
Page 1: Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection System using Snort

Detection of Idle Stealth Port Scan Attack in Network Intrusion Detection System using Snort

A DISSERTATION

Presented in partial fulfillment of the requirement for the award of the degree of

MASTER OF TECHNOLOGY IN

CYBER SECURITY

Submitted by SATYENDRA KUMAR PATEL

(0901CS14MT30)

Under the supervision of ABHILASH SONKER

Assistant Professor

Department of Computer Science & Engineering and Information Technology, Madhav Institute of Technology & Science, Gwalior (MP) - 474005

Session 2014-2016

Page 2

Outlines

Introduction to intrusion detection system
Overview of Snort Tool
Port scan technique
Idle Stealth Port Scan
Literature Review
Problem Statement
Proposed Work
Experimental Setup and Results
Conclusion and Future Work
References
List of Publications

Page 3

Introduction to intrusion detection system

An intrusion detection system (IDS) is an ad-hoc network security solution that protects computer systems or networks that have flaws [1]. An intrusion detection system works like a burglar alarm that goes off whenever someone tampers with, or manages to get past, the other security mechanisms of the network, such as authentication and authorization.

The major tasks of an IDS are to collect data from a computer system, analyze these data to find security-relevant events, and report the results to the administrator [2].

Figure 1: Typical Locations for an Intrusion Detection System

Page 4

Methods of Intrusion Detection

• There are three ways to detect intruders, in different categories:

Signature based Detection Policy: In this technique the IDS matches the network traffic it sees against a list of predefined attack signatures in a packet. The main drawback of this policy is that it looks only for predefined signatures, and can therefore miss newly developed attacks that contain malicious activity. A properly tuned signature detection IDS might be high on false negatives, but can be low on false positives [3].

Anomaly based Detection Policy: It learns what "normal" traffic for your network looks like; it has no predefined signature to match the packet trace against, and it alerts you when it sees something abnormal. In this technique anything new or different sometimes has a chance of being labelled as abnormal traffic, so a properly tuned anomaly detection IDS might be high on false positives, but low on false negatives [4].

Hybrid Detection Policy: This technique is a combination of anomaly and signature detection and takes the best features of both techniques for detection. This combined approach gives a single IDS for monitoring attacks in the network [5].

Page 5

Categories of Intrusion Detection System

• There are three categories of system to detect intruders:

Host Intrusion Detection System (HIDS): A host-based intrusion detection system (HIDS) monitors the computer system on which it is installed to detect an intrusion, and responds by logging the activity and notifying the designated authority. Host based intrusion detection systems have the ability to perform log analysis, integrity checking, rootkit detection and alerting [6].

Network Intrusion Detection System (NIDS): A network-based IDS (NIDS) analyzes packets coming across a network connection for data that looks like part of an attack. A NIDS analyzes network traffic for attacks using signature or anomaly detection (or both). Its network interface card (NIC) runs in promiscuous mode, which means that it captures all network traffic that goes by its NIC, not just the traffic destined for the IDS system itself [7].

Distributed Intrusion Detection System (DIDS): A distributed intrusion detection system (DIDS) is a combination of NIDS sensors, HIDS sensors, or both, distributed across your organization and reporting to a central correlation system. Attacks logged on the sensors are sent, either periodically or continuously, to the server station, where they can be stored in a central database [8].

Page 6

Overview of Snort Tool

Snort is an open source and freely available network based intrusion detection and prevention system [9] (available at http://www.snort.org/snort-downloads?). It can analyze packets in real-time traffic on any network. It analyzes protocols and also has the ability to detect different types of attacks in the network. The intrusion detection process of Snort is rule based: rules written by the user are applied as checks against each packet. Snort can be configured to run in the following three modes:

Sniffer mode simply reads the packets from the network and displays the packet details to the user in a console (screen).

Packet Logger mode logs the packets to disk in a given format.

Network Intrusion Detection System (NIDS) mode performs detection and analysis of packets in real time network traffic and generates an alert if any suspicious activity is found. This is the most complex and configurable mode.

Components of Snort: Snort is basically divided into five components, and these components work together for every packet to detect particular attacks and to generate alerts and output in the appropriate format from the detection system [10]. A Snort-based Intrusion Detection System consists of the major components shown in the figure.

Page 7

Contd…

Figure 2: Components of Snort

Packet decoder: The packet decoder takes the Layer 2 data sent over from the packet capture library and takes it apart. First it decodes the Data Link frame (such as Ethernet, Token Ring, or 802.11), then the IP protocol, then the TCP or UDP packet. When finished decoding, Snort has all the protocol information in all the right places for further processing [11].

Preprocessors: These are components or plug-ins that run after the packet decoder. They can be combined with Snort to modify or arrange data packets for a specific protocol before those packets reach the detection engine, and they perform some operations to find out whether the packet is being used by an intruder before sending it on for its specific task.

Page 8

Contd…

Detection engine: The detection engine is the heart of Snort. It takes information from the packet decoder and preprocessors and operates on it at the transport and application layers, comparing what is in the packet to the information in its rules-based detection plug-in. These rules contain signatures for attacks [12].

Logging and Alerting System: The logging and alerting system works on the output of the detection engine. It is used to log the activity and generate the alert based on the previous components of Snort.

Output Modules: Output module plug-ins perform various operations on the output generated by the logging and alerting system of Snort. Output modules are very useful when we show the attacks in a web based user interface using third party tools like BASE, Snorby and SGUIL [13].

Snort Rules: Most intruder activity has some sort of signature, like viruses. We create Snort rules to detect intruders using information about these signatures [14]. Signatures may be present in the payload or in the header parts of a packet. Snort's network intrusion detection system is based on rules, and these rules are based on intruder signatures. These rules can be used to check various parts of a data packet, and a rule looks as follows:

alert ip any any -> any any (msg:"snort bad rule"; content:"hello"; sid:10000099;)

The part before the parentheses is the rule header and the part inside the parentheses is the rule options.

Page 9

Contd…

Structure of a Rule: There are two logical sections in a rule: the rule header and the rule options.

Figure 3: Basic Structure of Snort Rules

The rule header contains information about what action is taken by the rule. It also contains the criteria for matching the rule against data packets.

Figure 4: Structure of Snort Rule Header

The options part of a rule also contains additional criteria for matching the rule against inspected data packets. A rule can detect one type or multiple types of intrusion activity in a network. An intelligent rule should be able to apply to multiple intrusion signatures at a time [15].

Page 10

Port scan technique

Fundamentally, a port scan consists of sending a message to each port, one at a time; the kind of acknowledgement received indicates whether the port is in use and can be used for an attack [16].

It would be considered direct probing in the field of network security. It allows an attacker to determine which ports are open and what services are running on a specific machine [17].

It can also be done on a local or organizational network, and it gives the scanner an idea of where to probe for security weaknesses. Here we categorize port scanning into two parts: Non Stealth Scan and Stealth Scan.

Non Stealth Scan: These techniques use known TCP flags, can be easily detected by routers and firewalls, and follow the three way handshake process [18].

Full Open Scan: This type of scan uses the connect() method, a system call provided by the operating system to open a connection to a remote host. The TCP connect() uses the 3-way handshake and will succeed if the port being scanned is listening, otherwise it will fail.

Half Open Scan: This occurs when port scanning terminates before completing the three-way handshake process; as such, these scan methods often go unlogged by the destination application.

Page 11

Contd…

Stealth Scan: Any scan that bypasses filters, firewalls and routers and behaves like casual network traffic is considered a stealth port scan. The most used stealth scan techniques are discussed here [19].

SYN/ACK Scan: It is a relatively fast scan method that avoids the use of the three way handshake. In this scan type the source sends a SYN with the ACK flag to the target. For a closed port, the target will reply with a RST packet (a TCP packet with the reset flag set), while a request to an open port will not generate a response.

FIN Scan: In the FIN scan, a packet is sent with just the FIN flag set. If the port is closed, the host sends back a RST flag, whereas an open port simply ignores the packet and nothing is returned to the client. Figure 7 (b) shows the process of the FIN (stealth) scan.

Figure 5: Full Open Scan

Figure 6: Half Open Scan

Page 12

Contd…

XMAS Tree Scan: In the XMAS tree scan the source sends a packet with 3 header flags set together, FIN, URG (Urgent) and PSH (Push), to the destination. In the XMAS tree scan a closed port will return a RST packet, whereas an open port will ignore the packet. This type of scan is very similar to the FIN scan.

NULL Scan: The Null scan produces a reaction similar to the FIN and Xmas tree scans, but differs in the packet header flags [20]. It just sends a packet with no flag set. This again causes a RST packet to be sent to the client if a port is closed, but is ignored if the port is open.

Figure 7: (a) ACK/SYN Scan (b) FIN Scan (c) Xmas Scan and (d) NULL Scan

Page 13

Idle Stealth Port Scan

The idle stealth scan (or zombie scan) is a stealthy port scanning technique that allows an attacker to find out which services are running on a specific host, and can be attacked, without revealing his own IP address: he scans the target machine's ports without sending a single IP packet containing his own IP address directly to the target. Instead he uses the IP address of a third host (the zombie) [21]. The zombie host is also known as the idle host for port scans. Effectively, an idle port scan consists of three steps that are repeated for each port.

Internet Protocol Identification (IP ID): In IPv4, the Identification (ID) field is a 16-bit value that is unique for every datagram for a given source address, destination address, and protocol, such that it does not repeat within the maximum datagram lifetime [RFC6864]. The IPv4 ID field was originally intended for fragmentation and reassembly.

Page 14

Figure 8 lanes: Attacker, Zombie, Target

Step 1. Probe the zombie's IP ID and record it.

The attacker sends a SYN/ACK to the zombie. The zombie, not expecting the SYN/ACK, sends back a RST, disclosing its IP ID.

Step 2. Forge a SYN packet from the zombie.

The target sends a SYN/ACK to the zombie in response to the SYN that appears to come from the zombie. The zombie, not expecting it, sends back a RST, incrementing its IP ID in the process [22].

Step 3. Probe the zombie's IP ID again.

The zombie's IP ID has increased by 2 since step 1, so the port is open.

Figure 8: Idle Stealth Port Scan for Open Port

Page 15

Step 1. Probe the zombie's IP ID and record it.

The attacker sends a SYN/ACK to the zombie. The zombie, not expecting the SYN/ACK, sends back a RST, disclosing its IP ID.

Step 2. Forge a SYN packet from the zombie.

The target sends a RST (the port is closed) in response to the SYN that appears to come from the zombie host. The zombie ignores the unsolicited RST, leaving its IP ID unchanged.

Step 3. Probe the zombie's IP ID again.

The zombie's IP ID has increased by only 1 since step 1, so the port is not open.

Figure 9: Idle Stealth Port Scan for Closed Port

Page 16

Literature Review

Z. Jammes and M. Papadaki [23]: this research explores the evasion techniques provided by Nmap, a port scanner, and the Metasploit Framework, an exploit launcher, against the well known intrusion detection system Snort. The results of this approach tend to prove that Snort has the full ability to detect port scans and exploits, on condition that the preprocessors in Snort are well configured and a signature exists for the exploit. The only inconvenience with Snort is that it requires knowledge of rules and protocols, and the basic configuration requires some changes to be really efficient.

Wassim El-Hajj et al. [24, 25]: In this work a fuzzy logic controller is designed and integrated with the Snort tool in order to improve the functionality of port scanning detection. Their results show that using fuzzy logic improves the accuracy of determining bad traffic in the network. Moreover, it gives a degree for each and every type of port scanning attack. The aim behind integrating Snort with a customized fuzzy logic controller is better detection of port scanning and a reduction of false positive and false negative alarms. The choice of fuzzy logic was based on two main reasons: (1) no clear boundaries exist between normal and abnormal events, and (2) fuzzy logic rules are helpful in smoothing the abrupt separation of normal and abnormal events.

Page 17

Contd…

Jaekwang Kim and Jee-Hyong Lee [26] proposed a framework for abnormal traffic control to detect slow port scan attacks using a fuzzy rule set. The abnormal traffic control framework works as an intrusion prevention system against malicious network traffic. The technique manages traffic with a stepwise policy: under this approach it first decreases the network bandwidth of the traffic and then discards it. In this technique the framework for abnormal traffic control effectively detects and prevents slow port scan attack traffic using fuzzy rules and a stepwise policy. This approach is effective on slow port scan attacks as well as normal port scan attacks.

Jaeyeon Jung et al. [27]: Using the theory of sequential hypothesis testing, they show that one can model accesses to local IP addresses as a random walk on one of two stochastic processes, corresponding respectively to the access patterns of benign remote hosts and suspicious ones. The detection problem then becomes one of observing a particular path and inferring from it the most likely classification for the remote host. They use this insight to develop Threshold Random Walk (TRW), an online detection algorithm that identifies malicious remote hosts. After investigating traces from two qualitatively different sites, they show that Threshold Random Walk requires only four or five connection attempts to detect suspicious activity, compared to previous methods, while also providing theoretical bounds on the low probabilities of missed detection and false alarms.

Page 18

Contd…

Stuart Staniford et al. [28]: the research begins with an analysis of the port scan detection problem, and then introduces a novel technique named the Stealthy Probing and Intrusion Correlation Engine (SPICE). Architecturally SPICE has two kinds of components: an anomaly sensor and a correlator. The anomaly sensor monitors the network and assigns an anomaly score to each event. Sufficiently anomalous events are passed along with their anomaly scores to the SPICE correlator, which combines events together and reports scans. This approach also maintains a record of event likelihoods, from which the anomalousness of a given packet is approximated. To cluster anomalous packets together for port scanning, the researchers used simulated annealing with heuristics developed from true scans.

Rajni Ranjan Singh and Deepak Singh Tomar [29] proposed a system to detect stealth port scanning attacks that is carried out on the basis of forensic principles. This research consists of two main modules: a capturing module, which captures fine grained evidence from the network traffic, and an analysis module, which classifies each and every packet based on predefined packet signatures. This work presented a storage efficient capturing system that captures relevant packets and an analysis system that performs precise classification of suspicious packets. Snort rules are developed for the analysis of network traffic.

Page 19

Problem Statement

Some researchers used port scan detection techniques based on connection counts to detect attacks that use the SYN flag in their packets; these tend to raise false alarms on normal scan connections [27].

In [29] the researchers ignore the SYN and RST flags, but the idle scan uses the SYN and RST flags during the attack, so it is not possible to detect this attack without using these flags.

An adversary uses some port scan technique to scan the target machine without revealing their own IP address; this is called the idle stealth port scan.

They also use some stealthy port scan methods, which are used by security experts during penetration testing, and use flags like SYN and RST to establish connections, as used in the normal TCP connect() method.

Huge amounts of false positive and false negative alarms are generated due to ping activity.

Page 20

Proposed Work

Our proposed work is divided into two parts. In the first part of our proposed work we use a first method to improve the detection rate and efficiency of the existing technique using efficient port scan detection rules. In the existing work the researchers detect the FIN, XMAS and NULL stealth port scan attacks.

In the second part of our work we propose an internet protocol identification number based network intrusion detection technique to detect the idle stealth port scan attack using Snort. The internet protocol identification number is also known as the IP ID; it is a part of the IPv4 header present in the packet data.

Stealth Port Scan Attack Detection in Existing Work: The rules used by the researchers in the existing stealth port scan attack detection technique are not efficient at detecting stealth scans, and they also use the same SID for rules 2, 3, 4 and 5, which is not the right way to write rules.

1. Rule 1: alert tcp any any <> any any (msg:"scan detected"; flags:!RSA; sid:7987659;)
2. Rule 2: alert tcp any any <> any any (msg:"NULL Scan Detected"; flags:0; sid:7987660;)
3. Rule 3: alert tcp any any <> any any (msg:"XMAS Scan Detected"; flags:FPU; sid:7987660;)
4. Rule 4: alert tcp any any <> any any (flags:*FPU; sid:7987660;)
5. Rule 5: alert tcp any any <> any any (msg:"FIN Scan Detected"; flags:!PU; sid:7987660;)
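The two logical sections of a rule (Page 9) and the duplicate SID problem noted above can both be checked mechanically. The following is an added example, not code from the dissertation: a small parser that splits a single-line Snort rule into its header and its options, and a check that reports any SID shared by more than one rule. The five existing rules are transcribed from this page with straight quotes and the line continuations removed; the parser handles only the option forms those rules use.

```python
import re

# Added example (not the dissertation's code): split a Snort rule into its two
# logical sections, the header (action, protocol, addresses, ports, direction)
# and the options in parentheses, then look for SIDs reused across rules.

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)


def parse_rule(text):
    """Return {'header': {...}, 'options': {...}} for one single-line Snort rule.

    Options are split on ';'. A value containing an escaped or quoted ';' is not
    handled; that is enough for the flag-based rules on this page.
    """
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    header = {k: v for k, v in m.groupdict().items() if k != "body"}
    options = {}
    for raw in m.group("body").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        if ":" in raw:
            key, value = raw.split(":", 1)
            options[key.strip()] = value.strip().strip('"').strip()
        else:
            options[raw] = True  # bare option such as 'nocase'
    return {"header": header, "options": options}


def duplicate_sids(rule_texts):
    """Map each SID that appears in more than one rule to the number of rules using it."""
    counts = {}
    for text in rule_texts:
        sid = parse_rule(text)["options"].get("sid")
        counts[sid] = counts.get(sid, 0) + 1
    return {sid: n for sid, n in counts.items() if sid is not None and n > 1}


# The five rules of the existing technique, transcribed from the page with
# straight quotes and the line continuations removed.
EXISTING_RULES = [
    'alert tcp any any <> any any (msg:"scan detected"; flags:!RSA; sid:7987659;)',
    'alert tcp any any <> any any (msg:"NULL Scan Detected"; flags:0; sid:7987660;)',
    'alert tcp any any <> any any (msg:"XMAS Scan Detected"; flags:FPU; sid:7987660;)',
    'alert tcp any any <> any any (flags:*FPU; sid:7987660;)',
    'alert tcp any any <> any any (msg:"FIN Scan Detected"; flags:!PU; sid:7987660;)',
]

if __name__ == "__main__":
    for text in EXISTING_RULES:
        r = parse_rule(text)
        print(r["header"]["proto"], r["header"]["direction"], r["options"])
    print("reused SIDs:", duplicate_sids(EXISTING_RULES))
```

Run as a script it lists the parsed header and options of each rule and reports that SID 7987660 is used by four rules, which is the observation made above: Snort identifies an alert by its SID, so four different detections sharing one SID cannot be told apart in the alert log.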

Page 21

Contd…

Stealth Port Scan Attack Detection in Proposed Work: In our proposed technique to detect stealth port scan attacks, we apply Efficient Port Scan Detection Rules (EPSDR) to detect port scan attacks on a real time network as well as on a pre-defined dataset; these generate a larger number of alerts than the existing rules when port scanning occurs. Our rules look as follows.

Method 1: Using Efficient Port Scan Detection Rules

Rule 1: alert tcp any any <> any any (msg:"NULL Scan"; flags:0; sid:1000001;)
Rule 2: alert tcp any any <> any any (msg:"XMAS attack"; flags:FPU; sid:1000002;)
Rule 3: alert tcp any any <> any any (msg:"FIN Scan"; flags:F!PU; sid:1000003;)
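What distinguishes the EPSDR rules from the existing ones is how precisely their flags tests describe the scan packets of Pages 11 and 12. The following is an added example, not code from the dissertation: it implements the documented forms of Snort's flags option (an exact set, 0 for no flags, and the +, * and ! modifiers) and runs the existing rule set of Page 20 and the EPSDR rules above over constructed packets, three ordinary TCP segments and one of each stealth scan type. EPSDR Rule 3 is written above as flags:F!PU, which is not one of the documented forms; it is read here as an exact FIN match, and that reading is an assumption.

```python
# Added example, not the dissertation's code. It evaluates the `flags` option of
# the existing rules (Page 20) and the EPSDR rules against constructed TCP
# packets, following the documented semantics of Snort's flags modifiers:
# an unmodified list is an exact match, `0` means no flags set, `+` matches the
# listed bits plus any others, `*` matches if any listed bit is set, and `!`
# matches if none of the listed bits is set.

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flag_bits(letters):
    """Turn 'FPU' into its bit mask; '0' (and '') mean no flags."""
    return 0 if letters == "0" else sum(FLAG_BITS[c] for c in letters)


def flags_match(spec, pkt):
    """Does a Snort `flags:<spec>` test accept a packet with flag mask `pkt`?"""
    spec = spec.replace(" ", "")
    mod = spec[0] if spec[:1] in ("+", "*", "!") else ""
    want = flag_bits(spec[len(mod):])
    if mod == "+":
        return pkt & want == want
    if mod == "*":
        return pkt & want != 0
    if mod == "!":
        return pkt & want == 0
    return pkt == want


# (msg, flags spec) pairs transcribed from the page's rule sets.
EXISTING_RULES = [
    ("scan detected", "!RSA"),
    ("NULL Scan Detected", "0"),
    ("XMAS Scan Detected", "FPU"),
    ("<rule 4, no msg>", "*FPU"),
    ("FIN Scan Detected", "!PU"),
]
# EPSDR rule 3 is written on the page as `flags:F!PU`, which is not one of the
# documented forms; it is read here as an exact FIN match (an assumption).
EPSDR_RULES = [
    ("NULL Scan", "0"),
    ("XMAS attack", "FPU"),
    ("FIN Scan", "F"),
]

# Constructed packets: three from ordinary TCP traffic and one for each stealth
# scan type described on Pages 11-12.
CONSTRUCTED_PACKETS = {
    "benign SYN": flag_bits("S"),
    "benign SYN/ACK": flag_bits("SA"),
    "benign data PSH/ACK": flag_bits("PA"),
    "NULL scan": flag_bits("0"),
    "XMAS scan": flag_bits("FPU"),
    "FIN scan": flag_bits("F"),
}


def evaluate(rules, packets=CONSTRUCTED_PACKETS):
    """Return {packet name: [msg of every rule whose flags test matched]}."""
    return {name: [msg for msg, spec in rules if flags_match(spec, bits)]
            for name, bits in packets.items()}


def benign_alert_count(rules, packets=CONSTRUCTED_PACKETS):
    """Alerts raised on packets labelled benign, i.e. false positives."""
    return sum(len(hits) for name, hits in evaluate(rules, packets).items()
               if name.startswith("benign"))


if __name__ == "__main__":
    for label, rules in (("existing", EXISTING_RULES), ("EPSDR", EPSDR_RULES)):
        print(label, evaluate(rules), "false positives:", benign_alert_count(rules))
```

The existing Rule 5 test, flags:!PU, accepts every packet in which neither PSH nor URG is set, so it labels an ordinary SYN or SYN/ACK as a FIN scan, and Rule 4's flags:*FPU fires on any data segment carrying PSH; the EPSDR rules match exact flag sets and raise nothing on the three benign packets. That is the precision point behind calling the existing rules inefficient.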

Method 2: Idle Stealth Port Scan Attack Detection (ISPSAD): To detect this clever attack we propose an IP ID and SYN, RST flag based detection algorithm to detect the idle stealth port scan attack. In our IP ID based technique we use two phases to detect the attack: the first is packet capturing and pre-processing, and the second is the analysis and detection phase.

Page 22

Contd…

Packet Capturing and Pre-Processing Phase: In this phase our technique identifies the significant packets for the analysis and detection phase of the idle scan attack.

1. If a captured packet carries the TCP protocol then it is eligible for further processing.
2. The captured TCP packet must have the SYN or RST flag.
3. If the IP ID is available in the TCP packet then
4. mark the packet as significant for the next phase; otherwise the packet is insignificant and is passed over.

The following pseudo code represents the complete process of this phase.

Variables used: i, proto(pi), flag(pi) // where i is the index value
Input: Packet *p // incoming packets
Output: Packet *Significant_Packet_Array

1. Initialize: i := 0, Significant_Packet_Array[p1, p2 ... pn] := [0, 0 ... 0]
2. Repeat steps 3 to 7 while p != 0
3. Process incoming packet pi
4. if (proto(pi) = TCP) then go to step 5 else increment i and go to step 3
5. if (flag(pi) = SYN or RST) then go to step 6 else increment i and go to step 3
6. if (GET_IPH_ID(pi) != NULL) then go to step 7 else increment i and go to step 3
7. Significant_Packet_Array := Significant_Packet_Array + pi /* add packet to array */, increment i and go to step 3
8. return Significant_Packet_Array

Page 23

Contd…

Figure 10: Flow Chart of Packet Capturing and Preprocessing Phase

Page 24

Contd...

Analysis and Detection Phase: After completing the first phase of our proposed methodology we have a limited set of significant packets for this phase, and we need to analyze only the significant packets.

1. If a TCP packet has the SYN flag then store the packet's destination IP address in an array.
2. If a TCP packet has the RST flag but no destination IP address is stored in the array then drop the packet, because an RST without at least one preceding SYN packet is useless. But if the stored destination IP addresses contain any IP address then
3. check whether a stored destination IP address is equal to the destination IP address of the current packet; if it is equal and the IP ID field has incremented by 2 then
4. mark the packet as an idle scan attack detected.

The following pseudo code represents the complete process of the analysis and detection phase.

Variables used: i, j, Pkt_Dst_Ip, Pkt_Ip_Id /* where i and j are index variables, Pkt_Dst_Ip is an array to store packet destination IPs and Pkt_Ip_Id stores the IP ID of the stored SYN packet */
Input: Significant_Packet_Array
Output: Idle_Scan_Attack_Packet_Array

1. Initialize: i := 0, j := 0, Pkt_Dst_Ip := NULL, Pkt_Ip_Id := NULL, Idle_Scan_Attack_Packet_Array[p1, p2 ... pn] := [0, 0 ... 0]
2. Repeat steps 3 to 10 for each pi while Significant_Packet_Array != 0
3. if (flag(pi) = SYN) then go to step 4 else go to step 6

Page 25

Contd...

4. Pkt_Dst_Ip[j] := GET_DST_IP(pi)
5. Pkt_Ip_Id := GET_IPH_ID(pi), increment j
6. if ((flag(pi) = RST) && (Pkt_Dst_Ip != NULL)) then go to step 7 else increment i and go to step 3
7. Var: k := 0 /* initialize local variable for loop */
8. Repeat steps 9 to 10 while k < j /* for loop */
9. if ((Pkt_Dst_Ip[k] = GET_DST_IP(pi)) && (GET_IPH_ID(pi) = Pkt_Ip_Id + 2)) then go to step 10 else increment k and go to step 8
10. Idle_Scan_Attack_Packet_Array := Idle_Scan_Attack_Packet_Array + pi, increment i and go to step 3
11. return Idle_Scan_Attack_Packet_Array
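The two phases above can be run end to end on a handful of packets to see which branch each one takes. The following is an added example, not the dissertation's code: a direct implementation of the pre-processing phase (Page 22) and the analysis and detection phase (Pages 24 and 25) over a constructed packet stream. Packets are plain dictionaries carrying the fields the pseudocode reads (proto, flags, dst, ipid); the host addresses reuse the roles of the test topology on Page 27, but the stream is shaped to exercise each condition of the algorithm and is not a real capture. The only addition to the pseudocode is that the +2 comparison wraps modulo 2^16, since the IP ID is a 16-bit field (Page 13).

```python
# Added example, not the dissertation's code: the two phases of the ISPSAD
# pseudocode, run over a constructed packet stream. Packets are dicts with the
# fields the pseudocode reads (proto, flags, dst, ipid). The stream is shaped
# to exercise each branch of the algorithm; it is not a real capture.

SYN, RST = "SYN", "RST"
IPID_MODULUS = 1 << 16  # the IP ID is a 16-bit field, so "+2" can wrap around


def capture_and_preprocess(packets):
    """Phase 1: keep TCP packets that carry SYN or RST and have an IP ID."""
    significant = []
    for p in packets:
        if p.get("proto") != "TCP":          # step 4: not TCP, skip
            continue
        if not (p["flags"] & {SYN, RST}):    # step 5: neither SYN nor RST, skip
            continue
        if p.get("ipid") is None:            # step 6: no IP ID available, skip
            continue
        significant.append(p)                # step 7: significant packet
    return significant


def analyze_and_detect(significant):
    """Phase 2: remember the destination and IP ID of every SYN; an RST whose
    destination matches a remembered SYN and whose IP ID is that SYN's IP ID + 2
    is marked as idle scan traffic."""
    remembered = []   # Pkt_Dst_Ip[j] and Pkt_Ip_Id, kept together as pairs
    detected = []     # Idle_Scan_Attack_Packet_Array
    for p in significant:
        if SYN in p["flags"]:                                # steps 3-5
            remembered.append((p["dst"], p["ipid"]))
            continue  # a packet with both SYN and RST set is malformed; not treated as an RST
        if RST in p["flags"] and remembered:                 # step 6
            for dst, ipid in remembered:                     # steps 7-9
                if dst == p["dst"] and p["ipid"] == (ipid + 2) % IPID_MODULUS:
                    detected.append(p)                       # step 10
                    break
    return detected


def run_detection(packets):
    """Both phases in sequence; returns the packets marked as idle scan."""
    return analyze_and_detect(capture_and_preprocess(packets))


def constructed_capture():
    """Constructed stream using the host roles of the page's test topology
    (192.168.1.1 zombie, 192.168.1.8 target, 192.168.1.9 attacker)."""
    def tcp(dst, flags, ipid):
        return {"proto": "TCP", "dst": dst, "flags": set(flags), "ipid": ipid}
    return [
        {"proto": "UDP", "dst": "192.168.1.1", "flags": set(), "ipid": 7},  # not TCP
        tcp("192.168.1.1", {"ACK"}, 50),          # TCP but neither SYN nor RST
        tcp("192.168.1.1", {RST}, 9),             # RST before any SYN: ignored
        tcp("192.168.1.1", {SYN, "ACK"}, 3100),   # SYN/ACK probe towards the zombie
        tcp("192.168.1.5", {RST}, 3102),          # +2 but to a different host
        tcp("192.168.1.1", {RST}, 3101),          # same host, only +1
        tcp("192.168.1.1", {RST}, 3102),          # same host, +2: detected
        tcp("192.168.1.8", {SYN}, None),          # no IP ID: dropped in phase 1
        tcp("192.168.1.8", {SYN}, 65535),         # IP ID at the top of the range
        tcp("192.168.1.8", {RST}, 1),             # 65535 + 2 wraps to 1: detected
    ]


if __name__ == "__main__":
    stream = constructed_capture()
    print(len(capture_and_preprocess(stream)), "significant packets")
    print("idle scan packets:", [(p["dst"], p["ipid"]) for p in run_detection(stream)])
```

Of the ten constructed packets seven survive the first phase and two are marked in the second, the RST to 192.168.1.1 with IP ID 3102 and the RST to 192.168.1.8 whose IP ID wrapped to 1. The decision is per packet, exactly as in the pseudocode; the pair of Snort rules that follows turns it into an alarm only after the dynamic rule has counted enough matching RSTs.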

The following Snort rules are used to generate the alarm for the above idle stealth port scan attack.

1. Rule 1: activate tcp any any <> any any (msg:"Idle scan detected"; flags:S; exist-ipid:!; activates:1; sid:10009011;)
2. Rule 2: dynamic tcp any any <> any any (flags:R; exist-ipid:!; activated_by:1; count:20;)

Here "exist-ipid" is a new keyword used as a detection plug-in in Snort rules to generate the alarm for the IP ID based idle stealth port scan attack. The functionality of the "exist-ipid" keyword is based on the analysis and detection phase of our proposed technique.

Page 26

Contd…

Figure 11: Flow Chart of Analysis and Detection Phase

Page 27

Experimental Setup and Results

Experimental Environment of Proposed Technique: Our implementation is based on SNORT, an open source tool for Intrusion Detection and Prevention (IDS/IPS), and Nmap [7]. Nmap is a very useful tool to perform a port scan attack on any machine using specific commands for particular scans. The command used for the idle scan is

nmap -sI [zombie host] -Pn [target machine]

where -sI indicates scan and Idle respectively, and -Pn is used to skip the ping probe during the scan.

In our testing scenario, for scanner 1, host 192.168.1.1 is used as the zombie, host 192.168.1.8 as the target and host 192.168.1.9 by the attacker; for scanner 2, host 192.168.1.1 is used as the zombie, host 192.168.1.9 as the target and host 192.168.1.8 by the attacker, to perform idle stealth port scanning. The following figures show the scan test topology and the result of the idle scan attack in Nmap respectively.

Figure 12: Scan Test Topology Setup

Page 28

Contd…

Figure 13: Result of Open Ports for Idle Scan using Nmap

Results of Proposed and Existing Techniques: In this section, we evaluate the performance of the stealth port scan attack detection technique using Snort and Nmap. We also perform the detection of the idle stealth port scan attack using our proposed technique. The results confirm that the number of generated alerts increases and the packet processing time decreases in the proposed techniques. The performance of the Existing [29] technique is compared with the efficient port scan detection rules (EPSDR) technique and the idle stealth port scan attack detection (ISPSAD) technique.

Page 29

Contd…

Method 1: EPSDR based Technique

Result Analysis for Number of Generated Alerts: The proposed technique applies three rules for the same port scan attacks, and it detects a larger number of alerts compared to the existing technique. Figure 14 shows the number of generated alerts in BASE [30].

Figure 14: Generated Alerts on BASE for Existing and EPSDR Technique

• In Table 1 a comparison is given on the basis of the total number of detected attacks, the percentage of detected attacks, and the number of unique source and destination IP addresses for both the existing and the EPSDR technique.

Page 30

Contd…

Table 1: Comparison between Existing and EPSDR Technique based on Source IP, Destination IP and Total Number of Attacks

S. No. | Total Analyzed TCP Packets | Port Scanning Method | Total Stealth Port Scan Attacks Detected | No. of Source IP Addresses | No. of Destination IP Addresses | % of Total Detected Attacks
1. | 90 | Using Existing Technique | 18 | 1 | 13 | 20
2. | 90 | Using EPSDR Technique | 27 | 2 | 16 | 30

Figure 15 clearly shows that the proposed EPSDR technique detects 10% more attacks compared to the existing technique for the ninety analyzed TCP packets.

Figure 15: Detected attack percentage for the existing and EPSDR technique

Page 31

Contd…

Analysis of Time Efficiency for TCP Packets: Reducing the number of rules is beneficial to save the time of the Snort detection engine and to process packets efficiently. Table 2 shows the efficiency improvement in packet processing of the proposed technique compared to the existing technique.

Table 2: Comparison of Packet Processing Time between Existing and EPSDR Technique using Snort

S. No. | Number of TCP packets processed | Processing time (seconds), Existing technique | Processing time (seconds), EPSDR technique | Time difference between existing and EPSDR technique (seconds)
1 | 5000 | 21.612 | 21.570 | 0.042
2 | 10000 | 38.781 | 38.666 | 0.115
3 | 25000 | 113.681 | 112.980 | 0.401
4 | 50000 | 120.488 | 119.487 | 1.001

In this table analysis we take the same sets of 5000, 10000, 25000 and 50000 TCP packets for both the existing and the proposed technique, and they produce time differences of 0.042, 0.115, 0.401 and 1.001 seconds respectively. For 50000 TCP packets the existing technique takes 120.488 seconds and EPSDR takes 119.487 seconds, reducing the time by more than one second within two minutes.

Page 32

Contd…

Method 2: ISPSAD Technique: After designing the detection plug-in for the idle port scan attack and using it in the SNORT tool as a Network Intrusion Detection System, we have seen that it has the full ability to detect the idle port scan attack; the figure shows the alerts for the idle stealth port scan attack in the Snort console with their respective SID.

Figure 16: TCP Packet Processing Time of Existing and EPSDR Technique


Figure 17: Alert Generated for Idle Stealth Port Scan Attack in Snort Console

Table 3: Comparison of Existing, EPSDR and ISPSAD Techniques by Number and Percentage of Detected Attacks

S. No. | Total TCP packets analyzed | Detection technique | Total detected port scan attacks | % of total detected port scan attacks
1 | 250 | Existing | 63 | 25.2
  |     | EPSDR | 79 | 31.6
  |     | EPSDR + ISPSAD | 88 | 35.2
2 | 560 | Existing | 218 | 38.9
  |     | EPSDR | 241 | 43.03
  |     | EPSDR + ISPSAD | 267 | 47.6


• During real-time packet capture we launched FIN, Xmas, NULL and idle stealth port scans together with Nmap for both the 250- and 560-packet sets. The existing rules cannot detect the idle stealth port scan, so they generate fewer alerts than our proposed (ISPSAD) technique. Because all four scans are launched deliberately, these percentages measure coverage of known scan traffic; the false positive rate is not measured here. Figure 18 shows the percentage of detected attacks for the Existing, EPSDR and ISPSAD techniques.

Figure 18: Percentage of Detected Attacks for different Techniques


Conclusion and Future Work

Snort can already detect port scan attacks; with our detection plug-in for the idle port scan loaded, it also detects idle stealth port scans on a live network. The proposed technique detects the idle port scan and raises an alarm in Snort using the SYN and RST flags. The results show a higher percentage of generated alerts than the existing techniques because the alerts of the proposed technique also include those for the idle scan.

Our technique uses the IP Identification (IP ID) number, a field of the IPv4 header, to detect the idle stealth port scan. Future work is to detect the idle port scan over IPv6: the IPv6 base header has no Identification field (it appears only in the Fragment extension header), but an idle port scan is still possible over IPv6.
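The detection logic described above and in the ISPSAD paragraph (an idle scan recognized from the zombie's unsolicited SYN/ACK and RST exchanges and from its IP ID counter), as an added Python example. It is not the dissertation's Snort plug-in and not Snort code. It assumes the sensor sees both the attacker's probes of the zombie and the zombie's traffic with the target (for example a sensor on the zombie's LAN segment) and that the zombie keeps one global, incrementing IPv4 Identification counter, which is exactly what an idle scan needs from its zombie. The Pkt record, detect_idle_scan, IPID_SLACK and the trace (hosts 10.0.0.5/20/30, ports and IP IDs) are constructed for the example.

```python
"""Idle (zombie) scan detector over a packet trace.

Added example; not the dissertation's Snort plug-in and not Snort code.
Assumes the sensor sees the attacker's IP-ID probes of the zombie as well as
the zombie's traffic with the target, and that the zombie uses one global,
incrementing IPv4 Identification counter.
"""
from collections import defaultdict
from dataclasses import dataclass

# A genuine packet from a global-counter host advances its IP-ID by a few units
# between packets the sensor sees; a larger jump on a SYN that claims that
# source is treated as spoofing evidence. Threshold chosen for the example.
IPID_SLACK = 8


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters: S=SYN, A=ACK, R=RST, e.g. "SA"
    ipid: int   # IPv4 Identification field


def detect_idle_scan(packets):
    """Return one alert dict per (attacker probe round, scanned target port)."""
    syns = set()                     # (src, dst, sport, dport) of SYNs credited to their source
    last_id = {}                     # host -> IP-ID of the last packet genuinely sent by it
    unsolicited = {}                 # (replier, peer) -> peer port of a SYN/ACK no SYN asked for
    rst_replies = defaultdict(list)  # zombie -> [(index, peer, peer_port, ipid)]
    spoofed = defaultdict(list)      # claimed source -> [(index, dst, dport)]

    for i, p in enumerate(packets):
        if p.flags == "S" and p.src in rst_replies:
            # Only hosts that already answered an unsolicited SYN/ACK with RST are
            # candidate zombies, and only for them is a sequential IP-ID expected;
            # random-IP-ID stacks (modern Linux) must not be judged by this test.
            step = (p.ipid - last_id[p.src]) & 0xFFFF  # 16-bit counter, may wrap
            if not 0 < step <= IPID_SLACK:
                spoofed[p.src].append((i, p.dst, p.dport))
                continue  # a forged packet must not advance the zombie's counter
        last_id[p.src] = p.ipid
        if p.flags == "S":
            syns.add((p.src, p.dst, p.sport, p.dport))
        elif p.flags == "SA":
            # SYN/ACK with no matching SYN from its recipient: either the attacker
            # probing the zombie's counter, or the target answering a spoofed SYN.
            if (p.dst, p.src, p.dport, p.sport) not in syns:
                unsolicited[(p.dst, p.src)] = p.sport
        elif "R" in p.flags:
            port = unsolicited.pop((p.src, p.dst), None)
            if port is not None:  # RST bounced back at an unsolicited SYN/ACK
                rst_replies[p.src].append((i, p.dst, port, p.ipid))

    alerts = []
    for zombie, replies in rst_replies.items():
        for attacker in sorted({r[1] for r in replies}):
            probes = [r for r in replies if r[1] == attacker]
            # One unsolicited SYN/ACK could be a stale connection; a counter probe repeats.
            for (i0, _, _, id0), (i1, _, _, id1) in zip(probes, probes[1:]):
                delta = (id1 - id0) & 0xFFFF
                # Targets the zombie "scanned" in this round: SYNs forged in its name ...
                targets = {(d, port) for (j, d, port) in spoofed[zombie] if i0 < j < i1}
                # ... and hosts whose SYN/ACK it bounced (only an open port produces one).
                bounced = {(r[1], r[2]) for r in replies if i0 < r[0] < i1 and r[1] != attacker}
                for target, port in sorted(targets | bounced):
                    is_open = (target, port) in bounced and delta >= 2
                    alerts.append({
                        "attacker": attacker, "zombie": zombie, "target": target,
                        "port": port, "ipid_delta": delta,
                        "state": "open" if is_open else "closed|filtered",
                    })
    return alerts


# Constructed trace for the example (addresses, ports and IP-IDs are invented).
ATTACKER, ZOMBIE, TARGET = "10.0.0.5", "10.0.0.20", "10.0.0.30"
TRACE = [
    Pkt(ATTACKER, ZOMBIE, 40000, 80, "SA", 501),   # attacker probes the zombie's IP-ID
    Pkt(ZOMBIE, ATTACKER, 80, 40000, "R", 1000),   # zombie RSTs: counter reads 1000
    Pkt(ZOMBIE, TARGET, 40001, 22, "S", 4242),     # attacker's SYN forged from the zombie
    Pkt(TARGET, ZOMBIE, 22, 40001, "SA", 7001),    # port 22 open: target SYN/ACKs the zombie
    Pkt(ZOMBIE, TARGET, 40001, 22, "R", 1001),     # zombie bounces it, counter -> 1001
    Pkt(ATTACKER, ZOMBIE, 40000, 80, "SA", 502),   # attacker probes again
    Pkt(ZOMBIE, ATTACKER, 80, 40000, "R", 1002),   # delta 2 since last probe: 22 is open
    Pkt(ZOMBIE, TARGET, 40002, 23, "S", 4243),     # forged SYN to port 23
    Pkt(TARGET, ZOMBIE, 23, 40002, "RA", 7002),    # port 23 closed: target RSTs, zombie silent
    Pkt(ATTACKER, ZOMBIE, 40000, 80, "SA", 503),
    Pkt(ZOMBIE, ATTACKER, 80, 40000, "R", 1003),   # delta 1: 23 is closed or filtered
]
# A normal handshake started by the zombie itself, which must not alert.
BENIGN = [
    Pkt(ZOMBIE, TARGET, 5000, 80, "S", 1),
    Pkt(TARGET, ZOMBIE, 80, 5000, "SA", 9),
    Pkt(ZOMBIE, TARGET, 5000, 80, "A", 2),
]

if __name__ == "__main__":
    for alert in detect_idle_scan(TRACE):
        print(alert)
```

The alert names the attacker, not the zombie, which is the point of tracking the probes: a plain SYN-scan rule would blame the zombie, whose address is the only one on the forged SYNs. The spoof test is applied only to hosts that have already behaved like a zombie, because a host with per-destination or random IP IDs would otherwise produce false positives on every SYN it sends.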


References

[1] D. E. Denning, "An Intrusion-Detection Model," IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, pp. 222-232, February 1987.
[2] P. Kabiri and A. A. Ghorbani, "Research on Intrusion Detection and Response: A Survey," International Journal of Network Security, Vol. 1, No. 2, pp. 84-102, September 2005.
[3] M. Gordeev, "Intrusion Detection Techniques and Approaches," http://www.infosys.tuwien.ac.at/Teaching/Courses/AK2/vor99/t13, 2004.
[4] T. Vamsidhar, R. Ashok and Rayalavenkat, "Intrusion Detection System for Web Applications with Attack Classification," Journal of Global Research in Computer Science, Vol. 3, No. 12, December 2012.
[5] J. Gómez, C. Gil, N. Padilla, R. Baños and C. Jiménez, "Design of a Snort-based Hybrid Intrusion Detection System," International Work-Conference on Artificial Neural Networks, Springer Berlin Heidelberg, pp. 515-522, 2009.
[6] H. Jadidoleslamy, "Weaknesses, Vulnerabilities and Elusion Strategies Against Intrusion Detection Systems," International Journal of Computer Science & Engineering Survey (IJCSES), Vol. 3, No. 4, August 2012.
[7] B. M. Beigh, U. Bashir and M. Chachoo, "Intrusion Detection and Prevention System: Issues and Challenges," International Journal of Computer Applications (0975-8887), Vol. 76, No. 17, August 2013.
[8] M. P. Brennan, "Using Snort for a Distributed Intrusion Detection System," SANS Institute, pp. 1-12, 2002.
[9] The Snort Project, "Snort Users Manual 2.9.0," 2011.
[10] S. Sharma and M. Dixit, "A Review on Network Intrusion Detection System Using Open Source Snort," International Journal of Database Theory and Application, Vol. 9, No. 4, pp. 61-70, 2016.
[11] J. Beale, A. R. Baker and J. Esler, Snort: IDS and IPS Toolkit, Syngress, 2007.
[12] Snort 2.1 Intrusion Detection, Syngress, 2004.
[13] J. Koziol, Intrusion Detection with Snort, Sams Publishing, 2003.
[14] U. Aickelin, J. Twycross and T. Hesketh-Roberts, "Rule Generalisation in Intrusion Detection Systems Using SNORT," International Journal of Electronic Security and Digital Forensics, Vol. 1, No. 1, pp. 101-116, 2007.
[15] R. U. Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID, Prentice Hall Professional, 2003.
[16] C. Gates, Co-ordinated Port Scans: A Model, a Detector and an Evaluation Methodology, Dalhousie University, 2006.
[17] D. L. Brinkley and R. R. Schell, "What Is There to Worry About? An Introduction to the Computer Security Problem," Information Security: An Integrated Collection of Essays, pp. 11-39, 1995.
[18] B. Claypool, "Stealth Port Scanning Methods," Global Information Assurance Certification Paper, 2002.
[19] R. Christopher, "Port Scanning Techniques and the Defence Against Them," SANS Institute InfoSec Reading Room, 2001.
[20] S. K. Patel and A. Sonker, "Rule-Based Network Intrusion Detection System for Port Scanning with Efficient Port Scan Detection Rules Using Snort," International Journal of Future Generation Communication and Network, Vol. 9, No. 6, pp. 339-350, 2016.
[21] R. Spijker, "A Distributed Approach to Port Scan Detection," 2009.
[22] G. F. Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, Insecure, 2009.
[23] Z. Jammes and M. Papadaki, "Snort IDS Ability to Detect Nmap and Metasploit Framework Evasion Techniques," Advances in Communications, Computing, Networks and Security, Vol. 10, p. 104, 2013.
[24] W. El-Hajj, H. Hajj, Z. Trabelsi and F. Aloul, "Updating Snort with a Customized Controller to Thwart Port Scanning," Security and Communication Networks, Vol. 4, No. 8, pp. 807-814, 2011.
[25] W. El-Hajj, F. Aloul, Z. Trabelsi and N. Zaki, "On Detecting Port Scanning Using Fuzzy Based Intrusion Detection System," IEEE International Wireless Communications and Mobile Computing Conference, pp. 105-110, 2008.
[26] J. Kim and J.-H. Lee, "A Slow Port Scan Attack Detection Mechanism Based on Fuzzy Logic and a Stepwise Policy," IET 4th International Conference on Intelligent Environments, pp. 1-5, 2008.
[27] J. Jung, V. Paxson, A. W. Berger and H. Balakrishnan, "Fast Portscan Detection Using Sequential Hypothesis Testing," Proceedings of the IEEE Symposium on Security and Privacy, pp. 211-225, 2004.
[28] S. Staniford, J. A. Hoagland and J. M. McAlerney, "Practical Automated Detection of Stealthy Portscans," Journal of Computer Security, Vol. 10, No. 1-2, pp. 105-136, 2002.
[29] R. R. Singh and D. S. Tomar, "Network Forensics: Detection and Analysis of Stealth Port Scanning Attack," International Journal of Computer Networks and Communications Security, Vol. 3, No. 2, pp. 33-42, February 2015.
[30] http://www.oracle.com/technetwork/systems/articles/snort-base-jsp-138895.html


List of Publications

1. Satyendra Kumar Patel and Abhilash Sonker “Rule-Based Network Intrusion Detection System for Port Scanning with Efficient Port Scan Detection Rules Using Snort” International Journal of Future Generation Communication and Network Vol. 9, No. 6, pp.339-350, June 2016. 

2. Satyendra Kumar Patel and Abhilash Sonker “Internet Protocol Identification Number based Ideal Stealth Port Scan Detection using Snort” IEEE 8th International Conference on Computational Intelligence and Communication Networks (CICN) 2016. (In press)

3. Satyendra Kumar Patel and Abhilash Sonker “A Comparative Study of Current Intrusion Detection System” 3rd National conference on Advance in Information and Communication Technology, FEB. 2016. (presented)

4. Satyendra Kumar Patel, Sakshi Sharma, Saumya Gupta and Rajeev Kumar Singh “A Study Report on Social media- A place of cyber crimes” 2nd National Conference on Advance in Information and Communication Technology, FEB. 2015. (presented)
