Coordinated Scan Detection Based on Similarities of Scan Behaviors ?

Coordinated scan can gather host information for further attack more efficiently and stealthily than single-source port scans by distributing tasks amongst multiple sources. The existing coordinated scan detection methods are mostly based on scan behavior characteristics in temporal or spatial correlation. However, these detection methods can be easily evaded with the increasingly sophisticated coordinated scan methods. In this paper, we propose an approach to detecting coordinated scans based on the similarities between the scan behavior sequences launched by the scanners. Based on the assumption that the scanners controlled by an attacker are similar in the scan behaviors, the coordinated scan detection problem can be reduced to that of recognizing the similar scan sequences. We first present a description model of coordinated scan. Then a detection algorithm is developed based on the Dynamic Time Warping (DTW) distances between the sequences and a hierarchical clustering method was used to recognize coordinated scanners. The experimental results suggest that the proposed method has an acceptable detection rate for horizontal scans, vertical scans and hybrid scans.