Journal: International Journal of Applied Engineering Research

Port Scanning Attack Analysis with Dempster-Shafer Evidence Theory



Abstract

Port scanning is a process of probing networks, finding vulnerabilities and then infiltrating IT resources. It is often the fundamental method utilized by an intruder prior to initiating a targeted cyber attack. Port scan attack traffic does not contain any specific signature; therefore, IDS-based detection may suffer by generating many/false alerts. Manual examination is an error-prone, labor-intensive and time-consuming process. This work presents an approach to detect port scanning attacks based on the entropy and failed connection attempts made by each host. To analyze and prioritize the observed evidence, Dempster-Shafer theory is utilized to calculate the combined belief of each host in support of the proposed hypothesis. A proof-of-concept prototype has been implemented using the open source SNORT IDS, with Internet traffic data injected with crafted scans used to validate the system. It is observed that the proposed approach correctly identifies and prioritizes the crafted scans injected into real traffic.