Using Netflows for slow portscan detection

This thesis aims to investigate if Netflow analysis is more suitable for detecting slow
portscans than two traditional systems for intrusion detection, Snort and Network Flight
Recorder.

Published by: Michael Thomas on Mar 31, 2013
Copyright:Attribution Non-commercial
In [1], D. Denning presents a model for real-time intrusion detection that is based on the
hypothesis that exploitation of a system's vulnerabilities involves abnormal use of the
system and that security violations can be detected from abnormal patterns in system
usage. The article outlines metrics that can be used to measure the state of the system,
and thus to determine whether that state is normal or abnormal. The problem is of course
that there may be very many states in a computer network or computer system, and it may
be difficult to know whether a particular state is normal or abnormal. One particular
state, or set of states, may be normal in one information system while abnormal in another.
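The following is an added example, not code from the thesis. It illustrates Denning's idea on the page's own topic: a usage metric (distinct destination/port targets per source over a long window) is compared against a baseline learned from known-good traffic, and the result is contrasted with a fixed per-minute threshold rule of the kind a packet-based IDS applies. The flow records, IP addresses, ports and timestamps are constructed, simplified Netflow-like tuples, and the threshold values are assumptions chosen for the demonstration.

```python
"""Anomaly-style slow portscan detection over flow records (added example).

Contrasts a 60-second threshold rule with a Denning-style usage metric:
the number of distinct (dst, dport) targets a source touches over a long
window, compared against a baseline profile built from normal traffic.
All flow data below is constructed; fields are (timestamp, src, dst, dport).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2013, 3, 31, 8, 0, 0)  # constructed start of the observation window


def normal_flows(t0):
    """Constructed traffic for two normal clients: many flows, few targets."""
    flows = []
    for i in range(36):  # one flow every 5 minutes for 3 hours
        t = t0 + timedelta(minutes=5 * i)
        flows.append((t, "10.0.0.7", "192.168.1.20", 443 if i % 2 else 80))
        flows.append((t, "10.0.0.8", "192.168.1.20", 443))
        flows.append((t, "10.0.0.8", "192.168.1.30", 53))
    return flows


def slow_scan_flows(t0):
    """Constructed slow scan: one new port every 10 minutes (18 ports in 3 h)."""
    return [(t0 + timedelta(minutes=10 * i), "10.0.0.5", "192.168.1.10", 21 + i)
            for i in range(18)]


def burst_scan_sources(flows, window_seconds=60, threshold=20):
    """Threshold rule (assumed values): flag a source that first touches at
    least `threshold` distinct (dst, dport) targets inside any window of
    `window_seconds`. A slow scan never accumulates enough in one window."""
    first_seen = defaultdict(dict)  # src -> {(dst, dport): first timestamp}
    for t, src, dst, dport in flows:
        target = (dst, dport)
        if target not in first_seen[src] or t < first_seen[src][target]:
            first_seen[src][target] = t
    flagged = set()
    window = timedelta(seconds=window_seconds)
    for src, targets in first_seen.items():
        times = sorted(targets.values())
        lo = 0
        for hi, t in enumerate(times):  # sliding window over first-seen times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def distinct_targets(flows):
    """Usage metric: distinct (dst, dport) targets per source over all flows."""
    seen = defaultdict(set)
    for _, src, dst, dport in flows:
        seen[src].add((dst, dport))
    return {src: len(targets) for src, targets in seen.items()}


def build_baseline(training_flows):
    """Profile of 'normal': mean and std of the metric over known-good sources.
    The std is floored at 1.0 so a uniform training set still leaves a margin."""
    counts = list(distinct_targets(training_flows).values())
    return mean(counts), max(pstdev(counts), 1.0)


def anomalous_sources(flows, baseline, k=3.0):
    """Flag sources whose metric exceeds mean + k * std of the baseline."""
    mu, sigma = baseline
    limit = mu + k * sigma
    return {src for src, n in distinct_targets(flows).items() if n > limit}


def compare_detectors():
    """Run both detectors over the constructed traffic.
    Returns (sources flagged by the threshold rule, sources flagged by the metric)."""
    training = normal_flows(T0 - timedelta(days=1))  # yesterday's normal traffic
    today = normal_flows(T0) + slow_scan_flows(T0)
    return burst_scan_sources(today), anomalous_sources(today, build_baseline(training))


if __name__ == "__main__":
    burst, anomaly = compare_detectors()
    print("60 s threshold rule flagged:", sorted(burst))
    print("long-window metric flagged:", sorted(anomaly))
```

The threshold rule sees at most two new targets from any source within a minute and flags nothing, while the long-window metric flags the scanner, whose 18 targets sit far above the baseline of two. The same example also shows Denning's caveat: the baseline is specific to the traffic it was trained on, and a source that is normal in one network (a monitoring host that legitimately touches many ports) would be flagged as abnormal in another.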

In [12], Bierman et al. define a computer intrusion to be any set of actions that attempt
to compromise the Confidentiality, Integrity or Availability (abbreviated CIA) of a resource.
In [24], R. Heady et al. give the same definition. This may seem to be a coarse-grained
definition. The 'CIA' triangle of security attributes may be the foundation for all other
attributes and mechanisms, but one would expect to find non-repudiation and authenticity
in the definition as well. Policy violations should also be classified as a security
intrusion or misuse.

In [32], the following definition of an intrusion is found: "A security event or a
combination of multiple security events that constitutes a security incident in which an
intruder gains, or attempts to gain access to a system (or system resource) without having
authorization to do so."

In [21], Ulf Lindquist defines an intrusion to be "... a successful event from the attacker’s
point of view and consists of:

1. an attack in which a vulnerability is exploited, resulting in

2. a breach which is a violation of the explicit or implicit security policy of the system."

This definition should be extended to encompass all violations of the security policies,
not just the ones where a vulnerability is exploited (e.g. a policy may state that browsing
racist or pornographic web sites is a violation of the security policy; per se this is not
an exploited vulnerability).
