Collaborative detection of coordinated port scans / Baldoni, Roberto; DI LUNA, GIUSEPPE ANTONIO; Querzoni, Leonardo. - 7730 LNCS:(2013), pp. 102-117. (Paper presented at the 14th International Conference on Distributed Computing and Networking, ICDCN 2013, held in Mumbai, 3 January 2013 through 6 January 2013) [10.1007/978-3-642-35668-1_8].
Collaborative detection of coordinated port scans
BALDONI, Roberto; DI LUNA, GIUSEPPE ANTONIO; QUERZONI, Leonardo
2013
Abstract
In this paper we analyze the coordinated port scan attack, in which a single adversary coordinates a Group of Attackers (GoA) in order to obtain information on a set of target networks. Such orchestration aims at evading the checks of local Intrusion Detection Systems: each host of the GoA needs to send only a very small number of probes to hosts of the target network. In order to detect this complex attack we propose a collaborative architecture in which each target network deploys local sensors that send alarms to a collaborative layer. This layer, in turn, correlates the data with the aim of (i) identifying coordinated attacks while (ii) reducing false positive alarms and (iii) correctly separating GoAs that act concurrently on overlapping targets. The soundness of our approach is tested on real network traces. Tests show that collaboration among network domains is mandatory to achieve accurate detection of coordinated attacks and sharp separation between GoAs that execute concurrent attacks on the same targets. © Springer-Verlag 2013.

| File | Size | Format |
|---|---|---|
| VE_2013_11573-515752.pdf (archive administrators only; type: publisher's version, published with the publisher's layout; license: all rights reserved) | 628.15 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.