TY - JOUR
T1 - A proposal of port scan detection method based on Packet-In Messages in OpenFlow networks and its evaluation
AU - Ono, Daichi
AU - Guillen, Luis
AU - Izumi, Satoru
AU - Abe, Toru
AU - Suganuma, Takuo
N1 - Publisher Copyright:
© 2021 The Authors. International Journal of Network Management published by John Wiley & Sons Ltd.
PY - 2021/11/1
Y1 - 2021/11/1
N2 - By quickly detecting a port scan and blocking the culprit host from the network, it is possible to minimize the spread of the damage by infected hosts and malicious users. In the past, various Software-Defined Networking (SDN)-based methods have been proposed, whose main advantage is the lower overhead compared to traditional methods that collect and analyze all captured traffic. On the other hand, due to the polling process used in these methods, it is necessary to set a short interval (e.g., few seconds) to keep the attacks' detection as short as possible. However, when the attack frequency is very low compared to normal traffic, there is an unnecessary overhead. In this paper, we propose a port scan detection method that considers the characteristics of Packet-In messages sent from the OpenFlow (OF) switch to the controller. This allows a prompt detection and with less overhead than conventional polling methods. The evaluation was conducted using both simulated and real traffic data. Results confirm that the proposed method can detect port scans with lower overhead than existing methods.
AB - By quickly detecting a port scan and blocking the culprit host from the network, it is possible to minimize the spread of the damage by infected hosts and malicious users. In the past, various Software-Defined Networking (SDN)-based methods have been proposed, whose main advantage is the lower overhead compared to traditional methods that collect and analyze all captured traffic. On the other hand, due to the polling process used in these methods, it is necessary to set a short interval (e.g., few seconds) to keep the attacks' detection as short as possible. However, when the attack frequency is very low compared to normal traffic, there is an unnecessary overhead. In this paper, we propose a port scan detection method that considers the characteristics of Packet-In messages sent from the OpenFlow (OF) switch to the controller. This allows a prompt detection and with less overhead than conventional polling methods. The evaluation was conducted using both simulated and real traffic data. Results confirm that the proposed method can detect port scans with lower overhead than existing methods.
UR - http://www.scopus.com/inward/record.url?scp=85108360503&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85108360503&partnerID=8YFLogxK
U2 - 10.1002/nem.2174
DO - 10.1002/nem.2174
M3 - Article
AN - SCOPUS:85108360503
SN - 1055-7148
VL - 31
JO - International Journal of Network Management
JF - International Journal of Network Management
IS - 6
M1 - e2174
ER -