Spark-based port and net scan detection / Affinito, A.; Botta, A.; Gallo, L.; Garofalo, M.; Ventre, G. - (2020), pp. 1172-1179. (Paper presented at the 35th Annual ACM Symposium on Applied Computing, SAC 2020, held in cze in 2020) [10.1145/3341105.3373970].

Spark-based port and net scan detection

Affinito A.; Botta A.; Gallo L.; Garofalo M.; Ventre G.
2020

Abstract

Network security is increasingly important today. Port and net scans are the typical preliminary steps an attacker takes to find victims in a given network, and they are currently the most widespread network anomalies. In this work, we focus on traditional approaches to port and net scan detection, previously abandoned because of their limited speed, and we use Big Data Analytics to speed them up so that they cope with current high-speed networks. The paper describes our approach and presents an experimental analysis, in terms of detection performance and execution time, of a threshold-based algorithm running on Apache Spark. We use real traffic traces from the MAWI archive and the MAWILab anomaly detectors as a baseline for comparison with our results. The analysis shows that i) the threshold-based algorithm already achieves detection performance higher than MAWILab (in 95% of the considered cases, with the best threshold value), which is currently considered the gold standard in the field; ii) the execution time can be as low as 25 seconds for a 24h traffic trace collected on a 10Gbps link, which makes the approach usable in real time as well. Moreover, we bridge an important gap in the literature by providing the research community with a new labeled dataset, validated against MAWILab and extended with further anomalies that MAWILab does not detect.
ISBN 9781450368667
Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11588/832217
Citations
  • PMC: ND
  • Scopus: 6
  • ISI: 4