ICT SB RAS Conferences



MIT-2009,
International Conference "Mathematical and Informational Technologies"
(VIII Conference "Computational and Informational Technologies for Science, Engineering and Education")

Kopaonik (Serbia), August 27 - 31, 2009;
Budva (Montenegro), August 31 - September 5, 2009

Abstracts


Network Scan Detection Statistical Algorithms

Bredikhin S., Scherbakova N.

Institute of Computational Mathematics and Mathematical Geophysics SB RAS (Novosibirsk)

The term network scanner denotes a program that searches for unprotected IP addresses and/or TCP/UDP ports. The following questions must be addressed when developing algorithms for detecting network scanners. First, one needs to distinguish a legitimate active program from a scanner. Second, one needs to determine the granularity of the scanned objects: for example, a set of ports on a single local address, or a single port across a set of adjacent addresses. Third, one needs to choose the maximum time for tracking an active program, after which the algorithm must decide whether the program is a scanner. Finally, one also needs to define which types of scanning are to be considered hostile.

An implementation of such an algorithm has to process a large volume of input data in real time, because detecting scanners is a task of quick traffic analysis rather than of precise accounting. One therefore needs to take into account the specificity of the gathered data: it is valid for a fixed and usually very short time, and results are usually updated faster than they are read or used. The information about detected scanners (or rather the IP addresses of hosts that run scanners) is used mostly by network administrators, since it is their job to alter and tune the network.

All scan detection algorithms can be divided into two groups. The first group uses the metric "N suspicious events within a time interval T" (the base method); the second group uses the mathematical methods of statistics and probability theory. The base method has drawbacks. The threshold is hard to choose, yet it determines both the number of erroneously flagged addresses and the number of undetected scanners. Some scanners vary their scanning intervals, or their activity occurs at a very slow rate; such behavior cannot be detected with N/T metrics. Thus methods from the second group should be considered.

It is worth noting that scan detection programs require some knowledge of the active devices on the network that are legitimate senders and receivers of data, for example DNS, proxy and web servers. This knowledge improves the performance of scan detection programs and reduces the number of false positives.
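The following is an added example, not code from the abstract or its authors. It illustrates two points above: the base "N events within T seconds" method and why a slow scanner evades it, and how an allowlist of known legitimate high-fan-out devices (here a DNS server) removes a false positive. The failure-ratio detector is one simple rate-independent statistic chosen for illustration; it is an assumption of this example, not the statistical method the abstract proposes. The log format (timestamp, source, destination, port, outcome), all IP addresses and the KNOWN_SERVERS set are constructed for the example.

```python
"""Scan detection over a constructed connection log (added example).

Assumed record format: (timestamp_seconds, src_ip, dst_ip, dst_port, outcome),
where outcome is "ok" for a completed TCP handshake and "fail" for RST/timeout.
"""
from collections import defaultdict, deque

# Constructed sample log: a fast scanner, a slow scanner, a legitimate DNS
# server with high fan-out, and a normal client with one failed connection.
LOG = []
for i in range(20):   # fast scanner: 20 ports on one host within 2 seconds
    LOG.append((100 + i * 0.1, "10.0.0.5", "10.0.1.10", 1 + i, "fail"))
for i in range(20):   # slow scanner: port 22 on adjacent hosts, one per minute
    LOG.append((200 + i * 60, "10.0.0.6", f"10.0.1.{20 + i}", 22, "fail"))
for i in range(30):   # DNS server answering many clients quickly (legitimate)
    LOG.append((300 + i * 0.05, "10.0.0.53", f"10.0.1.{100 + i}", 53, "ok"))
for i in range(10):   # normal client talking to one web server
    LOG.append((400 + i * 5, "10.0.0.7", "10.0.1.10", 80, "ok"))
LOG.append((450, "10.0.0.7", "10.0.1.10", 8080, "fail"))
LOG.sort()

# Assumed allowlist of known legitimate senders/receivers (DNS, proxy, web).
KNOWN_SERVERS = frozenset({"10.0.0.53"})


def base_nt_detector(log, n, t, allowlist=frozenset()):
    """Base method: flag a source that touches >= n distinct (host, port)
    targets within any sliding window of t seconds."""
    windows = defaultdict(deque)   # src -> deque of (timestamp, target)
    flagged = set()
    for ts, src, dst, port, _ in log:
        if src in allowlist:
            continue
        w = windows[src]
        w.append((ts, (dst, port)))
        while w and ts - w[0][0] > t:      # drop events older than the window
            w.popleft()
        if len({tgt for _, tgt in w}) >= n:
            flagged.add(src)
    return flagged


def failure_ratio_detector(log, min_attempts, max_ratio, allowlist=frozenset()):
    """Rate-independent statistic: once a source has tried at least
    min_attempts distinct targets, flag it if the share of failed attempts
    exceeds max_ratio. Timing plays no role, so slow scans are not missed."""
    attempts = defaultdict(dict)   # src -> {(dst, port): first outcome}
    flagged = set()
    for _, src, dst, port, outcome in log:
        if src in allowlist:
            continue
        a = attempts[src]
        a.setdefault((dst, port), outcome)
        if len(a) >= min_attempts:
            fails = sum(1 for o in a.values() if o == "fail")
            if fails / len(a) > max_ratio:
                flagged.add(src)
    return flagged


if __name__ == "__main__":
    print("N/T, no allowlist:  ", sorted(base_nt_detector(LOG, 10, 5)))
    print("N/T, with allowlist:", sorted(base_nt_detector(LOG, 10, 5, KNOWN_SERVERS)))
    print("failure ratio:      ", sorted(failure_ratio_detector(LOG, 8, 0.5, KNOWN_SERVERS)))
```

With N=10 and T=5 s the base method flags the fast scanner but also the DNS server (a false positive removed by the allowlist), and it never sees the slow scanner, whose window never holds more than one event. The failure-ratio statistic catches both scanners regardless of their rate while leaving the DNS server and the normal client alone; the minimum-attempts floor is what keeps a single failed connection from a legitimate client from being flagged.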

Note. Abstracts are published as submitted by the authors.




© 1996-2000, Institute of Computational Technologies SB RAS, Novosibirsk
© 1996-2000, Siberian Branch of the Russian Academy of Sciences, Novosibirsk