
doi: 10.1007/11767480_1
Network attacks often employ scanning to locate vulnerable hosts and services. Fast and accurate detection of local scanners is key to containing an epidemic in its early stage. Existing scan detection schemes use statically determined detection criteria, and as a result do not respond well to traffic perturbations. We present two adaptive scan detection schemes, Success Based (SB) and Failure Based (FB), which change detection criteria based on traffic statistics. We evaluate the proposed schemes analytically and empirically using network traces. Against fast scanners, the adaptive schemes render detection precision similar to the traditional static schemes. For slow scanners, the adaptive schemes are much more effective, both in terms of detection precision and speed. SB and FB have non-linear properties not present in other schemes. These properties permit a lower Sustained Scanning Threshold and a robustness against perturbations in the background traffic.
| selected citations These citations are derived from selected sources. This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically). | 1 | |
| popularity This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network. | Average | |
| influence This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically). | Average | |
| impulse This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network. | Average |
