewall, an intrusion detection system, or some alternative computer system. This paper presents a statistical ‘cross-relation’ approach for detecting network scanning and identifying its targets. Our approach is based on using TCP RST packets for detecting TCP sequential scanning and ICMP type 3 port unreachable packets for detecting UDP sequential scanning. TCP or UDP random scanning is confirmed when there is a ‘cross-relation’ between an ICMP type 3, code 1 host unreachable and the TCP RST counts per source IP address and between an ICMP type 3, code 3 port unreachable and an ICMP type 3, code 1 host unreachable. We tested the proposed approach with the DARPA 1998 data set and confirmed that our method was more effective in detecting TCP and UDP scanning than the existing approaches, and it also provided better detection accuracy.
Year: 2012
DOI: 10.1080/00207160.2012.696621
Venue: Int. J. Comput. Math.
Keywords: network attacker, port unreachable packet, port unreachable, tcp rst packet, icmp type, network administrator, sequential network, targeted network, tcp sequential, host unreachable, statistical cross-relation approach, tcp rst, intrusion detection system
Field: IP address, Firewall (construction), Network packet, Computer network, Installation, Internet Control Message Protocol, Intrusion detection system, Mathematics, TCP sequence prediction attack
DocType
Journal
Volume: 89
Issue: 15
ISSN: 0020-7160
Citations: 1
PageRank: 0.36
References: 9
Authors
3
Name
Order
Citations
PageRank
Mohammed Anbar1169.05
Ahmed M. Manasrah294.36
Selvakumar Manickam38512.75