Fast portscan detection using sequential hypothesis testing
Top Cited Papers
- 10 June 2004
- proceedings article
- Published by Institute of Electrical and Electronics Engineers (IEEE)
Abstract
Attackers routinely perform random "portscans" of IP addresses to find vulnerable servers to compromise. Network Intrusion Detection Systems (NIDS) attempt to detect such behavior and flag these portscanners as malicious. An important need in such systems is prompt response: the sooner a NIDS detects malice, the lower the resulting damage. At the same time, a NIDS should not falsely implicate benign remote hosts as malicious. Balancing the goals of promptness and accuracy in detecting malicious scanners is a delicate and difficult task. We develop a connection between this problem and the theory of sequential hypothesis testing and show that one can model accesses to local IP addresses as a random walk on one of two stochastic processes, corresponding respectively to the access patterns of benign remote hosts and malicious ones. The detection problem then becomes one of observing a particular trajectory and inferring from it the most likely classification for the remote host. We use this insight to develop TRW (Threshold Random Walk), an online detection algorithm that identifies malicious remote hosts. Using an analysis of traces from two qualitatively different sites, we show that TRW requires a much smaller number of connection attempts (4 or 5 in practice) to detect malicious activity compared to previous schemes, while also providing theoretical bounds on the low (and configurable) probabilities of missed detection and false alarms. In summary, TRW performs significantly faster and also more accurately than other current solutions.
This publication has 5 references indexed in Scilit:
- Surveillance detection in high bandwidth environments. Published by Institute of Electrical and Electronics Engineers (IEEE), 2004
- A probabilistic approach to detecting network scans. Published by Institute of Electrical and Electronics Engineers (IEEE), 2003
- Internet intrusions. Published by Association for Computing Machinery (ACM), 2003
- Bro: a system for detecting network intruders in real-time. Computer Networks, 1999
- A network security monitor. Published by Institute of Electrical and Electronics Engineers (IEEE), 1990