There is a certain level of requirements for system performance that intrusion detection systems on the Internet need. One of them is to lower the rate of "False Positive" and "False Negative." Another one is to have a convenient user interface so that users can manage system security easily with the detection systems. However, scan detection systems on public domain show a high rate of false detection and have difficulty in detecting various scanning techniques. In addition, since current scan detection systems are based on the command interface, the systems have been poor at user interface and therefore it is difficult to apply them to system security management. Hence, we first propose a set of new filter rules, which detect various scan attacks based on port scanning techniques. Secondly, a set of ABP-Rules derived from attacker's behavioral patterns is proposed in order to minimize the False Positive rate. With these methods, we implement a new real-time scan detection system, overcoming the limitations of current real-time scan detection systems. Also the implemented system contains a GUI interface for user's convenience of managing the network security, which was developed with Tcl/Tk.
展开▼
