Title :
Automated Classification of Port-Scans from Distributed Sensors
Author :
Kikuchi, Hiroaki ; Fukuno, Naoya ; Kobori, Tomohiro ; Terada, Masato ; Pikulkaew, Tangtisanon
Author_Institution :
Tokai Univ., Tokai
Abstract :
Computer worms perform random port-scans over the Internet to find vulnerable hosts to intrude. Malicious software varies its port-scan strategy: some hosts scan a particular target intensively, while others scan uniformly across IP address blocks. In this paper, we propose a new automated worm classification scheme based on distributed observations. The proposed scheme captures statistics of worm behavior with a simple decision tree whose nodes classify source addresses using optimal threshold values. The thresholds are chosen automatically so as to minimize the entropy of the resulting classification. Once a tree is constructed, classification can be performed very quickly and accurately. We analyze a set of source addresses observed over one year by the 30 distributed sensors of ISDAS in order to clarify the primary statistics of worms. Based on these statistical characteristics, we present the proposed classification scheme and show its performance.
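The abstract describes a decision tree whose node thresholds are chosen to minimize classification entropy. The following is an added illustration, not code from the paper: it builds one such node from constructed sensor observations. The feature used (number of distinct sensors that observed a source address), the "targeted" / "uniform" labels, the sample addresses, and the midpoint candidate-threshold rule are all assumptions made for the demonstration; the paper's actual features, thresholds and data are not reproduced here.

```python
"""Entropy-minimising threshold selection for one decision-tree node.

Added example, not the paper's code. The feature (distinct sensors hit per
source), the labels and the observations below are constructed assumptions.
"""
from collections import Counter
from math import log2


def entropy(labels):
    """Shannon entropy in bits of a multiset of class labels."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def split_entropy(samples, threshold):
    """Size-weighted entropy of the partitions feature <= t and feature > t."""
    left = [lab for f, lab in samples if f <= threshold]
    right = [lab for f, lab in samples if f > threshold]
    n = len(samples)
    return (len(left) / n) * entropy(left) + (len(right) / n) * entropy(right)


def best_threshold(samples):
    """Return (threshold, weighted entropy) minimising the split entropy.

    Candidates are midpoints between consecutive distinct feature values, the
    usual choice for a numeric split (an assumption, not the paper's rule)."""
    values = sorted({f for f, _ in samples})
    candidates = [(a + b) / 2 for a, b in zip(values, values[1:])]
    best = min(candidates, key=lambda t: split_entropy(samples, t))
    return best, split_entropy(samples, best)


def sensors_hit(observations):
    """Per-source count of distinct sensors that saw it; input is (sensor, src)."""
    seen = {}
    for sensor, src in observations:
        seen.setdefault(src, set()).add(sensor)
    return {src: len(s) for src, s in seen.items()}


def _hits(src, sensor_ids, repeat=1):
    """Constructed observations: `src` seen `repeat` times on each listed sensor."""
    return [(f"s{i:02d}", src) for i in sensor_ids for _ in range(repeat)]


# Constructed sensor log: (sensor_id, source_ip) pairs from a 30-sensor deployment.
OBSERVATIONS = (
    _hits("198.51.100.7", [1], repeat=40)       # hammers one sensor: targeted
    + _hits("198.51.100.8", [1, 2], repeat=15)  # two sensors, many probes: targeted
    + _hits("192.0.2.44", [1, 2, 3], repeat=8)  # three sensors: targeted
    + _hits("203.0.113.5", range(1, 13))        # 12 of 30 sensors: uniform sweep
    + _hits("203.0.113.9", range(3, 21))        # 18 sensors: uniform sweep
    + _hits("192.0.2.77", range(5, 15))         # 10 sensors: uniform sweep
)

# Constructed ground-truth labels used to fit the node.
LABELS = {
    "198.51.100.7": "targeted",
    "198.51.100.8": "targeted",
    "192.0.2.44": "targeted",
    "203.0.113.5": "uniform",
    "203.0.113.9": "uniform",
    "192.0.2.77": "uniform",
}


def train_samples():
    """(feature, label) pairs: feature = distinct sensors that saw the source."""
    counts = sensors_hit(OBSERVATIONS)
    return [(counts[src], LABELS[src]) for src in sorted(LABELS)]


def fit_node(samples):
    """Fit one tree node: threshold plus the majority label on each side."""
    t, h = best_threshold(samples)
    le = Counter(lab for f, lab in samples if f <= t).most_common(1)[0][0]
    gt = Counter(lab for f, lab in samples if f > t).most_common(1)[0][0]
    return {"threshold": t, "entropy": h, "le": le, "gt": gt}


def classify(node, feature):
    """Classify a new source address by its sensor count through the fitted node."""
    return node["le"] if feature <= node["threshold"] else node["gt"]


if __name__ == "__main__":
    node = fit_node(train_samples())
    print(node)                      # threshold 6.5 separates the constructed classes
    print(classify(node, 25))        # "uniform"
    print(classify(node, 2))         # "targeted"
```

With the constructed data the split at 6.5 distinct sensors separates the two behaviours with zero residual entropy; on real sensor data several features (probe count per sensor, port diversity, inter-arrival time) would each get a node of this form, and the per-node entropy reported by `fit_node` is what tells you which feature to split on first.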
Keywords :
decision trees; distributed sensors; invasive software; IP address blocks; Internet; automated worm classification scheme; computer worms; distributed sensors; malicious software; port-scan automated classification; port-scan strategy; statistical characteristics; Classification tree analysis; Computer worms; Decision trees; Internet; Intrusion detection; Machine learning; Monitoring; Sensor phenomena and characterization; Space technology; Statistical distributions; classification; port-scan; sensor;
Conference_Titel :
Advanced Information Networking and Applications, 2008. AINA 2008. 22nd International Conference on
Conference_Location :
Okinawa
Print_ISBN :
978-0-7695-3095-6
DOI :
10.1109/AINA.2008.73