TW200625871A - Method, system and program for automatically detecting distributed port scans in computer networks - Google Patents
- Publication number
- TW200625871A (application TW094124490A)
- Authority
- TW
- Taiwan
- Prior art keywords
- subset
- values
- detection
- packets
- response system
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A detection and response system including a set of algorithms for detecting, within a stream of normal computer traffic, a subset of TCP or UDP packets (the focus being network traffic that elicits a response) with one IP Source Address (SA) value, one or a few Destination Address (DA) values, and a number of distinct Destination Port (DP) values exceeding a threshold. A lookup mechanism such as a Direct Table and Patricia search tree records and traces sets of packets with one SA and one DA, as well as the set of DP values observed for the given SA, DA combination. The detection and response system reports the existence of such a subset together with its header values, including the SA, the DA, and the multiple DPs of the subset. The detection and response system also includes various administrative responses to reports.

A detection and response system including a set of algorithms for detecting, within a stream of normal computer traffic, a subset of TCP packets with one IP Source Address (SA), one Destination Port (DP), and a number of distinct Destination Address (DA) values exceeding a threshold. A lookup mechanism such as a Direct Table and Patricia search tree is used efficiently to record sets of packets with one SA and one DP, as well as the set of DA values observed for the given SA, DP combination. The existence of such a subset and its header values, including the SA, the DP, and the multiple DAs of the subset, are reported to a network administrator. In addition, various administrative responses to reports are provided.
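An added illustration of the two detection rules described in the abstract (a vertical scan: one SA, one DA, many DPs; a horizontal scan: one SA, one DP, many DAs). This is not the patent's own code; an in-memory dictionary stands in for the Direct Table and Patricia search tree, the thresholds and the packet headers are constructed for the example, and `offending_sources` is a hypothetical stand-in for the administrative response.

```python
from collections import defaultdict

# Constructed sample headers (sa, da, proto, dp), not captured traffic:
# one host probing 8 ports on one target, one host probing port 445 on
# 12 targets, and one host with ordinary web traffic.
PACKETS = (
    [("10.0.0.5", "192.168.1.10", "tcp", p) for p in (21, 22, 23, 25, 80, 110, 143, 443)]
    + [("10.0.0.7", "192.168.1.%d" % h, "tcp", 445) for h in range(20, 32)]
    + [("10.0.0.9", "192.168.1.10", "tcp", 80), ("10.0.0.9", "192.168.1.10", "tcp", 443)]
)


def detect_scans(packets, dp_threshold=6, da_threshold=8):
    """Report (SA, DA) pairs whose distinct-DP count exceeds dp_threshold
    (TCP or UDP) and (SA, DP) pairs whose distinct-DA count exceeds
    da_threshold (TCP only), mirroring the two rules in the abstract."""
    dps_by_sa_da = defaultdict(set)  # keyed like the SA,DA lookup table
    das_by_sa_dp = defaultdict(set)  # keyed like the SA,DP lookup table
    for sa, da, proto, dp in packets:
        if proto not in ("tcp", "udp"):
            continue  # the abstract only covers TCP/UDP headers
        dps_by_sa_da[(sa, da)].add(dp)
        if proto == "tcp":
            das_by_sa_dp[(sa, dp)].add(da)

    reports = []
    for (sa, da), dps in dps_by_sa_da.items():
        if len(dps) > dp_threshold:
            reports.append({"type": "vertical", "sa": sa, "da": da, "dps": sorted(dps)})
    for (sa, dp), das in das_by_sa_dp.items():
        if len(das) > da_threshold:
            reports.append({"type": "horizontal", "sa": sa, "dp": dp, "das": sorted(das)})
    return reports


def offending_sources(reports):
    """Hypothetical administrative response: the set of SAs an operator
    might rate-limit or review, derived from the reports."""
    return {r["sa"] for r in reports}


if __name__ == "__main__":
    found = detect_scans(PACKETS)
    for r in found:
        print(r)
    print("sources to review:", sorted(offending_sources(found)))
```

Raising `dp_threshold` or `da_threshold` trades missed slow scans for fewer reports on hosts that legitimately talk to many ports or many peers.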
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US10/896,733 US7957372B2 (en) | 2004-07-22 | 2004-07-22 | Automatically detecting distributed port scans in computer networks |
| US10/896,680 US7669240B2 (en) | 2004-07-22 | 2004-07-22 | Apparatus, method and program to detect and control deleterious code (virus) in computer network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW200625871A true TW200625871A (en) | 2006-07-16 |
| TWI364190B TWI364190B (en) | 2012-05-11 |
Family ID: 35058515
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW94124490A TWI364190B (en) | 2004-07-22 | 2005-07-20 | Method, system and program for automatically detecting distributed port scans in computer networks |
Country Status (3)
| Country | Link |
|---|---|
| JP (1) | JP4743901B2 (en) |
| TW (1) | TWI364190B (en) |
| WO (1) | WO2006008307A1 (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI387259B (en) * | 2008-08-01 | 2013-02-21 | Kathy T Lin | System, method, monitor product and computer readable recording medium for monitoring website application using context security |
| TWI423711B (en) * | 2009-07-21 | 2014-01-11 | Htc Corp | Mobile device and data connection method |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2009171431A (en) * | 2008-01-18 | 2009-07-30 | Oki Electric Ind Co Ltd | Traffic analyzer, traffic analyzing method, and traffic analyzing system |
| CN102591965B (en) * | 2011-12-30 | 2014-07-09 | 奇智软件(北京)有限公司 | Method and device for black chain detection |
| US9392003B2 (en) | 2012-08-23 | 2016-07-12 | Raytheon Foreground Security, Inc. | Internet security cyber threat reporting system and method |
| KR101499666B1 (en) * | 2013-08-08 | 2015-03-06 | 주식회사 시큐아이 | Apparatus and method for detecting network scanning |
| CN105306436B (en) * | 2015-09-16 | 2016-08-24 | 广东睿江云计算股份有限公司 | A kind of anomalous traffic detection method |
| GB2583114B (en) | 2019-04-17 | 2022-09-21 | F Secure Corp | Preventing UDP hole punching abuse |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA2297341A1 (en) * | 1999-08-18 | 2001-02-18 | Alma-Baba Technical Research Laboratory Co., Ltd. | System for monitoring network for cracker attack |
| JP2002124996A (en) * | 2000-10-13 | 2002-04-26 | Yoshimi Baba | Fast packet acquiring engine/security |
| US20030200441A1 (en) * | 2002-04-19 | 2003-10-23 | International Business Machines Corporation | Detecting randomness in computer network traffic |
| US7269850B2 (en) * | 2002-12-31 | 2007-09-11 | Intel Corporation | Systems and methods for detecting and tracing denial of service attacks |
| US7356587B2 (en) * | 2003-07-29 | 2008-04-08 | International Business Machines Corporation | Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram |
Events (2005)
- 2005-07-20 TW TW94124490A patent/TWI364190B/en not_active IP Right Cessation
- 2005-07-20 JP JP2007521949A patent/JP4743901B2/en not_active Expired - Fee Related
- 2005-07-20 WO PCT/EP2005/053518 patent/WO2006008307A1/en not_active Ceased
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI387259B (en) * | 2008-08-01 | 2013-02-21 | Kathy T Lin | System, method, monitor product and computer readable recording medium for monitoring website application using context security |
| TWI423711B (en) * | 2009-07-21 | 2014-01-11 | Htc Corp | Mobile device and data connection method |
| US8842590B2 (en) | 2009-07-21 | 2014-09-23 | Htc Corporation | Mobile device and data connection method thereof |
Also Published As
| Publication number | Publication date |
|---|---|
| TWI364190B (en) | 2012-05-11 |
| JP2008507222A (en) | 2008-03-06 |
| JP4743901B2 (en) | 2011-08-10 |
| WO2006008307A1 (en) | 2006-01-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Luo et al. | Prototyping fast, simple, secure switches for etha | |
| CN101848197B (en) | Detection method and device and network with detection function | |
| WO2004012393A3 (en) | Identifying network routers and paths | |
| WO2005048027A3 (en) | Dynamic unknown l2 flooding control with mac limits | |
| WO2006011987A3 (en) | Interferring server state in a stateless communication protocol | |
| CA2460530A1 (en) | Method, apparatus and computer program for the decapsulation and encapsulation of packets with multiple headers | |
| EP1162788A3 (en) | Trunking and mirroring across stacked gigabit switches | |
| WO2006096315A3 (en) | Methods and devices for improving the multiple spanning tree protocol | |
| WO2007109398A3 (en) | Methods and apparatus for data packet transmission on a network | |
| DE602005011221D1 (en) | Network bridge with overflow protection for MAC address tables | |
| WO2007038462A9 (en) | Method for dynamic sensor network processing | |
| WO2008107883A3 (en) | Prevention of frame duplication in interconnected ring networks | |
| IL201726A0 (en) | Method and apparatus for detecting port scans with fake source address | |
| CA2469169A1 (en) | Method and apparatus for determination of network topology | |
| BRPI0413475A (en) | internet packet, connection point support node, packet radio network, internet packet router, method for operating a connection point support node, signal, signal support medium, use of an alert option header ipv6 router, computer program, and, computer program product | |
| CN106341418A (en) | Domain name system (DNS) distributed reflection denial of service attack (DRDoS) detection and defense methods and systems | |
| WO2007035655A3 (en) | Using overlay networks to counter denial-of-service attacks | |
| WO2007100388A3 (en) | Techniques for network protection based on subscriber-aware application proxies | |
| TW200625871A (en) | Method, system and program for automatically detecting distributed port scans in computer networks | |
| CN102510414A (en) | Host name transfer method and device adopting same | |
| CN109120602A (en) | A kind of IPv6 attack source tracing method | |
| AU2001271689A1 (en) | Apparatus and method for efficient hashing in networks | |
| IL310636A (en) | Network compromise activity monitoring system | |
| CN106027549A (en) | Early warning method and device for ARP flood attack in local area network | |
| GB0707915D0 (en) | Recovering from a failure in a communications network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | MM4A | Annulment or lapse of patent due to non-payment of fees | |