this is my thesis presentation on Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection System using Snort

1. Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection
System using Snort
A
DISSERTATION
Presented
In partial fulfillment of the requirement for the award of degree of
MASTER OF TECHNOLOGY
IN
CYBER SECURITY
Submitted by
SATYENDRA KUMAR PATEL
(0901CS14MT30)
Under the supervision of
ABHILASH SONKER
Assistant Professor
Department of Computer Science & Engineering and Information Technology
Madhav Institute of Technology & Science, Gwalior (MP) - 474005
Session 2014-2016

2. Outlines
 Introduction to intrusion detection system
 Overview of Snort Tool
 Port scan technique
 Idle Stealth Port Scan
 Literature Review
 Problem Statement
 Proposed Work
 Experimental Setup and Results
 Conclusion and Future Work
 References
 List of Publications

3. Introduction to intrusion detection system
 An intrusion detection system (IDS) is an ad-hoc network security solution to
protect flawed in computer systems or network [1]. Intrusion detection system
works like a burglar alarm that goes off whenever someone to tampers with or
manages to get past other security mechanisms like authentication, authorization of
network.
 The major tasks of IDS are to collect data from a computer system, analyze these
data to find security relative events, and report the results to the administrator [2].
Figure 1: Typical Locations for an Intrusion Detection System

4. Methods of Intrusion Detection
• There are three ways to detect intruders in different categories:
 Signature based Detection Policy: In this technique predefine signature
matches the network traffic it sees against a list of attack signatures in a packet.
The main drawback of this policy is that, it look predefine signatures and therefore
it can miss newly developed attacks which may contain malicious activity. Properly
tuned signature detection IDS might be high on false negative, but can be low on
false positive [3].
 Anomaly based Detection Policy: It learns what “normal” traffic for your
network looks like and it has no predefine signature for match the packet trace and
will then alert you when it sees something abnormal. In this technique some time
anything new or something different might have the chance of being labelled as
abnormal traffic, so properly tuned anomaly detection IDS might be high on false
positive, but low on false negative [4].
 Hybrid Detection Policy: This technique is a combination of anomaly and
signature and takes the best features of both the techniques used for detection
purpose. This combined approach gives existence of single IDS for monitoring the
attacks in network [5].

5. Categories of Intrusion Detection System
• There are three categories to detect intruders-
 Host Intrusion Detection System (HIDS): A host-based intrusion detection
system (HIDS) is a system that monitors a computer system on which it is installed
to detect an intrusion, and responds by logging the activity and notifying the
designated authority.. Host based intrusion detection systems has ability to log
analysis, integrity management checking, detection of root kit and alerting [6].
 Network Intrusion Detection System (NIDS): A network-based IDS
(NIDS) analyzes packets coming across a network connection for data that look
like its part of an attack. NIDS analyze network traffic for attacks, using signature
or anomaly detection (or both). Its network interface card (NIC) runs in
promiscuous mode, which means that it captures all network traffic that goes by its
NIC, not just the traffic destined for the IDS system itself. [7].
 Distributed Intrusion Detection System(DIDS): Distributed Intrusion
Detection System (DIDS) is a combination of NIDS sensors and HIDS sensors, or
both, distributed across your organization, and they reporting to a central
correlation system. Attacks are logged either periodically or continuously that
generated on the sensors to the server station where they can be stored in a central
database [8].

6. Overview of Snort Tool
 Snort is an open source and freely available network based intrusion detection and
prevention system [9] (available at http:// www.snort.org/snort-downloads?). It can
analyze the packet in real-time traffic on any network. It analyzes protocol and also
has the ability to detect different type of attacks in network. Intrusion detection
process of snort based on rule, basically snort rule written by user apply to checks
against packet. Snort can be configured to run in following three modes:
 Sniffer mode simply reads the packets of the network and display packet detail
to user in a console (screen).
 Packet Logger mode used to logs the packets to disk in given format.
 Network Intrusion Detection System (NIDS) mode used to performs detection
and analysis of packet in real time network traffic and generate alert if any
suspicious activity found. This is the most complex and configurable mode.
 Components of Snort: Snort is basically divided into five components and
these components work together for every packet to detect particular attacks and to
generate alert and output in appropriate format from the detection system [10]. A
Snort-based Intrusion Detection System consists of the following major
components shows in figure.

7. Contd…
Figure 2: Components of Snort
Packet decoder: The packet decoder takes the Layer 2 data sent over from the packet
capture library and takes it apart. First it decodes the Data Link frame (such as
Ethernet, Token Ring, or 802.11), then the IP protocol, then the TCP or UDP packet.
When finished decoding, Snort has all the protocols information in all the right places
for further processing [11].
Preprocessors: These are components or plug-ins which performed after packet
decoder and it can be mixed with Snort to modify or arrange data packets to specific
protocol before those packets reach to the detection engine execute some operation to
find out if the packet is being used by an intruder and send it specific task.

8. Contd…
Detection engine: The detection engine is the heart of Snort. It takes information from
the packet decoder and preprocessors and operates on it at the transport and application
layers, comparing what’s in the packet to information in its rules-based detection plug-
in. These rules contain signatures for attacks [12].
Logging and Alerting System: Logging and altering system working depends on the
output phase of the detection engine. It used to log the activity and generate the alert
based on the previous component of snort.
Output Modules: Plug-ins of output modules are performed various operations for the
output generated by the logging and alerting system of Snort. Output modules are very
useful when we show the attacks in web based user interface using third party tools like
BASE, Snorby and SGUIL [13].
Snort Rules: Most intruder activity has some sort of signature like viruses. We create
Snort rules to detect intruders using information about these signatures [14]. Signatures
may be present in the payload or in the header parts of a packet. Snort’s network
intrusion detection system is based on rules and these rules are based on intruder
signatures. These rules can be used to check various parts of a data packet and rules
looks like as follows.
alert ip any any  any any (msg:“snort bad rule”;content:hello; sid:10000099;)
rule header rule option

9. Contd…
 Structure of a Rule: There are two logical sections in a rule, one is rule header
and other is rule options.
Figure 3: Basic Structures of Snort Rules
The rule header contains information about what action are taken by rule. It also
contains criteria for matching a rule against data packets.
Figure 4: Structure of Snort Rule Header
 The options part of rules also contains some additional criteria for matching a rule
against inspected data packets. A rule can be detected one type or multiple types of
intrusion activity in a network. An intelligent rule should be able to apply for
multiple intrusion signatures at a time [15].

10. Port scan technique
 Fundamentally, a port scan consists of sending the message to each port, one at a
time and the kind of acknowledgement received indicates what port is used and can
be used for attack [16].
 It would be considered direct probing in the field of network security. It allows an
attacker to determine which ports is open and what services are running on specific
machine [17].
 It can be also done for local and organizational network and it gives an idea to the
scanner where to probe for security weaknesses. Here we categorized port scanning
in two parts- Non Stealth scan and Stealth Scan
 Non Stealth Scan: These technique uses known TCP flag, it can be easily
detected by routers and firewalls and follow three way handshake process of port
scan [18].
Full Open Scan: This types of scan uses connect() method, it’s a system call provided by the
operating system to open a connection to a remote host. The TCP connect () uses the 3-way
handshake and will succeed if the port being scanned is listening, otherwise it will fail.
Half Open Scan: This is occurring when port scanning terminates before Completing the
three-way handshake process, as such, these scan method often go to unlogged by the
destination application.`

11. Contd…
 Stealth Scan: Any scan that bypassing filter, firewall, router and behaving as
casual network traffic are considered as stealth port scanning. Mostly used stealth
scan techniques are discussed here [19].
SYN/ACK Scan: It is relatively fast scan method that avoids the use of three way handshake.
In this scan type source sends a SYN with ACK flag to the target. For a closed port, the target
will replay with a RST packet (A TCP packet with reset flag set) while a request to an open
port will not generate a response.
FIN Scan: In the FIN scan, a packet is sent with just the FIN flag set. If the port is closed, the
host sends back a RST flag, whereas an open port simply ignores the packet and nothing is
returned to the client. Figure 7 (b) show the process of FIN (stealth) scan.
Figure 5: full Open Scan Figure 6: Half Open Scan

12. Contd…
XMAS Tree Scan: In XMAS tree scan source send 3 packet header flags together, which are the
FIN, URG (Urgent), and PSH (Push) to destination. In XMAS tree scan a closed port will
return a RST packet, whereas an open port will ignore the packet. This type of scan is very
similar to the FIN scan.
NULL Scan: The Null scan produces a reaction similar to the FIN and Xmas tree scans, but
differs in packet header flags [20]. It just sends a packet with no flag set. This again causes a
RST packet to be sent to the client if a port is closed, but is ignored if the port is open.
(a) (b) (c) (d)
Figure 7: (a) ACK/SYN Scan (b) FIN scan (c) Xmas Scan and (d) NULL Scan

13. Idle Stealth Port Scan
In order to find out which services are running on a specific host and can be
attacked without revealing his own IP address .The idle stealth scan (or zombie
scan) is a stealthy port scanning technique which allows an attacker to scan a target
machine ports without the need of sending a single IP packet containing his own IP
address directly to target. Instead he uses the IP address of a third host (zombie)
[21]. The zombie host also known as idle host for port scans. Effectively, an idle
port scan consists of three steps that are repeated for each port.
 Internet Protocol Identification (IP ID): In IPv4, the Identification (ID) field
is a 16-bit value that is unique for every datagram for a given source address,
destination address, and protocol, such that it does not repeat within the maximum
datagram lifetime [RFC6864]. The IPv4 ID field was originally intended for
fragmentation and reassembly.

14. Attacker Zombie Target
Step 1. Probe the zombie's IP ID and records it.
The attacker sends a SYN/ACK to zombie. The zombie not expecting SYN/ACK, send back a RST, disclosing it IP ID.
Step 2. Forge a SYN packet from the zombie.
The target sends a SYN/ACK to zombie in response to the SYN that appear to come from the zombie. The not
expecting it, send back a RST, incrementing it IP ID in the process [22].
Step 3. Probe the zombie IP ID again.
The zombie IP ID has increased by 2 since step 1, so the port is open.
Figure 8: Idle Stealth Port Scan for Open Port

15. Step 1. Probe the zombie's IP ID and records it.
The attacker sends a SYN/ACK to zombie. The zombie not expecting SYN/ACK, send back a RST, disclosing it IP
ID.
Step 2. Forge a SYN packet from the zombie.
The target sends a RST (the port is closed) in response to the SYN that appear to come from the zombie host. The
zombie ignores the unsolicited RST, leaving its IP ID unchanged.
Step 3. Probe the zombie IP ID again.
The zombie IP ID has increased by only 1 since step 1, so the port is not open.
Figure 9: Idle Stealth Port Scan for Closed Port

16. Literature Review
 Z. Jammes and M. Papadaki [23] this research explores the evasion technique
provided by Nmap, a Metasploit Framework and port scanner, an exploit launcher
against famous intrusion detection system named Snort. The result provided by this
approach tends to prove that Snort has the full ability to detect port scan and exploit
on condition to have a good configuration of pre-processor on Snort and signature
for the exploit. The only inconvenient with snort is that it requires knowledge of
rules and protocols and basic configuration requires some changes to be really
efficient.
 Wassim El-Hajj et al. [24, 25] In this work fuzzy logic controller is designed and
integrated with Snort tool in order to improve the functionality of port scanning
detection. Their results show that using fuzzy logic tends to the accuracy of
determining bad traffic in network. However, it gives a level of degree for each and
every type of port scanning attack. The aim behind integrating Snort with a
customized Fuzzy Logic controller is to better detection of port scanning and to
reduce the false positive and false negative alarms. The choice of using Fuzzy
Logic was based on two main reasons: (1) there is no clear boundaries exist
between normal and abnormal events, (2) fuzzy logic rules are helpful in smoothing
the abrupt separation of normal and abnormal events.

17. Contd…
 Jaekwang Kim and Jee-Hyong Lee [26] proposed a framework for abnormal traffic
control to detect slow port scan attacks using fuzzy rule set. The abnormal traffic
control framework work as an intrusion prevention system to malicious network
traffic. Technique manages traffic with a stepwise policy: under this approach first
decrease network bandwidth then discards their traffic. In this technique framework
for abnormal traffic control effectively detects and prevents slow port scan attacks
traffic using fuzzy rules and a stepwise policy. This approach has also an effect on
slow port scan attacks as well as normal port scan attacks.
 Jaeyeon Jung et al. [27] The theory of sequential hypothesis testing show that one
can model uses to local IP addresses as a random walk on one of the two stochastic
processes, to access the corresponding respectively patterns of benign remote hosts
and suspicious ones. Then detection problem becomes one of observing a distinct
path and inferring from it the mostly same classification for the remote host. They
use this insight to develop Threshold Random Walk (TRW), an online detection
approach that determines malicious remote hosts. After investigating traces from
two qualitatively different sites, they show that Threshold Random Walk requires
four or five number of connection attempts to detect suspicious activity compared
to previous methods, and also providing theoretical bounds on the low probabilities
of missed detection and false positive alarms.

18. Contd…
 Stuart staniford et al. [28] research begins with an analysis of the port scan
detection problem, and then introduces a novel technique named as Stealthy
Probing and Intrusion Correlation Engine (SPICE). Architecturally SPICE has two
kinds of components: one is anomaly sensor and another is correlator. The
anomaly sensor monitors the network and assigns an anomaly score to each event.
Sufficiently anomalous Events are passed along with their anomaly scores to the
spice correlator and this correlator combine event together and report scan. This
approach also maintains record of event likelihood from which we nearest the
anomalousness of the given packet. To clustering anomalous packet together for
port scanning uses heuristics developed from true scan researchers used simulated
annealing
 Rajni Ranjan Singh and Deepak Singh Tomar [29], proposed a system to detect
stealth port scanning attack which is carried out on the basis of forensic principles.
This research consist of two main modules, one is capturing module which captures
fine grained evidences from the network traffic and another is analysis module that
classifies each and every packet based on the predefined signature of packets. This
work presented a storage efficient capturing system that captures relevant packets
and an analysis system that perform precise classification of suspicious packets.
Snort rules are developed for the analysis of network traffic.

19. Problem Statement
 Some researchers used port scan detection techniques based on connection count to
detect attack which are used SYS flag in their packet that tend to false alarm due to
normal scan connection [27].
 In [29] researcher ignore SYN and RST flag but Idle scan used SYN and RST flag
during attack so it can not possible to detect this attack without using these flags.
 Adversary uses some technique of port scan to scan target machine without
revealing their own IP address that is called idle stealth port scan.
 They also used some method of port scan stealthy which is used by security expert
during penetration testing and use flags like SYN and RST to establish connection
which used in normal TCP connect() method .
 Generating huge amount of false positive and false negative alarm due to ping
activity.

20. Proposed Work
 Our proposed work divided in two parts. In the first part of our proposed work; we
used method first to improve the detection rate and efficiency of existing technique
using efficient port scan detection rules. In existing work researcher detect FIN,
XMAS and NULL stealth port scan attack.
 In second part of our work we proposed an internet protocol identification number
based network intrusion detection technique to detect idle stealth port scan attack
using snort. Internet protocol identification number is also known as IP ID which is
a part of IPv4 header present in packet data.
 Stealth Port Scan Attack Detection in Existing Work: Rules used by the
researcher in existing stealth port scan attack detection technique are not efficient
to detect stealth scan and they also used same SID for rule 2, 3, 4 and 5, which is
not a right way to write the rules.
1. Rule 1: alert tcp any any <> any any (msg:“scan detected”;flags:!RSA; sid: 7987659;)
2. Rule 2: alert tcp any any <> any any (msg: “ NULL Scan Detected”;flags:0;
sid: 7987660;)
3. Rule 3: alert tcp any any <> any any (msg: “ XMAS Scan Detected”;flags:FPU;
sid: 7987660;)
4. Rule 4: alert tcp any any <> any any (flags:*FPU; sid: 7987660;)
5. Rule 5: alert tcp any any <> any any (msg: “ FIN Scan Detected”;flags:!PU;
sid: 7987660;)

21. Contd…
 Stealth Port Scan Attack Detection in Proposed Work: In our proposed
technique to detect stealth port scan attack, we are applying some Efficient Port
Scan Detection Rules (EPSDR) to detect port scan attacks on real time network as
well pre-defined dataset which are useful to generate more number of alert compare
to existing rules when port scanning occur and our rules are look like as follows.
Method1: Using Efficient Port Scan Detection Rules
Rule 1: alert tcp any any <> any any (msg:"NULL Scan"; flags:0; sid : 1000001;)
Rule 2: alert tcp any any <> any any (msg:"XMAS attack"; flags:FPU;
sid:1000002;)
Rule 3: alert tcp any any <> any any (msg:"FIN Scan"; flags: F!PU;
sid: 1000003;)
Method2: Idle Stealth Port Scan Attack Detection (ISPSAD): To detect this
cleaver attack we proposed an IP ID and SYN, RST flag based detection algorithm
to detect idle stealth port scan attack. In our IP ID based technique we are using
two phases to detect the attack. First one is packet capturing and pre-processing and
another is analysis and detection phase.

22. Contd…
Packet Capturing and Pre-Processing Phase: In this phase our technique will identify the
significant packet for analysis and detection phase of idle scan attack.
1. If a captured packet contains TCP protocols then it will eligible for further process.
2. In captured TCP packet must have SYN or RST flags.
3. If in TCP packet IP ID available then
4. Mark the packet is significant for next phase otherwise insignificant packet and passes it.
 Following pseudo code represent the complete process of this phase.
 Variable used: Var: i, proto (pi), flag (pi) //where i is index value
 Input: Packet *p // Incoming packets
 Output: Packet *Significant_Packet_Array
1. Initialize: i: = 0, Significant_Packet_Array [p1,p2...pn]:=[0,0…0]
2. Repeat step 3 to step 7 while p != 0
3. Process incoming packet
4. if(proto(pi)=TCP) then go to step 5 else increment Index go to step 3
5. if(flag(pi)=SYN or RST) then go to 6 else increment Index go to step 3
6. if(GET_IPH_ID(pi)!=NULL) then go to step 7 else increment Index go to step 3
7. Significant_Packet_Array := pi/* add packet to array */ go to step 3
8. return Significant_Packet_Array

23. Contd…
Figure 10: Flow Chart of Packet Capturing and Preprocessing Phase

24. Contd...
Analysis and Detection Phase: After completing first phase of our proposed methodology we
have limited significant packet to this phase and we need to analyze only significant packet.
1. If TCP packet has SYN flag then store the packet destination IP address in array.
2. If TCP packet has RST flag but no destination IP address stored in array then drop the
packet because occurring RST without at least one SYN packet is useless. But if the
stored destination IP address contain any IP address then.
3. Check stored destination IP address is equal to destination IP address of current Packet, if
it is equal and IP ID field incremented by 2 then
4. Mark the packet as idle scan attack detected.
 Following pseudo code represent the complete process of analysis and detection phase.
 Variable used: Var: i, j, Pkt_Dst_Ip /* where I and j are index variable and Pkt_Dst_Ip
is an array to store packet destination IP*/
 Input: Significant_Packet_Array
 Output: Idle_Scan_Attack_Packet_Array
1. Initialize: i:=0, j:=0, Pkt_Dst_Ip:=NULL, Pkt_Ip_Id := NULL
Idle_Scan_Attack_Packet_Array p1,p2…pn]:=[0,0…0]
2. Repeat step 3 to 10 while Significant_Packet_Array!=0
3. if(flag(pi)=SYN) then go to step 4 else go to step 6

25. Contd...
4. Pkt_Dst_Ip[j]:= GET_DST_IP(pi)
5. Pkt_Ip_Id := GET_IPH_ID(pi)
6. if((flag(pi)=RST)&&( Pkt_Dst_Ip!=NULL)) then go to step 7 else go to step 3
7. Var: k=0 /* Initialize local variable for loop */
8. Repeat step 9 to 10 while k<=j /* for loop*/
9. if((Pkt_Dst_Ip[k]=GET_DST_IP(pi))&& (GET_IPH_ID(pi)=Pkt_Ip_Id+2)) then go to
10 else go to 3
10. Idle_Scan_Attack_Packet_Array = pi
11. return Idle_Scan_Attack_Packet_Array
 The following SNORT rules are used to generate the alarm for above idle stealth port
scan attack
1. Rule 1: activate tcp any any <> any any (msg:“Idle scan detected”; flags:S; exist-
ipid:!; activates:1;sid:10009011;)
2. Rule 2: dynamic tcp any any <> any any ( flags:R; exist-ipid:!;
activated_by:1;count:20;)
 Here “exist-ipid” is a new keyword used as detection plug-in in snort rules to generate
the alarm for IP_ID based idle stealth port scan attack. Functionality of “exist-ipid”
keyword is based on detection and analysis phase of our proposed technique.

26. Contd…
Figure 11: Flow Chart of Analysis and Detection Phase

27. Experimental Setup and Results
 Experimental Environment of Proposed Technique: Our implementation
is based on SNORT, an open source tools for Intrusion Detection and Prevention
System (IDS/IPS) and Nmap [7]. Nmap is very useful tool to perform port scan
attack in any machine using specific commands for particular scan. Command used
for idle scan is g
 Nmap -sI [zombie host] -Pn [target machine], where sI indicates for scan and
Idle respectively and Pn used to ignore the ping request during scan.
 In our testing scenario for scanner 1, host 192.168.1.1 is used as a zombie, host
192.168.1.8 used as target and host 192.168.1.9 used by attacker and for scanner 2,
host 192.168.1.1 is used as a zombie, host 192.168.1.9 used as target and host
192.168.1.8 used by attacker to perform idle stealth port scanning. Following figure
shows the scanned test topology and result respectively for idle scan attack in
Nmap.
Figure 12: Scan Test Topology Setup

28. Contd…
Figure 13: Result of Open Ports For Idle Scan using Nmap
 Results of Proposed and Existing Techniques: In this section, we evaluate
the performance of stealth port scan attack detection technique using Snort and
Nmap. We also perform the detection of idle stealth port scan attack using our
proposed technique. The results confirm that the number of generated alerts is
increasing and packet processing time is decreasing in proposed techniques. The
performance of Existing [29] technique is compare with efficient port scan
detection rule (ESPDR) technique and idle stealth port scan attack detection
(ISPSAD) technique.

29. Contd…
 Method 1: EPSDR based Technique
Result Analysis for Number of Generated Alerts: Proposed technique applying
three rules for same port scan attack and it detected more number of alerts compare
to existing. Figure 14 shows the number of generated alert in BASE [30].
Figure 14: Generated Alerts on BASE for Existing and EPSDR Technique
• In Table 1 comparison given on the bases of total number of detected attacks,
detected attacks percentage and number of unique source and destination IP
addresses for both existing and EPSDR technique.

30. Contd…
Table 1: Comparison between Existing and EPSDR Technique based on Source IP, Destination
IP and Total Number of Attacks
S.
No.
Total
Analyzed
TCP Packet
Port
Scanning
Method
Total
Stealth Port Scan
Attack Detected
No. Of
Source IP
Address
No. Of
Destination IP
Address
% Of Total
Detected
Attack
1. 90
Using
Existing
Technique
18 1 13 20
2. 90
Using
EPSDR
Technique
27 2 16 30
In Figure 15 clearly shows that proposed EPSDR technique detecting 10% more attacks
compare to existing technique for analyzed ninety TCP packets.
Figure 15: Detected attacks parentage of between existing and EPSDR technique

31. Contd…
 Analysis of Time Efficiency for TCP Packet: Reduction of rules is
beneficial to save the time of snort detection engine and detect the packet
efficiency. Table 2 shows the efficiency improvement for packet processing of
proposed technique compare to existing technique.
S. No. Number of TCP
packet processed
Processing time (second) Time difference between
existing and EPSDR
technique
Existing technique EPSDR technique
1 5000 21.612 21.570 .042
2 10000 38.781 38.666 .115
3 25000 113.681 112.980 .401
4 50000 120.488 119.487 1.001
In this table analysis we are taking same set of 5000, 10000, 25000 and 50000
TCP packets for both Existing and proposed technique and they produce the time
difference .042, .115, .401 and 1.001 second respectively. For 50000 TCP packet
Existing technique takes 120.488 and EPSDR takes 119.487 second and reducing
the time more than one second within two minutes.
Table 2: Comparison of Packet Processing Time between Existing and EPSDR Technique using Snort

32. Contd…
 Method 2: ISPSAD Technique: After designing detection plug-in for idle scan port
scan attack and using in SNORT tool, as a Network Intrusion Detection System, we have seen
it has the full ability to detect idle port scan attack and figure show the alerts for idle stealth
port scan attack in the console of Snort with its respective SID.
Figure 16: TCP Packet Processing Time of Existing and EPSDR Technique

33. Contd…
Figure 17: Alert Generated for Idle Stealth Port Scan Attack in Snort Console
Table 3: Comparison of Existing, EPSDR and ISPSAD Techniques for Number of
Detected Attack and Percentages of Detected Attacks
S. No. Total
No. of TCP
Packets
Analyzed
Port Scanning
Techniques
Total Detected
Port Scan
Attacks
% Of Total
Detected Port
Scan Attacks
1. 250
Existing 63 25.2
EPSDR 79 31.6
EPSDR+ ISPSAD 88 35.2
2. 560
Existing 218 38.9
EPSDR 241 43.03
EPSDR+ISPSAD 267 47.6

34. Contd…
• During packet capturing process in real time network, we perform the FIN,
XMUS, NULL and idle stealth port scan attack together in Nmap tool for both 250
and 560 packets set, but existing techniques are not able to detect idle stealth port
scan attack therefore generated alert for different attacks are less compare to our
proposed (ISPSAD) technique. In figure 18 shows percentage of detected attack for
Existing, EPSDR and ISPSAD technique.
Figure 18: Percentage of Detected Attacks for different Techniques

35. Conclusion and Future Work
 SNORT has full capability to detect port scan attacks, after using our detection
plug-in for idle port scan attack; we are able to detect idle stealth port scan attack in
real time network. Our proposed technique is useful to detect and generate the
alarm for idle port scan attack in snort with the help of SYN and RST flags. In the
result of proposed technique clearly show that generated alert percentage is better
compare to existing techniques because result of our technique also includes the
generated alert of idle scan attack.
 In our technique we used IP ID number to detect idle stealth port scan which is the
part of IPv4 header of TCP/IP. In future our purpose is to detect idle port scan
attack in IPv6 header which is not used IP ID field but idle port scan is possible in
IPv6 header of TCP/IP.

36. References
[1] Dorothy E. Denning “An Intrusion-Detection Model” IEEE Transactions On Software Engineering, Vol.
Se-13, No. 2, pp. 222-232, February 1987.
[2] Peyman Kabiri And Ali A. Ghorbani “Research On Intrusion Detection And Response: A Survey”
International Journal Of Network Security, Vol.1, No.2, Pp.84–102, Sep. 2005.
[3] Gordeev, Mikhail. "Intrusion Detection Techniques and Approaches." URL: http://www. infosys. tuwien.
ac. at/Teaching/Courses/AK2/vor99/t13 2004.
[4] Talasila Vamsidhar, Reddyboina Ashok And Rayalavenkat “ Intrusion Detection System For Web
Applications With Attack Classification” Journal Of Global Research In Computer Science Volume 3, No.
12, December 2012.
[5] Gómez, Julio, Consolación Gil, N. Padilla, Raul Baños, and C. Jiménez. "Design of a snort-based hybrid
intrusion detection system." In International Work-Conference on Artificial Neural Networks, Springer
Berlin Heidelberg, pp. 515-522, 2009.
[6] Hossein Jadidoleslamy “Weaknesses, Vulnerabilities And Elusion Strategies Against Intrusion Detection
Systems” International Journal Of Computer Science & Engineering Survey (Ijcses) Vol.3, No.4, August
2012.
[7] Bilal Maqbool Beigh, Uzair Bashir And Manzoor Chachoo “ Intrusion Detection And Prevention System:
Issues And Challenges” International Journal Of Computer Applications (0975 – 8887) Volume 76–
No.17, August 2013.
[8] Brennan, Michael P. "Using Snort For a Distributed Intrusion Detection System." SANS Institute, pp. 1-12,
2002.
[9] Manual, SNORT Users. "2.9. 0." The Snort Project (2011).
[10] Sharma, Sakshi, and Manish Dixit. "A Review on Network Intrusion Detection System Using Open
Source Snort." International Journal of Database Theory and Application 9, no. 4, 61-70, 2016.

37. Contd…
[11] Beale, Jay, Andrew R. Baker, and Joel Esler. Snort: IDS and IPS toolkit. Syngress.
[12] Snort 2.1 intrusion detection. Syngress, 2004.
[13] Koziol, Jack. Intrusion detection with Snort. Sams Publishing, 2003.
[14] Aickelin, Uwe, Jamie Twycross, and Thomas Hesketh-Roberts. "Rule generalisation in intrusion detection
systems using SNORT." International Journal of Electronic Security and Digital Forensics 1, no. 1, pp.
101-116, 2007.
[15] R. U. Rafeeq, “Intrusion detection systems with Snort: advanced IDS techniques using Snort, Apache,
MySQL, PHP, and ACID”, Prentice Hall Professional, 2003.
[16] Gates, Carrie. Co-ordinated port scans: a model, a detector and an evaluation methodology. Dalhousie
University, 2006.
[17] Donald L. Brinkley and Roger R. Schell. “What is there to worry about? an introduction to the computer
security problem” Information Security: An Integrated Collection of Essays, pp 11- 39, 1995.
[18] B. Claypool “Stealth Port Scanning Methods” Global Information Assurance Certification Paper – 2002.
[19] R. Christopher “Port Scanning Techniques and the Defence Against Them” SANS Institute InfoSec
Reading Room - 2001.
[20] S. K. Patel and A. Sonker “Rule-Based Network Intrusion Detection System for Port Scanning with
Efficient Port Scan Detection Rules Using Snort” International Journal of Future Generation
Communication and Network Vol. 9, No. 6, pp.339-350, 2016.
[21] Spijker, Roelof. "A Distributed Approach to Port Scan Detection." (2009).

38. Contd…
[22] Z. Durumeric, E. Wustrow and J.A. Halderman, “Nmap Network Scanning: The Official Nmap Project
Guide to Network Discovery and Security Scanning” Insecure, 2009
[23] Jammes, Z., and M. Papadaki. "Snort IDS Ability to Detect Nmap and Metasploit Framework Evasion
Techniques." Advances in Communications, Computing, Networks and Security Volume 10, 104, 2013.
[24] El. Hajj, Wassim, Hazem Hajj, Zouheir Trabelsi, and Fadi Aloul. "Updating snort with a customized
controller to thwart port scanning." Security and Communication Networks 4, no. 8, pp. 807-814, 2011.
[25] El-Hajj, Wassim, Fadi Aloul, Zouheir Trabelsi, and Nazar Zaki. "On detecting port scanning using fuzzy
based intrusion detection system." In IEEE International Wireless Communications and Mobile Computing
Conference, pp. 105-110, 2008.
[26] Kim, Jaekwang, and Jee-Hyong Lee. "A slow port scan attack detection mechanism based on fuzzy logic
and a stepwise p1olicy." In Intelligent Environments, IET 4th International Conference on, pp. 1-5, 2008.
[27] Jung, Jaeyeon, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan. "Fast portscan detection using
sequential hypothesis testing." In Security and Privacy, 2004. Proceedings. IEEE Symposium on, pp. 211-
225, 2004.
[28] Staniford, Stuart, James A. Hoagland, and Joseph M. McAlerney. "Practical automated detection of
stealthy portscans." Journal of Computer Security10, no. 1-2, pp. 105-136, 2002.
[29] R. R. Singh and D. S. Tomar “Network Forensics: Detection and Analysis of Stealth Port Scanning
Attack” International Journal of Computer Networks and Communications Security Vol. 3, N0o 2,
February 2015, 33–42.
[30] http://www.oracle.com/technetwork/systems/articles/snort-base-jsp-138895.html

39. List of Publications
1. Satyendra Kumar Patel and Abhilash Sonker “Rule-Based Network Intrusion
Detection System for Port Scanning with Efficient Port Scan Detection Rules Using
Snort” International Journal of Future Generation Communication and Network
Vol. 9, No. 6, pp.339-350, June 2016.
2. Satyendra Kumar Patel and Abhilash Sonker “Internet Protocol Identification
Number based Ideal Stealth Port Scan Detection using Snort” IEEE 8th
International
Conference on Computational Intelligence and Communication Networks (CICN)
2016. (In press)
3. Satyendra Kumar Patel and Abhilash Sonker “A Comparative Study of Current
Intrusion Detection System” 3rd
National conference on Advance in Information and
Communication Technology, FEB. 2016. (presented)
4. Satyendra Kumar Patel, Sakshi Sharma, Saumya Gupta and Rajeev Kumar Singh
“A Study Report on Social media- A place of cyber crimes” 2nd
National
Conference on Advance in Information and Communication Technology, FEB.
2015. (presented)

40. Any Question ?Any Question ?