TW200625871A - Method, system and program for automatically detecting distributed port scans in computer networks - Google Patents

Method, system and program for automatically detecting distributed port scans in computer networks

Info

Publication number
TW200625871A
Authority
TW
Taiwan
Prior art keywords
subset
values
detection
packets
response system
Prior art date
Application number
TW094124490A
Other languages
Chinese (zh)
Other versions
TWI364190B (en)
Inventor
Alan David Boulanger
Robert William Danford
Kevin David Himberger
Clark Debs Jeffries
Original Assignee
Ibm
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US10/896,680 (US7669240B2)
Priority claimed from US10/896,733 (US7957372B2)
Application filed by IBM
Publication of TW200625871A
Application granted
Publication of TWI364190B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

A detection and response system including a set of algorithms for detecting, within a stream of normal computer traffic, a subset of TCP or UDP packets with one IP Source Address (SA) value, one or a few Destination Address (DA) values, and a number of distinct Destination Port (DP) values exceeding a threshold (the detection should focus on network traffic eliciting a response). A lookup mechanism such as a Direct Table and Patricia search tree records and traces sets of packets with one SA and one DA, as well as the set of DP values observed for the given SA, DA combination. The detection and response system reports the existence of such a subset and its header values, including SA, DA, and the multiple DPs of the subset. The detection and response system also includes various administrative responses to reports.

A detection and response system including a set of algorithms for detecting, within a stream of normal computer traffic, a subset of TCP packets with one IP Source Address (SA), one Destination Port (DP), and a number of distinct Destination Address (DA) values exceeding a threshold. A lookup mechanism such as a Direct Table and Patricia search tree is used efficiently to record sets of packets with one SA and one DP, as well as the set of DA values observed for the given SA, DP combination. The existence of such a subset and its header values, including SA, DP, and the multiple DAs of the subset, are reported to a network administrator. In addition, various administrative responses to reports are provided.
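The two detection rules in the abstract, as an added illustration that is not the patent's own code: a streaming detector keeps the set of distinct DPs per (SA, DA) key and the set of distinct DAs per (SA, DP) key, and raises one report the first time either set exceeds its threshold. Plain dictionaries stand in for the patent's Direct Table and Patricia tree; the packet stream, thresholds and the "block the source" response are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample stream of (source_addr, dest_addr, dest_port), in arrival order:
# normal web traffic, one vertical port scan (many DPs, one DA) and one
# horizontal host sweep (one DP, many DAs).
SAMPLE_STREAM = (
    [("10.0.0.5", "10.0.1.10", 80)] * 3
    + [("10.0.0.6", "10.0.1.10", 443), ("10.0.0.6", "10.0.1.11", 443)]
    + [("10.0.0.99", "10.0.1.10", p) for p in (21, 22, 23, 25, 80, 110, 143)]
    + [("10.0.0.77", f"10.0.1.{h}", 22) for h in range(1, 9)]
)


class ScanDetector:
    """Tracks distinct DPs per (SA, DA) and distinct DAs per (SA, DP)."""

    def __init__(self, dp_threshold=5, da_threshold=5):
        self.dp_threshold = dp_threshold          # assumed thresholds, not from the patent
        self.da_threshold = da_threshold
        self.ports_by_sa_da = defaultdict(set)    # (SA, DA) -> {DP}
        self.hosts_by_sa_dp = defaultdict(set)    # (SA, DP) -> {DA}
        self.flagged = set()                      # keys already reported (report once)
        self.blocked_sources = set()              # one possible administrative response

    def observe(self, sa, da, dp):
        """Record one packet; return a report the first time a threshold is exceeded."""
        dps = self.ports_by_sa_da[(sa, da)]
        dps.add(dp)
        if len(dps) > self.dp_threshold and ("dp", sa, da) not in self.flagged:
            self.flagged.add(("dp", sa, da))
            self.blocked_sources.add(sa)
            return {"kind": "port_scan", "sa": sa, "da": da, "dps": sorted(dps)}
        das = self.hosts_by_sa_dp[(sa, dp)]
        das.add(da)
        if len(das) > self.da_threshold and ("da", sa, dp) not in self.flagged:
            self.flagged.add(("da", sa, dp))
            self.blocked_sources.add(sa)
            return {"kind": "host_sweep", "sa": sa, "dp": dp, "das": sorted(das)}
        return None


def run_detector(stream, dp_threshold=5, da_threshold=5):
    """Feed a packet stream through the detector; return (reports, blocked sources)."""
    det = ScanDetector(dp_threshold, da_threshold)
    reports = [r for r in (det.observe(*pkt) for pkt in stream) if r is not None]
    return reports, sorted(det.blocked_sources)


if __name__ == "__main__":
    for report in run_detector(SAMPLE_STREAM)[0]:
        print(report)
```

Each report carries the header values the abstract lists (SA, DA and the DPs, or SA, DP and the DAs) as seen when the threshold was crossed; the sets keep growing for any later packets on the same key.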

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/896,680 US7669240B2 (en) 2004-07-22 2004-07-22 Apparatus, method and program to detect and control deleterious code (virus) in computer network
US10/896,733 US7957372B2 (en) 2004-07-22 2004-07-22 Automatically detecting distributed port scans in computer networks

Publications (2)

Publication Number Publication Date
TW200625871A (en) 2006-07-16
TWI364190B (en) 2012-05-11

Family

ID=35058515

Family Applications (1)

Application Number Title Priority Date Filing Date
TW94124490A TWI364190B (en) 2004-07-22 2005-07-20 Method, system and program for automatically detecting distributed port scans in computer networks

Country Status (3)

Country Link
JP (1) JP4743901B2 (en)
TW (1) TWI364190B (en)
WO (1) WO2006008307A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI387259B (en) * 2008-08-01 2013-02-21 Kathy T Lin System and method for scenario security of web application programs and program product and computer readable recording medium thereof
TWI423711B (en) * 2009-07-21 2014-01-11 Htc Corp Mobile device and data connection method

Families Citing this family (6)

Publication number Priority date Publication date Assignee Title
JP2009171431A (en) * 2008-01-18 2009-07-30 Oki Electric Ind Co Ltd Traffic analyzer, traffic analyzing method, and traffic analyzing system
CN102591965B (en) * 2011-12-30 2014-07-09 奇智软件(北京)有限公司 Method and device for detecting black chain
US9392003B2 (en) 2012-08-23 2016-07-12 Raytheon Foreground Security, Inc. Internet security cyber threat reporting system and method
KR101499666B1 (en) * 2013-08-08 2015-03-06 주식회사 시큐아이 Apparatus and method for detecting network scanning
CN105306436B (en) 2015-09-16 2016-08-24 广东睿江云计算股份有限公司 A kind of anomalous traffic detection method
GB2583114B (en) * 2019-04-17 2022-09-21 F Secure Corp Preventing UDP hole punching abuse

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
TW453072B (en) * 1999-08-18 2001-09-01 Alma Baba Technical Res Lab Co System for montoring network for cracker attacic
JP2002124996A (en) * 2000-10-13 2002-04-26 Yoshimi Baba Fast packet acquiring engine/security
US20030200441A1 (en) * 2002-04-19 2003-10-23 International Business Machines Corporation Detecting randomness in computer network traffic
US7269850B2 (en) * 2002-12-31 2007-09-11 Intel Corporation Systems and methods for detecting and tracing denial of service attacks
US7356587B2 (en) * 2003-07-29 2008-04-08 International Business Machines Corporation Automatically detecting malicious computer network reconnaissance by updating state codes in a histogram

Cited By (3)

Publication number Priority date Publication date Assignee Title
TWI387259B (en) * 2008-08-01 2013-02-21 Kathy T Lin System and method for scenario security of web application programs and program product and computer readable recording medium thereof
TWI423711B (en) * 2009-07-21 2014-01-11 Htc Corp Mobile device and data connection method
US8842590B2 (en) 2009-07-21 2014-09-23 Htc Corporation Mobile device and data connection method thereof

Also Published As

Publication number Publication date
JP4743901B2 (en) 2011-08-10
TWI364190B (en) 2012-05-11
JP2008507222A (en) 2008-03-06
WO2006008307A1 (en) 2006-01-26

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees