My Master Thesis: Slow Port Scanning with Bro

Abstract

Today’s society relies on computer networks. More and more data of vital importance are transmitted over them each day. Because of that, networks have become an interesting target for attackers, from ordinary criminals to foreign organizations and states. This has forced equipment providers and network administrators to make computer networks more robust. To this end, various countermeasures against cyber attacks are deployed. One of the most commonly used is the Intrusion Detection System (IDS). These systems are capable of classifying network traffic into several categories according to traffic features determined in advance. The most basic classification they perform is into two classes – benign traffic and malicious traffic.

The classification methods that IDSs implement differ, but classic pattern/signature matching and statistical parametric decision making are used very often. According to the intrusion detection model, IDSs fall into two categories: misuse detection systems and anomaly detection systems. Misuse detection systems use a database of known attacks and report when they recognize the signatures of known attacks in the incoming traffic. Anomaly detection systems define profiles of normal host/network behavior and report deviations from those profiles.

This thesis concentrates on methods for detecting a special kind of reconnaissance activity in computer networks – so-called port scanning, which tries to determine which services are active on a target host. In addition, the scans considered are slow – that is, the time delay between scanning two ports is relatively long, from several minutes to several days. The IDS of particular interest in this context is Bro – an open-source system that detects intrusions by semantic, highly stateful traffic analysis. This system also has advanced protocol detection capabilities. It can be configured as either a misuse or an anomaly detection system, or even as a combination of both at the same time. As such, it has attracted much attention from the scientific community in recent years. The goal of the thesis is to develop a method for slow port scanning detection with Bro and to compare the capabilities of the new method with slow port scanning detection methods applied in other IDSs, especially in the presence of noise.
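The reason slow scans are hard to catch is that a detector which only remembers a few minutes of history sees each probe in isolation. The following Python block is an added illustration of that point, written for this page; it is not code from the thesis and not Bro's own scan detection logic. It parses a handful of constructed conn.log-style records (made-up addresses and timestamps), counts the distinct destination ports each source has touched on each target within a sliding time window, and raises an alert when that count reaches a threshold. Running the same records through a short window and a long window shows how the window length decides whether a scanner probing one port every two hours is detected at all; the threshold and window values are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed conn.log-style lines, tab-separated: ts, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, proto, conn_state. The values are made up for this example.
# 10.0.0.5 is an ordinary client hitting 80/443; 198.51.100.7 probes a new port
# every two hours (7200 s), i.e. a slow scan.
SAMPLE_CONN_LOG = """\
1700000000.0\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\tSF
1700000120.0\t10.0.0.5\t51001\t192.0.2.10\t443\ttcp\tSF
1700000000.0\t198.51.100.7\t40000\t192.0.2.10\t21\ttcp\tREJ
1700007200.0\t198.51.100.7\t40001\t192.0.2.10\t22\ttcp\tREJ
1700014400.0\t198.51.100.7\t40002\t192.0.2.10\t23\ttcp\tREJ
1700021600.0\t198.51.100.7\t40003\t192.0.2.10\t25\ttcp\tREJ
1700028800.0\t198.51.100.7\t40004\t192.0.2.10\t80\ttcp\tSF
1700036000.0\t198.51.100.7\t40005\t192.0.2.10\t110\ttcp\tREJ
1700043200.0\t198.51.100.7\t40006\t192.0.2.10\t143\ttcp\tREJ
1700000300.0\t10.0.0.5\t51002\t192.0.2.10\t80\ttcp\tSF
"""


def parse_conn_log(text):
    """Parse tab-separated records into dicts and sort them by timestamp."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto, state = line.split("\t")
        records.append({
            "ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
            "resp_p": int(resp_p), "proto": proto, "state": state,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def detect_slow_scans(records, window, threshold):
    """Sliding-window distinct-port counter (an assumed, simplified method).

    For every (source, target) pair, keep the probes seen in the last `window`
    seconds and alert the first time they cover at least `threshold` distinct
    destination ports. Returns a list of alert dicts.
    """
    history = defaultdict(deque)  # (orig_h, resp_h) -> deque of (ts, port)
    alerted = set()
    alerts = []
    for r in records:
        key = (r["orig_h"], r["resp_h"])
        probes = history[key]
        probes.append((r["ts"], r["resp_p"]))
        # Expire probes that fell out of the window; with a short window a slow
        # scanner's earlier probes are forgotten before the next one arrives.
        while probes and r["ts"] - probes[0][0] > window:
            probes.popleft()
        ports = {p for _, p in probes}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ts": r["ts"], "orig_h": key[0],
                           "resp_h": key[1], "ports": sorted(ports)})
    return alerts


def run_example():
    """Compare a 5-minute window with a 24-hour window on the same records."""
    records = parse_conn_log(SAMPLE_CONN_LOG)
    short = detect_slow_scans(records, window=5 * 60, threshold=5)
    long_ = detect_slow_scans(records, window=24 * 3600, threshold=5)
    return {"short_window_alerts": short, "long_window_alerts": long_}


if __name__ == "__main__":
    for name, alerts in run_example().items():
        print(name, alerts)
```

The short window produces no alert because each two-hour-spaced probe is the only one in memory when it arrives, while the 24-hour window accumulates the probes and fires on the fifth distinct port. The price of the longer window is state: a real deployment has to bound how many (source, target) pairs it remembers, which is exactly where noise and memory pressure become the practical problem for slow-scan detection.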

Link to my study: Master in Information Security – Gjøvik University College