Network scan detection with LQS: a lightweight, quick and stateful algorithm

Abstract

Network scanning reveals valuable information of accessible hosts over the Internet and their offered network services, which allows significant narrowing of potential targets to attack. Addressing and balancing a set of sometimes competing desirable properties is required to make network scanning detection more appealing in practice: 1) fast detection of scanning activity to enable prompt response by intrusion detection and prevention systems; 2) acceptable rate of false alarms, keeping in mind that false alarms may lead to legitimate traffic being penalized; 3) high detection rate with the ability to detect stealthy scanners; 4) efficient use of monitoring system resources; and 5) immunity to evasion. In this paper, we present a scanning detection algorithm designed to accommodate all of these goals. LQS is a fast, accurate, and light-weight scan detection algorithm that leverages the key properties of the monitored network environment as variables that affect how the scanning detection algorithm operates. We also present what is, to our knowledge, the first automated way to estimate a reference baseline in the absence of ground truth, for use as an evaluation methodology for scan detection. Using network traces from two sites, we evaluate LQS and compare its scan detection results with those obtained by the state-of-the-art TRW algorithm. Our empirical analysis shows significant improvements over TRW in all of these properties.