Fast Portscan Detection Using Sequential Hypothesis Testing

Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan

MIT Computer Science and Artificial Intelligence Laboratory, Cambridge, MA USA
{jyjung, awberger, hari}@csail.mit.edu

ICSI Center for Internet Research and Lawrence Berkeley National Laboratory, Berkeley, CA USA
[email protected]

Abstract

Attackers routinely perform random "portscans" of IP addresses to find vulnerable servers to compromise. Network Intrusion Detection Systems (NIDS) attempt to detect such behavior and flag these portscanners as malicious. An important need in such systems is prompt response: the sooner a NIDS detects malice, the lower the resulting damage. At the same time, a NIDS should not falsely implicate benign remote hosts as malicious. Balancing the goals of promptness and accuracy in detecting malicious scanners is a delicate and difficult task.

We develop a connection between this problem and the theory of sequential hypothesis testing and show that one can model accesses to local IP addresses as a random walk on one of two stochastic processes, corresponding respectively to the access patterns of benign remote hosts and malicious ones. The detection problem then becomes one of observing a particular trajectory and inferring from it the most likely classification for the remote host. We use this insight to develop TRW (Threshold Random Walk), an online detection algorithm that identifies malicious remote hosts. Using an analysis of traces from two qualitatively different sites, we show that TRW requires a much smaller number of connection attempts (4 or 5 in practice) to detect malicious activity compared to previous schemes, while also providing theoretical bounds on the low (and configurable) probabilities of missed detection and false alarms. In summary, TRW performs significantly faster and also more accurately than other current solutions.

1. Introduction

Many Internet attacks seen today begin with a reconnaissance phase in which the attacker probes a set of addresses at a site looking for vulnerable servers. In principle, this pattern of port scanning manifests quite differently from legitimate remote access to the site, and thus holds promise for providing a means by which a network intrusion detection system (NIDS) can identify an attacker at a stage early enough to allow for some form of protective response to mitigate or fully prevent damage.

A number of difficulties arise, however, when we attempt to formulate an effective algorithm for detecting port scanning. The first is that there is no crisp definition of the activity. For example, clearly an attempted HTTP connection to the site's main Web server is okay, while a sweep through the entire address space looking for HTTP servers is not okay (though see below). But what about connections to a few addresses, some of which succeed and some of which fail?...
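The abstract describes TRW as a random walk driven by sequential hypothesis testing: each first-contact connection attempt from a remote host moves a per-host likelihood ratio up (on failure) or down (on success) until it crosses one of two thresholds. The following is an added, self-contained illustration of that mechanism in the standard sequential probability ratio test (Wald) form; it is not the authors' code, and the success probabilities for benign and scanning hosts (THETA_0, THETA_1), the error targets (ALPHA, BETA), the log format and the log lines themselves are all assumptions constructed for the example, not values taken from the paper.

```python
"""Threshold Random Walk (TRW) style scan detection, illustrative implementation.

Hypotheses per remote host:
  H0: benign  - a first-contact connection succeeds with probability THETA_0
  H1: scanner - a first-contact connection succeeds with probability THETA_1
Each distinct (remote, local address) first contact is one observation; its
outcome (success/failure) adds the log-likelihood ratio of H1 against H0.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumed model parameters (illustrative choices, not the paper's figures).
THETA_0 = 0.8   # P(success | benign host)
THETA_1 = 0.2   # P(success | scanner)
ALPHA = 0.01    # acceptable probability of flagging a benign host (false alarm)
BETA = 0.99     # desired probability of flagging a real scanner (detection)

# Wald SPRT decision thresholds on the likelihood ratio, kept in log space.
LOG_ETA_1 = math.log(BETA / ALPHA)                # cross upward  -> "scanner"
LOG_ETA_0 = math.log((1 - BETA) / (1 - ALPHA))    # cross downward -> "benign"

# Per-observation log-likelihood-ratio increments.
LLR_SUCCESS = math.log(THETA_1 / THETA_0)                  # negative step
LLR_FAILURE = math.log((1 - THETA_1) / (1 - THETA_0))      # positive step


@dataclass
class RemoteHost:
    llr: float = 0.0                          # current position of the random walk
    contacted: Set[str] = field(default_factory=set)  # local addresses already seen
    steps: int = 0                            # first-contact observations consumed
    verdict: Optional[str] = None             # "scanner", "benign" or None (undecided)


class TRWDetector:
    def __init__(self) -> None:
        self.hosts: Dict[str, RemoteHost] = {}

    def observe(self, src: str, dst: str, success: bool) -> Optional[str]:
        """Feed one connection attempt; return the verdict once one is reached."""
        host = self.hosts.setdefault(src, RemoteHost())
        if host.verdict is not None:
            return host.verdict            # decision already made for this host
        if dst in host.contacted:
            return None                    # not a first contact: carries no evidence
        host.contacted.add(dst)
        host.steps += 1
        host.llr += LLR_SUCCESS if success else LLR_FAILURE
        if host.llr >= LOG_ETA_1:
            host.verdict = "scanner"
        elif host.llr <= LOG_ETA_0:
            host.verdict = "benign"
        return host.verdict


# Constructed sample log (assumed format: "<remote> <local> <port> ok|fail").
# 198.51.100.7 sweeps four distinct local addresses and fails each time.
# 203.0.113.9 is a normal client; its second line repeats a local address
# on another port and so must not count as new evidence.
# 192.0.2.200 alternates outcomes and should remain undecided.
SAMPLE_LOG = """\
198.51.100.7 10.0.0.1 22 fail
198.51.100.7 10.0.0.2 22 fail
198.51.100.7 10.0.0.3 22 fail
198.51.100.7 10.0.0.4 22 fail
203.0.113.9 10.0.0.10 80 ok
203.0.113.9 10.0.0.10 443 ok
203.0.113.9 10.0.0.11 80 ok
203.0.113.9 10.0.0.12 80 ok
203.0.113.9 10.0.0.13 80 ok
192.0.2.200 10.0.0.20 80 fail
192.0.2.200 10.0.0.21 80 ok
192.0.2.200 10.0.0.22 80 fail
192.0.2.200 10.0.0.23 80 ok
"""


def run_trw(log_text: str) -> Dict[str, Tuple[Optional[str], int]]:
    """Replay a log through the detector; map remote host -> (verdict, first contacts used)."""
    det = TRWDetector()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, _port, outcome = line.split()
        det.observe(src, dst, outcome == "ok")
    return {src: (h.verdict, h.steps) for src, h in det.hosts.items()}


if __name__ == "__main__":
    for src, (verdict, steps) in run_trw(SAMPLE_LOG).items():
        print(f"{src:14s} verdict={verdict!s:8s} after {steps} first contacts")
```

With these parameters each failed first contact adds ln(4) to the walk and the scanner threshold sits at ln(99), so four consecutive failures are enough to cross it, which is why the sweeping host is flagged after exactly four distinct targets; symmetrically four successes settle a host as benign, and a host whose outcomes alternate drifts around zero and stays undecided. Lowering ALPHA or raising BETA moves the thresholds outward and costs more observations per decision, which is the promptness-versus-accuracy trade-off the abstract refers to.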