
On Detection for Scarcely Collided Super-Slow Port Scannings in IDSs' Log-Data

Kazuyoshi Furukawa¹, Satoru Shimizu², Masahiko Takenaka¹, and Satoru Toriil¹
1. Fujitsu Laboratories Ltd., Kawasaki, 211-8588, Japan
2. Fujitsu Social Science Laboratory Limited, Kawasaki, 211-0063, Japan

Abstract—Recently, cyber-attacks against governments and enterprises have intensified and have already taken on the character of “cyber-warfare.” Because the attack techniques have become more artful, it is too difficult to defend against them perfectly. We began this research because super-slow port scannings were extracted from the log data of IDSs placed in our managed networks for 4 months. In order to extract similar scannings from large log data, a systematic detection method is required. In this paper, we propose a method for detecting scarcely collided super-slow port scannings. This method uses only the χ²-value of the number of accesses per port, without relying on the time rate of the traffic count. We also report that several kinds of scarcely collided super-slow port scannings can be detected in the IDSs’ log data.

Index Terms—super-slow port scannings, detection method, χ²-value

Cite: Kazuyoshi Furukawa, Satoru Shimizu, Masahiko Takenaka, and Satoru Toriil, "On Detection for Scarcely Collided Super-Slow Port Scannings in IDSs' Log-Data," Journal of Communications, vol. 8, no. 11, pp. 788-794, 2013. doi: 10.12720/jcm.8.11.788-794