Collaborative Detection of Coordinated Port Scans

Abstract

In this paper we analyze the coordinated port scan attack where a single adversary coordinates a Group of Attackers (GoA) in order to obtain information on a set of target networks. Such orchestration aims at avoiding Local Intrusion Detection Systems checks allowing each host of the GoA to send a very few number of probes to hosts of the target network. In order to detect this complex attack we propose a collaborative architecture where each target network deploys local sensors that send alarms to a collaborative layer. This, in turn, correlates this data with the aim of (i) identifying coordinated attacks while (ii) reducing false positive alarms and (iii) correctly separating GoAs that act concurrently on overlapping targets. Locally deployed sensors adopt graph-based clustering techniques over non-established TCP connections to generate alarms. The collaborative layer employs a similarity approach to aggregate alarms and approximated optimization algorithms to separate distinct GoAs. The soundness of our approach is tested on real network traces. Tests show that collaboration among networks domains is mandatory to achieve accurate detection of coordinated attacks and sharp separation between GoAs that execute concurrent attacks on the same targets.

DOI: 10.1007/978-3-642-35668-1_8

Extracted Key Phrases

How do we use the CG? April 12

  • 2012