Automated Detection of Stealthy Portscans (Network Intrusion Detection System)
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
project topics
Active In SP
**

Posts: 2,492
Joined: Mar 2010
#1
22-04-2010, 12:05 AM


Automated Detection of Stealthy Portscans (Network Intrusion Detection System)

Portscanning is a common activity of considerable importance. It is often used by computer attackers to characterize hosts or networks which they are considering hostile activity against. Thus it is useful for system administrators and other network defenders to detect portscans as possible preliminaries to a more serious attack.

There are two general purposes that an attacker might have in conducting a portscan: a primary one, and a secondary one. The primary purpose is that of gathering information about the reachability and status of certain combinations of IP address and port (either TCP or UDP). The secondary purpose is to flood intrusion detection systems with alerts, with the intention of distracting the network defenders or preventing them from doing their jobs. We will mainly be concerned with detecting information gathering portscans.

We will use the term scan footprint for the set of port/IP combinations which the attacker is interested in characterizing. It is helpful to conceptually distinguish the footprint of the scan, from the script of the scan, which refers to the time sequence in which the attacker tries to explore the footprint. The footprint is independent of aspects of the script, such as how fast the scan is, whether it is randomized, etc. The
footprint represents the attackerâ„¢s information gathering requirements for her scan, and she designs a scan script that will meet those requirements, and perhaps other non-information-gathering requirements.

The most common type of portscan footprint at present is a horizontal scan. By this, we mean that an attacker has an exploit for a particular service, and is interested in finding any hosts that expose that service. Thus she scans the port of interest on all IP addresses in some range of interest. Also at present, this is mainly being done sequentially on TCP port 53 (DNS). There are also syn-fin scanning involves sending packets with both syn and fin flags set and Ack scanning involves sending an unsolicited packet with just the Ack flag set.

We can detect a Stealthy portscan by look for X TCP or UDP packets sent to any number of host/port combinations from a single source host in Y seconds, where X and Y are user defined values. Additionally, the portscan detector looks for single TCP packets that are not used in normal TCP operations. Such packets will have odd combinations of TCP flags set, or no flags set at all. Upon arrival, a packetâ„¢s structure is checked for soundness. The packet is then tested to see if it is part of a scan currently in progress. This is achieved by comparing the packet type and source address to those of scans currently being investigated. If it is not part of a current scan, it becomes the starting node of a new scan. Otherwise, the matching scanâ„¢s packet count is incremented, and a check is made to determine whether the threshold of X packets sent in Y seconds was exceeded. If so, the scan is reported. The scan will also be reported, regardless of the threshold

This project and implimentation can be developed in C++ or JAVA or .NET
Use Search at http://topicideas.net/search.php wisely To Get Information About Project Topic and Seminar ideas with report/source code along pdf and ppt presenaion
Reply

Important Note..!

If you are not satisfied with above reply ,..Please

ASK HERE

So that we will collect data for you and will made reply to the request....OR try below "QUICK REPLY" box to add a reply to this page

Quick Reply
Message
Type your reply to this message here.


Image Verification
Please enter the text contained within the image into the text box below it. This process is used to prevent automated spam bots.
Image Verification
(case insensitive)

Possibly Related Threads...
Thread Author Replies Views Last Post
  Automated Wish System mechanical engineering crazy 1 2,167 21-10-2014, 04:44 AM
Last Post: TcUWSeRDX
  Detection and Localization of Multiple Spoofing Attackers in Wireless Networks seminar flower 4 1,808 02-06-2014, 09:51 AM
Last Post: seminar project topic
  ON THE EFFECTIVENESS OF MONITORING FOR INTRUSION DETECTION IN MOBILE AD HOC abstract seminar tips 2 802 09-05-2014, 09:43 AM
Last Post: seminar project topic
  Wireless Sensor Network Security model using Zero Knowledge Protocol project uploader 1 1,037 28-02-2014, 01:44 AM
Last Post: mspadmini19
  OBSTACLE DETECTION AND AVOIDANCE ROBOT seminar surveyer 9 11,437 28-10-2013, 10:50 PM
Last Post: Guest
  A PARADIGM IMAGE ANALYSIS AND AUTOMATED CARTOGRAPHY FOR RELINQUISHED WIDGET REPORT seminar projects maker 0 360 24-09-2013, 02:26 PM
Last Post: seminar projects maker
  Efficient and Robust Detection of Duplicate Videos in a Large Database Report seminar projects maker 0 435 24-09-2013, 12:47 PM
Last Post: seminar projects maker
  Network Assisted Mobile Computing with Optimal Uplink Query Processing pdf seminar projects maker 0 467 20-09-2013, 04:01 PM
Last Post: seminar projects maker
  The Content-Based Image Retrieval using the Pulse Coupled Neural Network PPT seminar projects maker 0 546 14-09-2013, 01:58 PM
Last Post: seminar projects maker
  Online and Offline Intrusion Alert Aggregation pdf seminar projects maker 0 296 14-09-2013, 12:55 PM
Last Post: seminar projects maker