A study on risk index to analyze the impact of port scan and to detect slow port scan in network intrusion detection

Seongchul Park, Juntae Kim

Research output: Contribution to journal › Article › peer-review

1 Scopus citations

Abstract

A network port scan attack is a tool with which to identify any open port in a system within the internal network. In most existing intrusion detection systems, a port scan attack is considered ‘executed’ and attributed to a source IP address when the count of its outgoing packets is higher than a threshold set according to the record of packets sent to the system or network per unit of time. That is, the risk level of a source IP address performing a network port scan attack has relied on the count of port scan attacks recorded by IDSs. However, risk measurement based solely on the count of port scan attacks yields low port scan detection rates because of increased false negatives on slow port scan attacks. In this study, four different forms of information are highlighted to accurately and comprehensively identify network port scan attacks. A risk index that quantifies this information through Principal Component Analysis (PCA) is proposed to express the integrated risk of port scan attacks. In the experiments, detection using the proposed risk index demonstrates higher port scan detection rates than Snort.

Original language: English
Pages (from-to): 10329-10336
Number of pages: 8
Journal: Advanced Science Letters
Volume: 23
Issue number: 10
State: Published - Oct 2017

Keywords

  • Network intrusion detection system
  • Network port scan
  • Principal component analysis
  • Risk index
  • Slow port scan
  • Stealth port scan
