Coordinated Scan Detection

Coordinated attacks, where the tasks involved in an attack are distributed amongst multiple sources, can be used by an adversary to obfuscate his incursion. In this paper we present an approach to detecting coordinated attacks that is based on adversary modeling of the desired information gain. A detection algorithm is developed that is based on solutions to the set covering problem, where we aim to recognize coordinated activity by combining events such that a large portion of the information space is covered with minimal overlap. We demonstrate this approach by developing a coordinated scan detector, where the targets of a port scan are distributed amongst multiple coordinating sources. In this case, the adversary wishes to gain information about the active hosts and ports on a particular network. We provide an algorithm that is capable of detecting horizontal and strobe scans against contiguous address spaces. We present experimental results from testing this algorithm in a control...
Carrie Gates
Added 21 May 2010
Updated 21 May 2010
Type Conference
Year 2009
Where NDSS
Authors Carrie Gates