Two Pass Port Scan Detection Technique Based on Connection Pattern and Status on Sampled Data

Abstract

Anomaly detection has become essential in networks: as internet use grows, the security of the network and of its users is a primary concern of every network administrator. With that growth, the likelihood of a threat or attack in the network rises day by day, and so does the volume of traffic. Analysing all of the traffic in a network to find anomalies is very difficult, and sampling offers a way to analyse anomalies with far less traffic data. In this paper we propose a port scan detection approach, CPST, which uses the status of connections and the pattern of connections to decide whether a particular source is a scanner or a benign host. We also show that this approach works efficiently under different sampling methods.
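The abstract names two ingredients, connection status and connection pattern, checked in two passes over possibly sampled data. The Python below is added here as an illustration of how those ingredients can be combined; it is not the paper's CPST implementation. Pass one tallies failed versus completed connections per source, pass two counts distinct destination targets only for sources that fail the first gate, and a count-based systematic sampler thins the records first. The `Flow` record layout, the status vocabulary, the thresholds (failure ratio 0.5, at least four flows, five distinct targets) and the sample traffic are all assumptions constructed for the example.

```python
"""Two-pass scanner/benign classification over (optionally sampled) flow records.

Added illustration, not the paper's CPST code. The Flow layout, the status
vocabulary, the thresholds and the traffic below are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    status: str  # assumed vocabulary: "established", "rejected" (RST), "unanswered" (SYN only)


FAILED_STATUSES = {"rejected", "unanswered"}


def systematic_sample(flows, every_n):
    """Count-based systematic sampling: keep every n-th record in arrival order."""
    return [f for i, f in enumerate(flows) if i % every_n == 0]


def pass_one(flows):
    """Pass 1: per-source tally of completed vs failed connections."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0})
    for f in flows:
        stats[f.src]["failed" if f.status in FAILED_STATUSES else "ok"] += 1
    return stats


def pass_two(flows, suspects, min_targets):
    """Pass 2: connection pattern, counted only for the suspects from pass 1.

    A scanner touches many distinct (host, port) targets; a client that merely
    talks to a flaky server usually does not.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.src in suspects:
            targets[f.src].add((f.dst, f.dport))
    return {src for src, t in targets.items() if len(t) >= min_targets}


def classify(flows, failed_ratio=0.5, min_flows=4, min_targets=5):
    """Return {source: "scanner" | "benign"} for every source seen in flows."""
    stats = pass_one(flows)
    suspects = set()
    for src, s in stats.items():
        total = s["ok"] + s["failed"]
        if total >= min_flows and s["failed"] / total >= failed_ratio:
            suspects.add(src)
    scanners = pass_two(flows, suspects, min_targets)
    return {src: ("scanner" if src in scanners else "benign") for src in stats}


def build_flows():
    """Constructed traffic: one vertical scanner and one busy benign client, interleaved."""
    flows = []
    for i in range(200):
        port = i + 1
        if port in (22, 80):           # the only two open ports on the target
            status = "established"
        else:
            status = "rejected" if i % 3 == 0 else "unanswered"
        flows.append(Flow("10.0.0.9", "192.168.1.10", port, status))
        if i % 5 == 0:                 # benign client: six distinct targets, ~10% failures
            k = i // 5
            flows.append(Flow("10.0.0.5", f"192.168.1.{20 + k % 3}",
                              443 if k % 2 else 80,
                              "unanswered" if k % 10 == 9 else "established"))
    return flows


if __name__ == "__main__":
    full = build_flows()
    print("full   :", classify(full))
    print("1-in-7 :", classify(systematic_sample(full, 7)))
```

The benign client reaches six distinct targets, which would satisfy the pattern threshold on its own, but it is never examined in pass two because roughly 90% of its connections complete; that is what gating on connection status buys. Thinning the constructed traffic to one record in seven leaves both verdicts unchanged. A count-based sampler is predictable, so a scanner that paces its probes can avoid being selected; that is one reason to evaluate a detector under several sampling methods rather than one.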

Share and Cite:

Kumar, S., Dutta, K. and Asati, A. (2015) Two Pass Port Scan Detection Technique Based on Connection Pattern and Status on Sampled Data. Journal of Computer and Communications, 3, 1-8. doi: 10.4236/jcc.2015.39001.

Conflicts of Interest

The authors declare no conflicts of interest.

Copyright © 2023 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.