Novosibirsk State University Journal of Information Technologies
Scientic Journal

ISSN 2410-0420 (Online), ISSN 1818-7900 (Print)

Switch to

All Issues >> Contents: Volume 07, Issue No 4 (2009)

Scan detection in ip networks using sequential hypothesis testing
Sergei Vsevolodovich Bredikhin, Viktor Igorevich Kostin, Natalya Grigoryevna Shcherbakova

Institute of Computational Mathematics and Mathematical Geophysics SB RAS

UDC code: 004.415.532

The approaches to scan detection in IP networks are considered in the first part of the article. The information on the base methods used in the known intrusion detection systems Snort and Bro, and also applying of statistical models for anomalous traffic diagnostic is introduсed. The special attention is given to a method of the sequential analysis and to models that use this method for scan detection. The algorithm for scan detection in IP networks is introduced in the second part of the article. The algorithm is based on the method of sequential hypothesis testing by A. Wald. The results of algorithm approbation in the Internet SB RAS environement are given. The performance evaluations are presented and algorithm capabilities depending on the parameters values are investigated

Key Words
algorithm, models TRW and TAPS, sequential hypothesis testing by A. Wald, statistical methods, base systems Snort and Bro, address / port scanning, IP-based networks

How to cite:
Bredikhin S. V., Kostin V. I., Shcherbakova N. G. Scan detection in ip networks using sequential hypothesis testing // Vestnik NSU Series: Information Technologies. - 2009. - Volume 07, Issue No 4. - P. 15-35. - ISSN 1818-7900. (in Russian).

Full Text in Russian

Available in PDF

1. Gordon L. NMAP Network Scanning: The Official NMAP Project Guide to Network Discovery and Security Scanning. 2009. P. 468.
2. Staniford S., Hoagland J. A., McAlerney J. M. Practical Automated Detection of Stealthy Portscans // Journal of Computer Security. 2002. Vol. 10, is. 1–2. P. 105–136.
3. Niedermayer D. An Introduction to Bayesian Networks and their Contemporary Application. URL:
4. Kirkpatrick S., Gelatt C. D., Vecchi M. P. Optimization by Simulated Annealing // Science.
1983. Vol. 220. No. 4598. P. 671–680.
5. Jung J., Paxson V., Berger A. W., Balakrishnan H. Fast Portscan Detection Using Sequential Hypothesis Testing // Proceedings IEEE Symposium on Security and Privacy. 2004. P. 211–225.
6. Ertoz L., Eilertson E., Dokas P., Kumar V., Long K. Scan Detection – Revisited // Technical report AHPCRC 127, University of Minnesota – Twin Cities, 2004. P. 127.
7. Lekie C., Kotagiri R. A Probabilistic Approach to Detecting Network Scans // IEEE/IFIP Network Operations and Management Symposium (NOMS). 2002. P. 359–372.
8. Vald A. Posledovatelny analiz. M., 1960. C. 328.
9. Sridharan A., Ye T., Bhattacharyya S. Connectionless Port Scan Detection on the Backbone // IEEE International Performance, Computing and Communications Conference (IPCCC). 2006. P. 10–20.
10. Bredikhin S. V., Shcherbakova N. G. Dve komponenty analiza setevogo trafika // Vestn. Novosib. gos. un-ta. Seriya: Informatcionnyye tekhnologii. 2008. T. 6, vyp. 1. C. 10–14.
11. SPD SO RAN. Set peredachi dannykh Sibirskogo otdeleniya RAN // Informatcionnyye materialy nauchno-koordinatcionnogo soveta tcelevoi programmy «Informatcionnotelekommunikatcionnyye resursy SO RAN». Novosibirsk, 2005. C. 79.
12. Bredikhin S. V., Lyapunov V. M., Shcherbakova N. G. Analizator «setevoi pogody» // Vestn. Novosib. gos. un-ta. Seriya: Informatcionnyye tekhnologii. 2005. T. 2, vyp. 1. C. 62–67.
13. Simon G. J., Hui Xiong, Eilerton E., Kumar V. Scan Detection: A Data Mining Approach // Sixth SIAM International Conference on Data Mining. 2006. P. 118–129.
14. Ray-I Chang, Liang-Bin Lai , Wen-De Su, Jen-Chieh Wang, Jen-Shiang Kouh. Intrusion Detection by Backpropagation Neural Networks with Sample-Query and Attribute-Query // International Journal of Computational Intelligence Research. 2007. Vol. 3. No. 1. P. 6–10.
15. Wei Li. Using Genetic Algorithm for Network Intrusion Detection // Proceedings of the United States Department of Energy Cyber Security Group 2004 Training Conference, Kansas City, Kansas, May 24–27, 2004.
16. Visconti A., Fusi N, Tahayori H. Intrusion Detection via Artificial Immune System: A Performance-based Approach // IFIP International Federation for Information Processing. 2008. Vol. 268. P. 125–135.

Publication information
Main title Vestnik NSU Series: Information Technologies, Volume 07, Issue No 4 (2009).
Parallel title: Novosibirsk State University Journal of Information Technologies Volume 07, Issue No 4 (2009).

Key title: Vestnik Novosibirskogo gosudarstvennogo universiteta. Seriâ: Informacionnye tehnologii
Abbreviated key title: Vestn. Novosib. Gos. Univ., Ser.: Inf. Tehnol.
Variant title: Vestnik NGU. Seriâ: Informacionnye tehnologii

Year of Publication: 2009
ISSN: 1818-7900 (Print), ISSN 2410-0420 (Online)
Publisher: Novosibirsk State University Press
DSpace handle

|Home Page| |All Issues| |Information for Authors| |Journal Boards| |Ethical principles| |Editorial Policy| |Contact Information| |Old Site in Russian|
© 2006-2017, Novosibirsk State University.