New Sequential Methods for Detecting Portscanners

TL;DR

This paper introduces new sequential detection methods for portscanners that offer faster performance, controlled false positives, and bounded observational time, improving upon existing solutions with a novel algorithm and computational parameter tuning.

Contribution

The paper presents a new sequential detection algorithm with numerical parameter optimization and a multi-valued decision framework, enhancing speed and reliability over previous methods.

Findings

Faster detection compared to existing solutions

Controlled false positive rate

Bounded observational time

Abstract

In this paper, we propose new sequential methods for detecting port-scan attackers which routinely perform random "portscans" of IP addresses to find vulnerable servers to compromise. In addition to rigorously control the probability of falsely implicating benign remote hosts as malicious, our method performs significantly faster than other current solutions. Moreover, our method guarantees that the maximum amount of observational time is bounded. In contrast to the previous most effective method, Threshold Random Walk Algorithm, which is explicit and analytical in nature, our proposed algorithm involve parameters to be determined by numerical methods. We have developed computational techniques such as iterative minimax optimization for quick determination of the parameters of the new detection algorithm. A framework of multi-valued decision for testing portscanners is also proposed.