FDF: Frequency detection-based filtering of scanning worms

Byungseung Kim, Hyogon Kim, Saewoong Bahk

Research output: Contribution to journal › Article

4 Citations (Scopus)

Abstract

In this paper, we propose a simple algorithm for detecting scanning worms with high detection rate and low false positive rate. The novelty of our algorithm is inspecting the frequency characteristic of scanning worms instead of counting the number of suspicious connections or packets from a monitored network. Its low complexity allows it to be used on any network-based intrusion detection system as a real-time detection module for high-speed networks. Our algorithm need not be adjusted to network status because its parameters depend on application types, which are generally and widely used in any networks such as web and P2P services. By using real traces, we evaluate the performance of our algorithm and compare it with that of SNORT. The results confirm that our algorithm outperforms SNORT with respect to detection rate and false positive rate.

Original language: English
Pages (from-to): 847-857
Number of pages: 11
Journal: Computer Communications
Volume: 32
Issue number: 5
DOI: 10.1016/j.comcom.2008.12.010
Publication status: Published - 2009 Mar 27

Fingerprint

Scanning
High speed networks
Intrusion detection

Keywords

  • Autocorrelation
  • Frequency characteristic
  • Intrusion detection system
  • Scanning worm

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

FDF : Frequency detection-based filtering of scanning worms. / Kim, Byungseung; Kim, Hyogon; Bahk, Saewoong.

In: Computer Communications, Vol. 32, No. 5, 27.03.2009, p. 847-857.

@article{43cf7494734a4903a648794636c8c499,
title = "FDF: Frequency detection-based filtering of scanning worms",
keywords = "Autocorrelation, Frequency characteristic, Intrusion detection system, Scanning worm",
author = "Byungseung Kim and Hyogon Kim and Saewoong Bahk",
year = "2009",
month = "3",
day = "27",
doi = "10.1016/j.comcom.2008.12.010",
language = "English",
volume = "32",
pages = "847--857",
journal = "Computer Communications",
issn = "0140-3664",
publisher = "Elsevier",
number = "5",

}

TY - JOUR

T1 - FDF

T2 - Frequency detection-based filtering of scanning worms

AU - Kim, Byungseung

AU - Kim, Hyogon

AU - Bahk, Saewoong

PY - 2009/3/27

Y1 - 2009/3/27

KW - Autocorrelation

KW - Frequency characteristic

KW - Intrusion detection system

KW - Scanning worm

UR - http://www.scopus.com/inward/record.url?scp=61349143044&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=61349143044&partnerID=8YFLogxK

U2 - 10.1016/j.comcom.2008.12.010

DO - 10.1016/j.comcom.2008.12.010

M3 - Article

AN - SCOPUS:61349143044

VL - 32

SP - 847

EP - 857

JO - Computer Communications

JF - Computer Communications

SN - 0140-3664

IS - 5

ER -