Litcius/Paper detail

A Comprehensive Detection Approach of Nmap: Principles, Rules and Experiments

Si Yan Liao, Chenming Zhou, Yonghui Zhao, Zhiyu Zhang, Chengwei Zhang, Yayu Gao, Guohui Zhong

202037 citationsDOI

Abstract

Recently, network attacks have occurred frequently, causing confidential data to be stolen. The first step for hackers to conduct attacks is information collection. In this stage, Nmap is one of the most widely used scanning tools to obtain information from the target host. The obtained information can be further analyzed to assist in the subsequent attack. Therefore, it is necessary to find an efficient way to detect Nmap scanning behavior. ET OPEN is a rule set widely used by the intrusion detection system (IDS) to protect hosts from malicious penetration. The Nmap detection rate is 58.3% with ET OPEN rules, but it becomes 8.3% when facing IDS evasion. Due to the low detection rate of ET OPEN, we propose the Comprehensive Nmap Detection Rules (CNDR). CNDR can detect the Nmap scanning behaviors precisely and efficiently. In the CNDR, Nmap's customizable fields are removed, and rules for operating system scanning are added. CNDR achieves 100% detection rate of normal Nmap scanning and 91.7% detection accuracy of Nmap with IDS evasion on our designed dataset. The result shows CNDR is robust even facing customized scanning and is superior to ET OPEN.

Topics & Concepts

Intrusion detection systemComputer scienceHackerData miningComputer securityNetwork Security and Intrusion DetectionAdvanced Malware Detection TechniquesInternet Traffic Analysis and Secure E-voting