Date of Original Version

6-20-2006

Type

Technical Report

Abstract or Description

Since the link rate is very high up to 40Gbps these days, scanning packets can spread very fast. At this high speed, only a small chance of missing on-going scanning activity can lead to catastrophic results. Thus, fast and accurate detection of scanners is a very important problem. High-speed packet processing usually requires high-speed memory, SRAM, and the size of SRAM is very limited compared with DRAM. We propose a connection attempt success ratio based scanning detection scheme which guarantees false positive and false negative probabilities under a memory-limited environment. Our scheme can also detect slow scanners with guaranteed performance. A sampling-based extended version can overcome the limitation of short-history-based scanning detection schemes and detects enhanced scanners with a list of pre-acquired IP addresses with guaranteed performance. The proposed scheme reduces the required memory size from O(N2) to O(N), where N is the number of active hosts. We apply Bloom filter in order to further reduce the memory size. We evaluate the performance of the proposed scheme through simulation.

Comments

CMU-CyLab-06-011

Share

COinS