A systematic approach for detecting and clustering distributed cyber scanning
2013
We present in this paper an approach composed of two techniques that respectively tackle the issues of detecting corporate cyber scanning and clustering distributed reconnaissance activity. The first technique is based on a non-attribution anomaly detection approach that focuses on what is being scanned rather than on who is performing the scanning. The second technique adopts a statistical time series approach, rendered by observing the correlation status of a traffic signal, to perform the identification and clustering. To empirically validate both techniques, we utilize and examine two real network traffic datasets and implement two experimental environments. The first dataset comprises unsolicited one-way telescope/darknet traffic, while the second dataset was captured in our lab through a customized setup. The results show, on one hand, that for a class C network with 250 active hosts and 5 monitored servers, the training period of the proposed detection technique required a stabilization time of less than 1 s and a state memory of 80 bytes. Moreover, in comparison with Snort's sfPortscan technique, it was able to detect 4215 unique scans and yielded zero false negatives. On the other hand, the proposed clustering technique is able to correctly identify and cluster the scanning machines with high accuracy even in the presence of legitimate traffic. We further validate this clustering technique by formulating the presented scenario as a machine learning problem. Specifically, we compare our proposed technique with an unsupervised data clustering technique that adopts the k-means and the expectation maximization approaches. The results confirm the validity of our clustering technique, rendering it feasible for adoption.