2 articles found
An Adaptive Algorithm to Detect Port Scans
1
Authors: 单蓉胜, 李小勇, 李建华. Journal of Shanghai University (English Edition), CAS, 2004, Issue 3, pp. 328-332 (5 pages)
Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD (port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.
Keywords: port scan; anomaly detection; TCP/IP; network security
Countering DNS Amplification Attacks Based on Analysis of Outgoing Traffic
2
Authors: Evgeny Sagatov, Samara Mayhoub, Andrei Sukhov, Prasad Calyam. Journal of Communications and Information Networks, EI, CSCD, 2023, Issue 2, pp. 111-121 (11 pages)
Domain name system (DNS) amplification distributed denial of service (DDoS) attacks are one of the popular types of intrusions that involve accessing DNS servers on behalf of the victim. In this case, the size of the response is many times greater than the size of the request, in which the source of the request is substituted for the address of the victim. This paper presents an original method for countering DNS amplification DDoS attacks. The novelty of our approach lies in the analysis of outgoing traffic from the victim’s server. DNS servers used for amplification attacks are easily detected in Internet control message protocol (ICMP) packet headers (type 3, code 3) in outgoing traffic. ICMP packets of this type are generated when accessing closed user datagram protocol (UDP) ports of the victim, which are randomly assigned by the Saddam attack tool. To prevent such attacks, we used a Linux utility and a software-defined network (SDN) module that we previously developed to protect against port scanning. The Linux utility showed the highest efficiency of 99.8%, i.e., only two attack packets out of a thousand reached the victim server.
Keywords: DNS amplification attacks; outgoing traffic analysis; port scanning attack; network intrusion; qualification attributes