New Sequential Methods for Detecting Portscanners
This work addresses network security for system administrators by providing incremental improvements in detection algorithms.
The paper tackles the problem of detecting port-scan attackers by proposing new sequential methods that control false positive probabilities and offer faster performance with bounded observational time, achieving significant speed improvements over existing solutions.
In this paper, we propose new sequential methods for detecting port-scan attackers which routinely perform random "portscans" of IP addresses to find vulnerable servers to compromise. In addition to rigorously control the probability of falsely implicating benign remote hosts as malicious, our method performs significantly faster than other current solutions. Moreover, our method guarantees that the maximum amount of observational time is bounded. In contrast to the previous most effective method, Threshold Random Walk Algorithm, which is explicit and analytical in nature, our proposed algorithm involve parameters to be determined by numerical methods. We have developed computational techniques such as iterative minimax optimization for quick determination of the parameters of the new detection algorithm. A framework of multi-valued decision for testing portscanners is also proposed.