• Journal of the Korean Institute of Intelligent Systems
• /
• v.18 no.5
• /
• pp.679-684
• /
• 2008

The slow port scan attack detection is the one of the important topics in the network security. We suggest an abnormal traffic control framework to detect slow port scan attacks using fuzzy rules. The abnormal traffic control framework acts as an intrusion prevention system to suspicious network traffic. It manages traffic with a stepwise policy: first decreasing network bandwidth and then discarding traffic. In this paper, we show that our abnormal traffic control framework effectively detects slow port scan attacks traffic using fuzzy rules and a stepwise policy.

• Journal of the Korea Society for Simulation
• /
• v.21 no.4
• /
• pp.91-102
• /
• 2012

Network port scan attack is the method for finding ports opening in a local network. Most existing IDSs(intrusion detection system) record the number of packets sent to a system per unit time. If port scan count from a source IP address is higher than certain threshold, it is regarded as a port scan attack. The degree of risk about source IP address performing network port scan attack depends on attack count recorded by IDS. However, the measurement of risk based on the attack count may reduce port scan detection rates due to the increased false negative for slow port scan. This paper proposes a method of summarizing 4 types of information to differentiate network port scan attack more precisely and comprehensively. To integrate the riskiness, we present a risk index that quantifies the risk of port scan attack by using PCA. The proposed detection method using risk index shows superior performance than Snort for the detection of network port scan.

• The KIPS Transactions:PartC
• /
• v.8C no.5
• /
• pp.543-550
• /
• 2001

In this paper, an improved detection system for the network vulnerability scan attacks is proposed. The proposed system improves the methodology for detecting the network vulnerability scan attacks and provides a global detection and response capability that can counter attacks occurring across an entire network enterprize. Through the simulation, we show that the proposed system can detect vulnerable port attacks, coordinated attacks, slow scans and slow coordinated attacks. We also show our system can achieve more global and hierarchical response to attacks through the correlation between server and agents than a stand-alone system can make.