Intrusion detection systems deployed on the Internet must meet a certain level of performance requirements. One of them is a low rate of false positives and false negatives. Another is a convenient user interface, so that users can manage system security easily through the detection system. However, publicly available scan detection systems show a high rate of false detections and have difficulty detecting the various scanning techniques in use. In addition, since current scan detection systems are built around a command-line interface, they offer a poor user interface and are therefore difficult to apply to system security management. Hence, we first propose a set of new filter rules that detect various scan attacks according to the port scanning technique used. Second, a set of ABP-Rules derived from attackers' behavioral patterns is proposed in order to minimize the false positive rate. With these methods we implement a new real-time scan detection (RTSD) system that overcomes the limitations of current real-time scan detection systems. The implemented system also includes a GUI, developed with Tcl/Tk, for the user's convenience in managing network security.
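The abstract describes two rule layers: filter rules that recognise a scan from the port-scanning technique it uses, and behaviour-based rules that keep a detector from alerting on traffic an ordinary host would also send. The sketch below is an added example written for this page, not the authors' RTSD implementation and not their ABP-Rules, which the page does not spell out. The flag-to-technique mapping follows the classic SYN/FIN/NULL/Xmas/ACK probe types; the stateful handshake check, the thresholds, the 10-second window, the allow-listed host 10.0.0.2 and the whole packet trace are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits
ALLOWLIST = frozenset({"10.0.0.2"})  # assumption: hosts whose probes are expected (internal scanner)

@dataclass(frozen=True)
class Packet:
    ts: float   # seconds
    src: str
    dport: int
    flags: int

def classify_probe(flags):
    """Filter rule: map a TCP flag combination to the scan technique that emits it."""
    if flags == 0:
        return "null"   # no flags: NULL scan
    if flags == FIN | PSH | URG:
        return "xmas"   # FIN+PSH+URG: Xmas scan
    if flags == FIN:
        return "fin"    # lone FIN outside any connection
    if flags == SYN:
        return "syn"    # SYN scan, but also every legitimate connect()
    if flags == ACK:
        return "ack"    # ACK probe, but also every data or keepalive segment
    return None         # SYN/ACK, RST, PSH/ACK, ...: ordinary mid-connection traffic

class ScanDetector:
    """Behavioural rules on top of the flag rule (illustrative, not the paper's ABP-Rules):
    a SYN is a probe only until the same client ACKs that port; a bare ACK is a probe only
    when no handshake with that port was seen; a source alerts once per technique after probing
    `threshold` distinct ports inside the window; allow-listed sources never alert."""

    def __init__(self, window=10.0, syn_threshold=8, stealth_threshold=2, allowlist=ALLOWLIST):
        self.window, self.syn_threshold, self.stealth_threshold = window, syn_threshold, stealth_threshold
        self.allowlist = set(allowlist)
        self.pending = set()              # (src, dport): SYN seen, no client ACK yet
        self.established = set()          # (src, dport): handshake completed
        self.probes = defaultdict(deque)  # (src, technique) -> deque of (ts, dport)
        self.alerted = set()              # (src, technique) already reported

    def observe(self, pkt):
        """Feed one packet in time order; return an alert dict or None."""
        if pkt.src in self.allowlist:
            return None
        key = (pkt.src, pkt.dport)
        if pkt.flags & ACK and not pkt.flags & SYN:
            if key in self.pending:
                # Client ACK after its own SYN: a real connection, so that SYN was no probe.
                self.pending.discard(key)
                self.established.add(key)
                syn_dq = self.probes[(pkt.src, "syn")]
                self.probes[(pkt.src, "syn")] = deque(e for e in syn_dq if e[1] != pkt.dport)
                return None
            if key in self.established or pkt.flags != ACK:
                return None    # traffic on a live connection, or not a bare ACK
            technique = "ack"  # bare ACK with no handshake behind it: ACK probe
        else:
            technique = classify_probe(pkt.flags)
            if technique is None:
                return None
            if technique == "syn":
                self.pending.add(key)
        dq = self.probes[(pkt.src, technique)]
        dq.append((pkt.ts, pkt.dport))
        while dq and pkt.ts - dq[0][0] > self.window:
            dq.popleft()   # slide the window
        ports = sorted({p for _, p in dq})
        threshold = self.syn_threshold if technique == "syn" else self.stealth_threshold
        if len(ports) >= threshold and (pkt.src, technique) not in self.alerted:
            self.alerted.add((pkt.src, technique))
            return {"ts": pkt.ts, "src": pkt.src, "technique": technique, "ports": ports}
        return None

def detect(packets, **kwargs):
    """Run the detector over a time-ordered packet list and collect its alerts."""
    det = ScanDetector(**kwargs)
    return [a for a in (det.observe(p) for p in packets) if a]

def sample_traffic():
    """Constructed trace (not captured data): scans mixed with benign traffic."""
    pkts = [Packet(100.0 + 0.2 * i, "10.0.0.5", p, SYN)   # SYN scan: ten ports, never completed
            for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])]
    for i in range(10):   # browser: SYN, ACK (handshake done), data; alternating 80 and 443
        t, port = 100.0 + 0.5 * i, (80, 443)[i % 2]
        pkts += [Packet(t, "10.0.0.7", port, SYN), Packet(t + 0.01, "10.0.0.7", port, ACK),
                 Packet(t + 0.02, "10.0.0.7", port, PSH | ACK)]
    pkts += [Packet(101.0, "10.0.0.9", 22, FIN | PSH | URG),    # Xmas probes to two ports
             Packet(101.3, "10.0.0.9", 80, FIN | PSH | URG)]
    pkts += [Packet(100.0 + 0.1 * p, "10.0.0.2", p, SYN) for p in range(1, 30)]  # allow-listed sweep
    pkts += [Packet(150.0, "10.0.0.13", 22, ACK), Packet(150.2, "10.0.0.13", 80, ACK)]  # ACK probes
    pkts += [Packet(200.0 + 30.0 * i, "10.0.0.11", p, SYN)      # slow SYN probes 30 s apart
             for i, p in enumerate([22, 80, 443, 8080])]
    return sorted(pkts, key=lambda p: p.ts)

if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)
```

Run as a script, it reports three alerts: the Xmas source, the SYN scanner once it reaches eight distinct ports, and the bare-ACK source. The browser never alerts even with `syn_threshold=2`, because every one of its SYNs is followed by its own ACK and is dropped from the probe count; a flag-only rule would have called it a SYN scan. The trade-off is visible in the last source: probes spaced wider than the window never accumulate, so the window length is the knob that trades false negatives on slow scans against false positives on bursty but legitimate clients. A real deployment would also consult the server's replies (RST versus SYN/ACK) rather than only the client side, which this sketch does not model.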
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Joong-seok SONG, Yong-jin KWON, "An RTSD System against Various Attacks for Low False Positive Rate Based on Patterns of Attacker's Behaviors" in IEICE TRANSACTIONS on Information, vol. E89-D, no. 10, pp. 2637-2643, October 2006, doi: 10.1093/ietisy/e89-d.10.2637.
URL: https://global.ieice.org/en_transactions/information/10.1093/ietisy/e89-d.10.2637/_p
@ARTICLE{e89-d_10_2637,
author={Joong-seok SONG and Yong-jin KWON},
journal={IEICE TRANSACTIONS on Information},
title={An RTSD System against Various Attacks for Low False Positive Rate Based on Patterns of Attacker's Behaviors},
year={2006},
volume={E89-D},
number={10},
pages={2637-2643},
keywords={},
doi={10.1093/ietisy/e89-d.10.2637},
ISSN={1745-1361},
month={October},}
TY - JOUR
TI - An RTSD System against Various Attacks for Low False Positive Rate Based on Patterns of Attacker's Behaviors
T2 - IEICE TRANSACTIONS on Information
SP - 2637
EP - 2643
AU - Joong-seok SONG
AU - Yong-jin KWON
PY - 2006
DO - 10.1093/ietisy/e89-d.10.2637
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E89-D
IS - 10
JA - IEICE TRANSACTIONS on Information
Y1 - October 2006
ER -