TW200625871A - Method, system and program for automatically detecting distributed port scans in computer networks - Google Patents
- Publication number: TW200625871A
- Authority: TW (Taiwan)
- Prior art keywords: subset, values, detection, packets, response system
- Prior art date
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1458—Denial of Service
Abstract
A detection and response system includes a set of algorithms for detecting, within a stream of normal computer traffic, a subset of (should focus on network traffic eliciting response) TCP or UDP packets that share one IP Source Address (SA) value, one or a few Destination Address (DA) values, and a number of distinct Destination Port (DP) values exceeding a threshold. A lookup mechanism, such as a Direct Table and Patricia search tree, records and traces sets of packets with one SA and one DA, together with the set of DP values observed for that SA, DA combination. The detection and response system reports the existence of such a subset and its header values, including the SA, the DA, and the multiple DPs. The detection and response system also includes various administrative responses to reports.

A detection and response system also includes a set of algorithms for detecting, within a stream of normal computer traffic, a subset of TCP packets that share one IP Source Address (SA), one Destination Port (DP), and a number of distinct Destination Address (DA) values exceeding a threshold. A lookup mechanism, such as a Direct Table and Patricia search tree, is used efficiently to record sets of packets with one SA and one DP, together with the set of DA values observed for that SA, DP combination. The existence of such a subset and its header values, including the SA, the DP, and the multiple DAs, are reported to a network administrator. In addition, various administrative responses to reports are provided.
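As an added illustration, not the patent's own code, the two bookkeeping rules from the abstract in Python: a dict stands in for the Direct Table / Patricia tree lookup, one set per (SA, DA) pair collects distinct DPs, one set per (SA, DP) pair collects distinct DAs, and a report is raised the first time either set exceeds its threshold. The thresholds, the packet tuples and the addresses are assumptions constructed for the example.

```python
from collections import defaultdict

# Assumed thresholds; the abstract only says "a number exceeding a threshold".
PORT_THRESHOLD = 5   # distinct DPs tolerated for one (SA, DA) pair
HOST_THRESHOLD = 5   # distinct DAs tolerated for one (SA, DP) pair


class ScanDetector:
    """Per-(SA, DA) port sets and per-(SA, DP) host sets, as in the abstract."""

    def __init__(self, port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.ports_by_pair = defaultdict(set)  # (SA, DA) -> {DP, ...}
        self.hosts_by_port = defaultdict(set)  # (SA, DP) -> {DA, ...}
        self.reported = set()                  # report each subset once

    def observe(self, sa, da, dp, proto="TCP"):
        """Record one packet header; return the reports it triggers (if any)."""
        reports = []
        ports = self.ports_by_pair[(sa, da)]
        ports.add(dp)
        key = ("many-ports", sa, da)
        if len(ports) > self.port_threshold and key not in self.reported:
            self.reported.add(key)
            reports.append({"type": "many-ports", "sa": sa, "da": da, "dps": sorted(ports)})
        if proto == "TCP":  # the abstract states the DA-spread rule for TCP only
            hosts = self.hosts_by_port[(sa, dp)]
            hosts.add(da)
            key = ("many-hosts", sa, dp)
            if len(hosts) > self.host_threshold and key not in self.reported:
                self.reported.add(key)
                reports.append({"type": "many-hosts", "sa": sa, "dp": dp, "das": sorted(hosts)})
        return reports


def run_sample():
    """Constructed traffic: two normal flows, then one source probing seven ports
    on a single host and port 22 on seven hosts. Returns every report raised."""
    det = ScanDetector()
    packets = [("10.0.0.5", "192.0.2.10", 443), ("10.0.0.6", "192.0.2.10", 80)]
    packets += [("203.0.113.9", "192.0.2.10", p) for p in (21, 22, 23, 25, 80, 110, 143)]
    packets += [("203.0.113.9", f"192.0.2.{h}", 22) for h in range(20, 27)]
    out = []
    for sa, da, dp in packets:
        out.extend(det.observe(sa, da, dp))
    return out
```

The normal flows never trip either rule, while the scanning source is reported once per rule even though it keeps sending after the threshold is crossed.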
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/896,680 US7669240B2 (en) | 2004-07-22 | 2004-07-22 | Apparatus, method and program to detect and control deleterious code (virus) in computer network |
US10/896,733 US7957372B2 (en) | 2004-07-22 | 2004-07-22 | Automatically detecting distributed port scans in computer networks |
Publications (2)
Publication Number | Publication Date |
---|---|
TW200625871A true TW200625871A (en) | 2006-07-16 |
TWI364190B TWI364190B (en) | 2012-05-11 |
Family ID: 35058515
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW94124490A TWI364190B (en) | 2004-07-22 | 2005-07-20 | Method, system and program for automatically detecting distributed port scans in computer networks |
Country Status (3)
Country | Link |
---|---|
JP (1) | JP4743901B2 (en) |
TW (1) | TWI364190B (en) |
WO (1) | WO2006008307A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2009171431A (en) * | 2008-01-18 | 2009-07-30 | Oki Electric Ind Co Ltd | Traffic analyzer, traffic analyzing method, and traffic analyzing system |
CN102591965B (en) * | 2011-12-30 | 2014-07-09 | 奇智软件(北京)有限公司 | Method and device for detecting black chain |
US9392003B2 (en) | 2012-08-23 | 2016-07-12 | Raytheon Foreground Security, Inc. | Internet security cyber threat reporting system and method |
KR101499666B1 (en) * | 2013-08-08 | 2015-03-06 | 주식회사 시큐아이 | Apparatus and method for detecting network scanning |
CN105306436B (en) | 2015-09-16 | 2016-08-24 | 广东睿江云计算股份有限公司 | A kind of anomalous traffic detection method |
GB2583114B (en) * | 2019-04-17 | 2022-09-21 | F Secure Corp | Preventing UDP hole punching abuse |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TW453072B (en) * | 1999-08-18 | 2001-09-01 | Alma Baba Technical Res Lab Co | System for monitoring network for cracker attack |
JP2002124996A (en) * | 2000-10-13 | 2002-04-26 | Yoshimi Baba | Fast packet acquiring engine/security |
US20030200441A1 (en) * | 2002-04-19 | 2003-10-23 | International Business Machines Corporation | Detecting randomness in computer network traffic |
US7269850B2 (en) * | 2002-12-31 | 2007-09-11 | Intel Corporation | Systems and methods for detecting and tracing denial of service attacks |
US7356587B2 (en) * | 2003-07-29 | 2008-04-08 | International Business Machines Corporation | Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram |
2005
- 2005-07-20 WO PCT/EP2005/053518 patent/WO2006008307A1/en active Application Filing
- 2005-07-20 TW TW94124490A patent/TWI364190B/en not_active IP Right Cessation
- 2005-07-20 JP JP2007521949A patent/JP4743901B2/en not_active Expired - Fee Related
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI387259B (en) * | 2008-08-01 | 2013-02-21 | Kathy T Lin | System and method for scenario security of web application programs and program product and computer readable recording medium thereof |
TWI423711B (en) * | 2009-07-21 | 2014-01-11 | Htc Corp | Mobile device and data connection method |
US8842590B2 (en) | 2009-07-21 | 2014-09-23 | Htc Corporation | Mobile device and data connection method thereof |
Also Published As
Publication number | Publication date |
---|---|
JP4743901B2 (en) | 2011-08-10 |
TWI364190B (en) | 2012-05-11 |
JP2008507222A (en) | 2008-03-06 |
WO2006008307A1 (en) | 2006-01-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| MM4A | Annulment or lapse of patent due to non-payment of fees | |