Authors
Joris Kinable
Publication date
2008/6/23
Journal
9th Twente Student Conference on IT, 23rd June
Description
Current Network Scan Detection Systems (NSDS) usually implement detection schemes that depend on the ability to analyze every single network packet in detail. To scale NSDS to high-speed networks processing gigabits per second, a different approach is required, since packet-level inspection is no longer feasible.
In this paper we investigate the possibility of using NetFlow data, which aggregates the information contained in multiple packets, as a means of detecting network scanners. Using NetFlow data imposes restrictions on the detection approaches, since detailed packet information is lost. The main contribution of this paper is the identification of detection approaches applicable in high-speed networks. The approaches elaborated generalize the ideas behind conventional detection approaches. In addition, a new detection approach is introduced, based on observed connection patterns. To analyze the results obtained when putting our detection approaches into practice, a set of real-life NetFlow records is used. Final validation of the results is performed by comparing the results of the different detection approaches against one another. It turns out that, although in many cases the information in the NetFlow records is not sufficient to identify scan attempts with absolute certainty, the approaches are quite capable of filtering out a set of suspicious hosts.
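The abstract describes the core constraint of flow-based scan detection: a NetFlow record carries only endpoints, counters and the OR of the TCP flags seen, so a detector has to reason about fan-out and connection patterns rather than packet contents. The following is an added illustration of that idea, written for this page; it is not code from the paper, and the flow records, field names, thresholds and the three heuristics (horizontal fan-out, vertical port fan-out, and a "SYN-only, tiny flow" connection pattern as a stand-in for failed or half-open connections) are assumptions of this example, not the paper's actual method.

```python
from collections import defaultdict

# Constructed sample flow records (not taken from the paper's dataset). Each
# record is a unidirectional flow summary of the kind a NetFlow exporter emits:
# no payload, only endpoints, counters and the cumulative TCP flag set.
FLOWS = [
    # Horizontal scanner: one SYN-only packet to many hosts on port 445.
    *[{"src": "10.0.0.9", "dst": f"192.168.1.{i}", "dport": 445,
       "pkts": 1, "bytes": 60, "flags": "S"} for i in range(1, 41)],
    # Vertical scanner: one host, many ports, each probed with a lone SYN.
    *[{"src": "10.0.0.7", "dst": "192.168.1.5", "dport": p,
       "pkts": 1, "bytes": 60, "flags": "S"} for p in range(20, 60)],
    # Benign client: few destinations, full handshakes with data exchanged.
    *[{"src": "10.0.0.3", "dst": "192.168.1.20", "dport": 443,
       "pkts": 30, "bytes": 18000, "flags": "SPA"} for _ in range(12)],
    {"src": "10.0.0.3", "dst": "192.168.1.21", "dport": 80,
     "pkts": 10, "bytes": 4000, "flags": "SPAF"},
]


def summarize(flows):
    """Aggregate per-source statistics that survive packet-to-flow aggregation."""
    per_src = defaultdict(lambda: {
        "flows": 0,                 # total flows originated by the source
        "dsts": set(),              # distinct destination addresses
        "ports": defaultdict(set),  # destination -> distinct destination ports
        "syn_only": 0,              # flows that never got past a lone SYN
    })
    for f in flows:
        s = per_src[f["src"]]
        s["flows"] += 1
        s["dsts"].add(f["dst"])
        s["ports"][f["dst"]].add(f["dport"])
        # Without payloads we cannot see a refused connection directly; a flow
        # whose only flag is SYN and whose packet count is tiny is the closest
        # flow-level proxy for a probe that was never answered or completed.
        if f["flags"] == "S" and f["pkts"] <= 2:
            s["syn_only"] += 1
    return per_src


def detect_scanners(flows, dst_threshold=20, port_threshold=20,
                    syn_only_ratio=0.8, min_flows=10):
    """Return {source: [reasons]} for sources whose flow pattern suggests scanning.

    Thresholds are illustrative; in practice they are tuned per network and
    per observation window.
    """
    suspects = {}
    for src, s in summarize(flows).items():
        reasons = []
        # Many distinct targets: classic horizontal scan signature.
        if len(s["dsts"]) >= dst_threshold:
            reasons.append("horizontal-scan")
        # Many distinct ports on a single target: vertical scan signature.
        if any(len(ports) >= port_threshold for ports in s["ports"].values()):
            reasons.append("vertical-scan")
        # Connection-pattern heuristic: almost every flow is a lone SYN.
        if s["flows"] >= min_flows and s["syn_only"] / s["flows"] >= syn_only_ratio:
            reasons.append("syn-only")
        if reasons:
            suspects[src] = reasons
    return suspects


if __name__ == "__main__":
    for src, reasons in sorted(detect_scanners(FLOWS).items()):
        print(src, ", ".join(reasons))
```

As the abstract notes, none of this proves a scan: a DNS resolver or a monitoring host also fans out to many destinations, a sampled or unidirectional exporter can hide the reply side, and a slow scanner spreads its probes across observation windows. The output is therefore a list of suspicious hosts to triage, not a verdict.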