Detector SherLOCK: Enhancing TRW with Bloom filters under memory and performance constraints

Abstract

Computer worms and bots are significant threats to large networks because they can spread very rapidly and are used for DDoS. The first phase of worms and bots begins by scanning vulnerable hosts. Missing on-going scanning activity can significantly deteriorate network performance. We propose a new scanning detection scheme, SherLOCK, based on the connection attempt success ratio. The proposed scheme can detect scanners with guaranteed false positive and false negative probabilities and with a limited memory size. Detection of scanners at high-speed links requires a high-speed memory and such memory devices are expensive and limited in size. We reduce the memory requirement by applying the Bloom filter, We show how slow scanner, can be detected with a guaranteed performance for a given offered traffic load and memory size. This study can help to design the system that satisfies the target performance requirement. The detection performance is guaranteed under the assumption that malicious scanners and benign hosts have distinct behaviors in terms of the connection success ratio. We extend the proposed detector with a sampling mechanism to detect more intelligent scanners with guaranteed performance. These include scanners that use a list of pre-acquired IP addresses. We evaluate the performance of the proposed scheme through experiment using well-known traffic traces. (C) 2008 Elsevier B.V. All rights reserved.