Port scanning is used by attackers to map the characteristics of a network before launching further attacks, so detecting port scans is of paramount importance. This paper investigates the effectiveness of using counts of various TCP control packets to detect TCP SYN scanning on a single machine. The behavioural characteristics of the TCP control packets are aggregated, and a neural network is trained to capture this behaviour for both normal and port-scan traffic. The investigation shows that the counts of TCP SYN, SYN-ACK and FIN packets follow definite patterns for legitimate connections; a deviation from these patterns is used to detect TCP SYN scanning effectively without maintaining state information.
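The idea in the abstract, as an added example that is not the paper's own code: aggregate SYN, SYN-ACK and FIN counts per time window (counters only, no connection table) and flag windows whose counts deviate from the handshake/teardown pattern of legitimate traffic. The paper trains a neural network on these counts; the fixed-threshold scoring rule below is an assumed stand-in for that classifier, and the packet records, window length, `min_syn` floor and `threshold` value are constructed for illustration. A full legitimate connection contributes one SYN, one SYN-ACK and two FINs; a SYN scan contributes many SYNs, few SYN-ACKs (open ports only) and no FINs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float      # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: str    # tcpdump-style letters: S=SYN, A=ACK, F=FIN, R=RST


def classify(flags):
    """Map a packet's flag string to the control-packet class we count."""
    if "S" in flags and "A" not in flags:
        return "syn"
    if "S" in flags and "A" in flags:
        return "synack"
    if "F" in flags:
        return "fin"
    return None  # plain ACK / RST packets are not counted by this detector


def window_counts(pkts, window):
    """Per-window SYN / SYN-ACK / FIN counts. Only counters are kept:
    there is no per-connection state table to fill or exhaust."""
    buckets = defaultdict(lambda: {"syn": 0, "synack": 0, "fin": 0})
    for p in pkts:
        c = classify(p.flags)
        if c is not None:
            buckets[int(p.t // window)][c] += 1
    return dict(buckets)


def score_window(cnt):
    """Deviation from the legitimate pattern (assumed stand-in for the
    paper's neural network). For normal traffic every SYN is matched by one
    SYN-ACK and two FINs (one per direction), so both fractions stay near 0;
    a SYN scan pushes them toward 1."""
    syn = cnt["syn"]
    if syn == 0:
        return 0.0
    unanswered = (syn - cnt["synack"]) / syn
    unclosed = (syn - cnt["fin"] / 2) / syn
    return max(0.0, unanswered, unclosed)


def detect(pkts, window=10.0, min_syn=10, threshold=0.5):
    """Return one report per window; alert only when the SYN volume is large
    enough that a few timed-out or still-open connections cannot explain it."""
    reports = []
    for idx, cnt in sorted(window_counts(pkts, window).items()):
        s = score_window(cnt)
        reports.append({"start": idx * window, **cnt,
                        "score": round(s, 3),
                        "alert": cnt["syn"] >= min_syn and s >= threshold})
    return reports


def handshake_and_close(t, client, server, sport, dport):
    """Constructed legitimate connection: 3-way handshake, then graceful close."""
    return [Pkt(t, client, server, dport, "S"),
            Pkt(t + 0.01, server, client, sport, "SA"),
            Pkt(t + 0.02, client, server, dport, "A"),
            Pkt(t + 0.5, client, server, dport, "FA"),
            Pkt(t + 0.51, server, client, sport, "FA")]


def syn_scan(t, scanner, target, ports, open_ports):
    """Constructed half-open scan: closed ports answer RST-ACK, open ports
    answer SYN-ACK and the scanner tears down with RST instead of FIN."""
    pkts = []
    for i, port in enumerate(ports):
        ts = t + i * 0.01
        pkts.append(Pkt(ts, scanner, target, port, "S"))
        if port in open_ports:
            pkts.append(Pkt(ts + 0.001, target, scanner, 40000 + i, "SA"))
            pkts.append(Pkt(ts + 0.002, scanner, target, port, "R"))
        else:
            pkts.append(Pkt(ts + 0.001, target, scanner, 40000 + i, "RA"))
    return pkts


# Constructed capture: three normal connections, one lone unanswered SYN,
# then a 20-port SYN scan with two open ports.
SAMPLE = (handshake_and_close(1.0, "10.0.0.5", "10.0.0.1", 50001, 80)
          + handshake_and_close(3.0, "10.0.0.6", "10.0.0.1", 50002, 443)
          + handshake_and_close(5.0, "10.0.0.5", "10.0.0.1", 50003, 22)
          + [Pkt(12.0, "10.0.0.7", "10.0.0.1", 8080, "S")]
          + syn_scan(20.0, "10.0.0.9", "10.0.0.1", range(21, 41), {22, 25}))

if __name__ == "__main__":
    for r in detect(SAMPLE):
        print(r)
```

The `min_syn` floor is the caveat a practitioner needs: a single timed-out connection or a long-lived session that has not yet closed gives a window score of 1.0 on its own, so the deviation is only meaningful once the SYN count is well above what a handful of ordinary failures produce. Because only three counters per window are stored, the detector itself cannot be exhausted by the flood it is looking for.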