Scanner Detection Based on Connection Attempt Success Ratio with Guaranteed False Positive and False Negative Probabilities

2006-06-20 (GMT) by Seung Yeob Nam, Hyong S. Kim
Since link rates now reach 40 Gbps, scanning packets can spread very fast. At such speeds, even a small chance of missing an ongoing scan can lead to catastrophic results, so fast and accurate detection of scanners is an important problem. High-speed packet processing usually requires high-speed memory (SRAM), and the size of SRAM is very limited compared with DRAM. We propose a scanning detection scheme based on the connection attempt success ratio that guarantees false positive and false negative probabilities in a memory-limited environment. Our scheme can also detect slow scanners with guaranteed performance. A sampling-based extended version overcomes the limitation of short-history-based scanning detection schemes and detects, with guaranteed performance, enhanced scanners that use a list of pre-acquired IP addresses. The proposed scheme reduces the required memory size from O(N^2) to O(N), where N is the number of active hosts. We apply a Bloom filter to further reduce the memory size. We evaluate the performance of the proposed scheme through simulation.
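The detection idea the abstract describes, as an added illustration rather than the paper's own algorithm (the paper's exact thresholds, data structures and guarantees are not given here): per-source attempt/success counters (O(N) in active hosts) flag a source once its success ratio over enough distinct connection attempts falls to or below a threshold, and a Bloom filter remembers which (src, dst, port) attempts were already counted without storing the O(N^2) pair table. The thresholds, the sample records and the use of the Bloom filter for attempt deduplication are my assumptions.

```python
import hashlib
from collections import defaultdict

class BloomFilter:
    """Fixed-size Bloom filter: membership test that stores no per-item data."""
    def __init__(self, bits=1 << 16, hashes=3):
        self.bits, self.hashes, self.bitmap = bits, hashes, 0  # bitmap: int as bit array
    def _positions(self, key):
        for i in range(self.hashes):
            h = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.bits
    def add(self, key):
        for pos in self._positions(key):
            self.bitmap |= 1 << pos
    def __contains__(self, key):
        return all((self.bitmap >> pos) & 1 for pos in self._positions(key))

class SuccessRatioDetector:
    """Per-source attempt/success counters: O(N) in active hosts, not O(N^2) pairs.
    A source is flagged once it has made min_attempts distinct attempts and its
    success ratio is at or below max_ratio; min_attempts bounds false positives."""
    def __init__(self, min_attempts=8, max_ratio=0.25):  # assumed thresholds
        self.min_attempts, self.max_ratio = min_attempts, max_ratio
        self.attempts, self.successes = defaultdict(int), defaultdict(int)
        self.seen = BloomFilter()  # remembers (src, dst, port) without storing the pairs
    def observe(self, src, dst, port, succeeded):
        pair = f"{src}>{dst}:{port}"
        if pair in self.seen:  # a retry to the same target is not a new attempt
            return
        self.seen.add(pair)
        self.attempts[src] += 1
        self.successes[src] += int(succeeded)
    def success_ratio(self, src):
        return self.successes[src] / self.attempts[src] if self.attempts[src] else 1.0
    def is_scanner(self, src):
        return self.attempts[src] >= self.min_attempts and self.success_ratio(src) <= self.max_ratio
    def scanners(self):
        return sorted(s for s in self.attempts if self.is_scanner(s))

# Constructed sample records (not real traffic): (src, dst, port, connection succeeded?)
SAMPLE = ([("10.0.0.5", f"10.0.1.{i}", 445, False) for i in range(1, 11)]    # sweep, all refused
    + [("10.0.0.5", "10.0.1.3", 445, False)] * 3                            # retries, deduplicated
    + [("10.0.0.7", f"10.0.2.{i}", 443, True) for i in range(2, 10)]        # busy but legitimate
    + [("10.0.0.9", f"10.0.3.{i}", 22, i % 6 == 0) for i in range(1, 13)])  # mostly-failing probes

def run(records=SAMPLE):
    det = SuccessRatioDetector()
    for rec in records:
        det.observe(*rec)
    return det
```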