A practical approach to portscan detection in very high-speed links

Abstract

Port scans are continuously used by both worms and human attackers to probe for vulnerabilities in Internet-facing systems. In this paper, we present a new method to efficiently detect TCP port scans in very high-speed links. The main idea behind our approach is to discard, as early as possible, those handshake packets that are not strictly needed to reliably detect port scans. We show that with just a couple of Bloom filters to track active servers and TCP handshakes we can easily discard about 85% of all handshake packets with negligible loss in accuracy. This significantly reduces both the memory requirements and the CPU cost per packet. We evaluated our algorithm using packet traces and live traffic from 1 and 10 GigE academic networks. Our results show that our method requires less than 1 MB to accurately monitor a 10 Gb/s link, which fits comfortably in the cache memory of today's general-purpose processors. © 2011 Springer-Verlag.

Mikians, J., Barlet-Ros, P., Sanjuàs-Cuxart, J., & Solé-Pareta, J. (2011). A practical approach to portscan detection in very high-speed links. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6579 LNCS, pp. 112–121). https://doi.org/10.1007/978-3-642-19260-9_12
