Port Scans: Real Numbers, Real Networks

Carrie Gates - Carnegie Mellon University

Nov 12, 2003

Abstract

Port scans have traditionally received little attention in the research
literature. It is widely assumed that port scans are very common, yet there
are no studies quantifying this belief, nor is there a single agreed-upon
definition of what constitutes a port scan. Current detection methods,
including both anomaly analysis and thresholding schemes, are also widely
assumed to be sufficient for detecting port scans. Yet no studies have
determined what are appropriate thresholds, nor how well these or the
anomaly detection methods work. In this talk, I will introduce a new
research effort underway at the CERT Analysis Center that has the aim of
detecting both single-source and distributed port scans. Some initial
results from applying this new method of scan detection to the network logs
of a large organization will be presented, quantifying the amount and type
of scanning activity occurring. Finally, we will discuss some of the open
research issues still to be solved in this area, and conclude with setting
port scans in a larger research framework.

About the Speaker

Carrie Gates is a visiting scientist with the CERT Analysis Center at the
Software Engineering Institute, Carnegie Mellon University, where she is
working on her PhD dissertation in the area of distributed port scanning.
She has received numerous scholarships, including the IBM Scholars PhD
Fellowship, awarded in 2003. She holds an M.Sc. degree in Computer Science,
and has nearly 10 years of professional experience in the information
technology industry, including private industry, government, not-for-profit
organizations and academia. Most recently, she was the Systems Manager for
the Faculty of Computer Science at Dalhousie University, where she developed
her interest in network and system security.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.


Use/Reuse Guidelines

CERIAS Seminar materials are intended for educational, non-commercial use only and any or all commercial use is prohibited. Any use must attribute "The CERIAS Seminar at Purdue University." Opinions expressed in the recordings are not necessarily representative of the views of CERIAS or of Purdue University.