In this paper we analyze the coordinated port scan attack, where a single adversary coordinates a Group of Attackers (GoA) in order to obtain information on a set of target networks. Such orchestration aims at avoiding Local Intrusion Detection System checks by allowing each host of the GoA to send very few probes to hosts of the target network. In order to detect this complex attack we propose a collaborative architecture where each target network deploys local sensors that send alarms to a collaborative layer. This layer, in turn, correlates the data with the aim of (i) identifying coordinated attacks while (ii) reducing false positive alarms and (iii) correctly separating GoAs that act concurrently on overlapping targets. The soundness of our approach is tested on real network traces. Tests show that collaboration among network domains is mandatory to achieve accurate detection of coordinated attacks and sharp separation between GoAs that execute concurrent attacks on the same targets. © Springer-Verlag 2013.

Collaborative detection of coordinated port scans / Baldoni, Roberto; DI LUNA, GIUSEPPE ANTONIO; Querzoni, Leonardo. - 7730 LNCS:(2013), pp. 102-117. (Paper presented at the 14th International Conference on Distributed Computing and Networking, ICDCN 2013, held in Mumbai, 3 January 2013 through 6 January 2013) [10.1007/978-3-642-35668-1_8].

Collaborative detection of coordinated port scans

BALDONI, Roberto;DI LUNA, GIUSEPPE ANTONIO;QUERZONI, Leonardo
2013

14th International Conference on Distributed Computing and Networking, ICDCN 2013
04 Publication in conference proceedings::04b Conference paper in volume
Files attached to this record
File: VE_2013_11573-515752.pdf (archive managers only)
Type: Publisher's version (published version with the publisher's layout)
License: All rights reserved
Size: 628.15 kB
Format: Adobe PDF

Use this identifier to cite or link to this document: https://hdl.handle.net/11573/515752