A Comparative Evaluation of Anomaly Detectors under Portscan Attacks

Ashfaq, Ayesha Binte; Robert, Maria Joseph; Mumtaz, Asad; Ali, Muhammad; Sajjad, Ali; Khayam, Syed Ali

doi:10.1007/978-3-540-87403-4_19

Cited by 25 publications

(22 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As such, so has the prevalence of port scanning, a method many of these systems employ to ascertain their next victims [6]. Due to this increase, and the direct correlation with network attacks [4], many detection mechanisms have been developed.…”

Section: A Port Scansmentioning

confidence: 99%

“…As the growth of these malware attacks continues (136% alone between 2007 and 2008 [5]), so does the prevalence of port scans. To this end much work has been done towards the detection of such activity, with varying degrees of success and application [6]- [9]. The port scan is a well understood network activity, as such allows us to validate the success of our GP in creating network traffic.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Evolving TCP/IP packets: A case study of port scans

LaRoche

Zincir-Heywood

Heywood

2009

2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications

View full text Add to dashboard Cite

In this work, we investigate the ability of genetic programming techniques to evolve valid network packets, including all relevant header values, towards a specific goal. We see this as a first step in building a fuzzing system that can learn to adapt for vulnerability analysis. By developing a system that learns the packets that are required to be transmitted towards targets, using feedback from an external network source, we make a step towards having a system that can intelligently explore the capabilities of a given security system. In order to validate our system's capabilities we evolve a variety of port scan patterns while running the packets through an IDS, with the goal to minimizes the alarms raised during the scanning process. Results show that the system not only successfully evolves valid TCP packets, but also remains stealthy in its activity.

show abstract

Section: A Port Scansmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Evolving TCP/IP packets: A case study of port scans

LaRoche

Zincir-Heywood

Heywood

2009

2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications

View full text Add to dashboard Cite

show abstract

“…Many methods have been developed for network intrusion detection, such as machine learning, data mining, neural networks, statistical methodology, wavelet analysis, etc. [7,[12][13][14][15][16]. Though intrusion detection systems (IDSs) are not developed for forensic analysis, investigators have recognized that IDSs are an important evidence source for network forensics because it is probably the most likely candidate to provide first-hand information about security violations in the network [6].…”

Section: Intrusion Detection Systems and Some Novel Attacksmentioning

confidence: 99%

“…Malware, botnets, spam, phishing, and denial-of-server attacks have become continuous and imminent threats for today's networks and hosts [7,8]. For example, 76% used a keystroke-logging component to steal information such as online banking account credentials in 2008 [8].…”

Section: Intrusion Detection Systems and Some Novel Attacksmentioning

confidence: 99%

Network forensics based on fuzzy logic and expert system

Nian-dong

Tian

Wang

2009

Computer Communications

View full text Add to dashboard Cite

“…Section 3 gives a brief description of the evaluated anomaly detection systems and the datasets used. Section 4 provides the comparative performance evaluation results in the form of ROC curves on the two datasets [53]. Section 5 provides the lessons learnt from the comparative performance evaluation of prominent NADSs.…”

Section: Introductionmentioning

confidence: 99%

Accuracy improving guidelines for network anomaly detection systems

2009

Self Cite

View full text Add to dashboard Cite

An unprecedented growth in computer and communication systems in the last two decades has resulted in a proportional increase in the number and sophistication of network attacks. In particular, the number of previouslyunseen attacks has increased exponentially in the last few years. Due to the rapidly evolving nature of network attacks, a considerable paradigm shift has taken place in the intrusion detection community. The main focus is now on Network Anomaly Detection Systems (NADSs) which model and flag deviations from normal/benign behavior of a network and can hence detect previously-unseen attacks. Contemporary NADS borrow concepts from a variety of theoretical fields (e.g., Information theory, stochastic and machine learning, signal processing, etc.) to model benign behavior. These NADSs, however, fall short of achieving acceptable performance levels as therefore widespread commercial deployments. Thus, in this paper, we firstly evaluate the performance of eight prominent network-based anomaly detectors under malicious portscan attacks to identify which NADSs perform better than others and why. These NADSs are evaluated on three criteria: accuracy (ROC curves), scalability (with respect to varying normal and attack traffic rates, and deployment points) and detection delay. These criteria are evaluated using two independently collected datasets with complementary strengths. We then propose novel methods and promising guidelines to improve the accuracy

show abstract

A Comparative Evaluation of Anomaly Detectors under Portscan Attacks

Cited by 25 publications

References 29 publications

Evolving TCP/IP packets: A case study of port scans

Evolving TCP/IP packets: A case study of port scans

Network forensics based on fuzzy logic and expert system

Accuracy improving guidelines for network anomaly detection systems

Contact Info

Product

Resources

About