摘要
Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD(port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.
Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD(port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.
基金
ProjectsupportedbytheNationalHigh TechnologyResearchandDevelopmentProgramofChina(GrantNo .2 0 0 2AA14 5 0 90 )
