{"id":13365,"date":"2021-12-09T21:00:36","date_gmt":"2021-12-10T02:00:36","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13365"},"modified":"2021-12-09T21:00:36","modified_gmt":"2021-12-10T02:00:36","slug":"tr-11-08-revisiting-network-scanning-detection-using-sequential-hypothesis-testing","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2011\/tr-11-08-revisiting-network-scanning-detection-using-sequential-hypothesis-testing\/","title":{"rendered":"TR-11-08: Revisiting Network Scanning Detection Using Sequential Hypothesis Testing"},"content":{"rendered":"<p>Carleton University<br \/>\n<a href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2011\/\">Technical Report<\/a> TR-11-08<br \/>\nJune 30, 2011<\/p>\n<h2 class=\"tr_t1\">Revisiting Network Scanning Detection Using Sequential Hypothesis Testing<\/h2>\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">Mansour Alsaleh &amp; P.C. van Oorschot<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h3>Abstract<\/h3>\n<p>Network scanning is a common, effective technique to search for vulnerable Internet hosts and to explore the topology and trust relationships between hosts in a target network. Given that the purpose of scanning is searching for responsive hosts and network services, behaviour-based scanning detection techniques based on the state of inbound connection attempts remain effective against evasion. Many of today&#8217;s network environments, however, feature a dynamic and transient nature with several network hosts and services added or stopped (either permanently or temporarily) over time. 
In this paper, working with recent network traces from two different environments, we re-examine the TRW (Threshold Random Walk) scan detection algorithm and we show that the number of false positives is proportional to the transiency of the offered services. To address the limitations found, we present a modified algorithm (STRW) that utilizes active mapping of network services to take into account benign causes of failed connection attempts. STRW eliminates a significant portion of TRW false positives (e.g., 29% and 77% in two datasets studied).<\/p>\n<p><a href=\"https:\/\/carleton.ca\/scs\/wp-content\/uploads\/TR-11-08.pdf\">TR-11-08.pdf<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Carleton University Technical Report TR-11-08 June 30, 2011 Revisiting Network Scanning Detection Using Sequential Hypothesis Testing Mansour Alsaleh &amp; P.C. van Oorschot Abstract Network scanning is a common, effective technique to search for vulnerable Internet hosts and to explore the topology and trust relationships between hosts in a target network. 
Given that the purpose of [&hellip;]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":12489,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_mi_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"acf":{"banner_image_type":"none","banner_button":"no"},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13365"}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=13365"}],"version-history":[{"count":1,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13365\/revisions"}],"predecessor-version":[{"id":13366,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13365\/revisions\/13366"}],"up":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/12489"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=13365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}