A proposal of port scan detection method based on Packet-In Messages in OpenFlow networks and its evaluation

Abstract

By quickly detecting a port scan and blocking the culprit host from the network, it is possible to minimize the spread of the damage by infected hosts and malicious users. In the past, various Software-Defined Networking (SDN)-based methods have been proposed, whose main advantage is the lower overhead compared to traditional methods that collect and analyze all captured traffic. On the other hand, due to the polling process used in these methods, it is necessary to set a short interval (e.g., few seconds) to keep the attacks' detection as short as possible. However, when the attack frequency is very low compared to normal traffic, there is an unnecessary overhead. In this paper, we propose a port scan detection method that considers the characteristics of Packet-In messages sent from the OpenFlow (OF) switch to the controller. This allows a prompt detection and with less overhead than conventional polling methods. The evaluation was conducted using both simulated and real traffic data. Results confirm that the proposed method can detect port scans with lower overhead than existing methods.