Title :
An access-context based method to detect network scanning event in LAN
Author :
Wu, Di ; Yin, Ying ; Chen, Xiao-Hua ; Bu, Ning
Author_Institution :
State Key Lab. of Inf. Security, Inst. of Software Chinese Acad. of Sci., Beijing, China
Abstract :
Usually there are leading DNS resolution operations in normal network access scenarios and at the same time the relative connection success ratio is very high; but there is no leading DNS resolution operation in network scanning scenarios and the relative connection success ratio is very low. For convenience in this paper we named the network access connection attempt without leading DNS resolution operation as Suspicious Network Access (SNA). A network scanning detection approach is proposed in this paper by the analysis of SNAs´ response ratio and the randomness of their target IP addresses for each host in LAN. Since the proposed approach only takes the SNAs into account and the interference from normal network access can be decreased effectively, it can detect network scanning attacks with high accuracy and efficiency. The experiment results in simulation network scenario showed that the proposed approach support the detection of TCP-SYN and ICMP type network scanning attacks and also support the detection of stealth network scanning attacks as well.
Keywords :
local area networks; security of data; LAN; detect network scanning event; intrusion detection; network monitoring; network security; suspicious network access; Cybernetics; Event detection; Local area networks; Machine learning; Network security; intrusion detection; network monitoring; network scanning;
Conference_Titel :
Machine Learning and Cybernetics, 2009 International Conference on
Conference_Location :
Baoding
Print_ISBN :
978-1-4244-3702-3
Electronic_ISBN :
978-1-4244-3703-0
DOI :
10.1109/ICMLC.2009.5212650
