

Please write a survey paper (make sure it is a survey paper, not just a normal paper) that discusses the issue, and it should contain more than one solution. I will attach one paper that should be used and added to the references; in addition, please add at least 4 more references that are from IEEE or an equivalent academic source. Please share those 4 additional references with me as PDFs so I can add them to the end note when I submit the paper.

2017 IEEE Dynamics of Systems, Mechanisms and Maсhines (Dynamics) (Omsk, Russia)
14 Nov–16 Nov 2017
Port Scanning Detection Based on Anomalies
Evgeny V. Ananin
Arina V. Nikishova
Irina S. Kozhevnikova
Department of Information Security
Volgograd State University
Volgograd, Russia
Department of Information Security
Volgograd State University
Volgograd, Russia
Department of Telecommunication
Volgograd State University
Volgograd, Russia
Abstract—Modern companies cannot operate and conduct business without a developed and stably functioning information system, which includes a network. To monitor network performance, characteristics of network traffic are defined whose values determine the performance of the network. Mostly these characteristic values vary only slightly within predetermined time intervals. A significant change in their values indicates a violation of network performance or the presence of anomalies. This article reviews the type of network anomaly that is produced by a port scan. The article describes the main types of port scans and the peculiarities of the implementation of the various types of scans. These data were used to construct a mathematical model for detecting anomalies caused by a port scan. An algorithm that implements the proposed mathematical model for detecting port scanning has been developed. The software implementation of the algorithm makes it possible not only to determine the fact of port scanning, but also to identify its source, the IP address of the attacker performing the scan.

Keywords—network attacks, traffic anomaly, anomaly detection; information security; scanning methods

Network technologies have become an integral part of life in modern society. Therefore reliable data transmission channels are very important for efficient network operation. Statistics show that the main channel of information leakage is the network (fig. 1) [1].

Fig. 1. Leaks by channel, H1 – 2016

A peculiarity of network attacks is that a series of steps is performed to achieve the goals of the attack (fig. 2) [2].

Fig. 2. The attack scheme

A common attack consists of four stages. Suppressing the first stage, the stage of reconnaissance (exploration), stops all further actions and the consequences of an attack. The first stage is characterized by a large number of packets sent by an attacker in order to obtain as much useful information as possible about the object of attack. Such an amount of packets leads to the formation of anomalies in the traffic [3]. An anomaly is a significant change in some characteristics of an object. Thus, a traffic anomaly means the occurrence of packets whose intensity differs from the average, or whose header fields have non-typical values [4, 5]. Anomalies in network traffic can be caused by faulty network equipment, accidental or deliberate actions of users, improper operation of applications, malicious acts, etc. [6].

Figure 3 is a schematic diagram of network anomaly detection based on network traffic indicators [7].
Fig. 3. Network anomaly detection scheme

The general algorithm for identifying network anomalies can be described as follows. The initial data for network traffic analysis is a set of network packets, generally fragmented at the IP level [8]. The collected data is the source of the information necessary for further analysis. Then the current profile of the network or system activity is created from the collected data. The created set of attributes is compared with the set of system characteristics of normal activity, the normal pattern of behavior. If there is a significant discrepancy between the compared parameters, a network anomaly is recorded [9]. Otherwise the normal behavior pattern is updated by changing its settings based on the current profile of the observed network activity [10]. The effectiveness of this method depends on the correctness of the pattern of normal behavior. Building this pattern is time consuming and not always feasible. Thus, in practice it turns out that not every abnormal behavior is an attack [11]. For example, a network administrator can use debugging tools to diagnose the network environment. Actions of this kind are not malicious, but anomaly detection engines consider them anomalous activity.

One of the attacks carried out at the reconnaissance stage is port scanning. A port scan is the process of probing all ports of the network hosts [12, 13]. From the results of a port scan the following information can be obtained:
- list of open ports;
- list of closed ports;
- list of services;
- type and version of the OS.

Currently, the main port scan types, and those most readily implemented, are:

1) Ping-scan: The attacker sends Echo messages using the ICMP ping utility and scans the entire network, or sends Echo messages to the broadcast address. Instead of Echo messages, TCP segments with the RST flag can be used; these are the answers to DNS queries for names that do not exist. If the scanner receives an ICMP Destination Unreachable packet in return with code "1" (host_unreachable), it means that the tested host is turned off or not connected to the network [14].

2) Syn-scan: Instead of using the network functions of the operating system, the port scanner itself generates IP packets and monitors the responses to them. This technique is often called scanning using half-open connections, as a full TCP connection is never opened. The port scanner generates a SYN packet. If the port on the target host is open, it responds with a SYN-ACK packet. The scanning host then sends an RST packet, closing the connection before the connection process
Using self-generated network packets has several advantages: it gives the scanning program full control over the sending of packets, the responses to them and the delays in the responses, and it allows the attacker to obtain detailed results of the scan.

3) TCP-scan: This method uses the simple network functions of the operating system and is used when SYN scanning is not feasible for one reason or another. If the port is open, the operating system completes the three-step connection procedure and then closes the connection at once. Otherwise, an error code is returned. The advantage of this method is that it does not require any special permissions. However, using the network functions of the operating system does not allow low-level control, so this type is not used so widely. The main drawback of this method is the large number of opened and immediately interrupted connections, which creates a load on the scanned system [14].

4) ACK-scan: This scan is used to determine whether a port is filtered or not, and is particularly effective for determining the presence of firewalls and their rules. Simple packet filtering allows a packet with the ACK bit set (used for already established connections) to pass, while more sophisticated firewalls do not [16].

5) FIN-scan: Some servers can attempt to trace SYN scans of their ports. For example, an attempt at SYN scanning can be detected by "fake" SYN packets arriving at closed ports of the protected server, and in the case of polling of several ports the server disconnects to prevent scanning. Scanning with FIN packets allows an attacker to bypass these protections. On the arrival of a FIN packet at a closed port the server should send back an RST. FIN packets sent to open ports should be ignored by the server. Based on this distinction, it is possible to distinguish a closed port from an open one [17].

6) XMAS-scan: The operating principle is similar to the FIN-scan, only the FIN, PSH and URG flags are set [18].

A sign of port scanning is a large number of packets with non-standard or rare combinations of TCP flags [19].
Let the analyzed traffic be represented by a set Π of intercepted packets, numbered from 1 to the number of analyzed packets. The traffic is characterized by an anomaly index computed from Π. First, the anomaly index of normal traffic is calculated. If the anomaly index of the analyzed traffic belongs to a fixed neighborhood of the normal index, then the traffic is admitted as free of anomalies; else, the traffic is recognized as possible

To detect port scans, the sender IP address and the TCP flags are extracted from each intercepted packet, forming a vector of (IP address, TCP flags). From the set of vectors, the table T of correspondence between sender IP addresses and flag combinations is formed as a pair of two equal tables of correspondence, each containing IP addresses and flags. Two tables are used so that one can be processed while the other is being filled with data. To detect port scans, 6 flag combinations are tracked; these combinations correspond to every type of scan.

It is assumed that the normal traffic patterns of the protected network hosts and ports are known, i.e. if a packet contains a given combination of flags, then the frequency of its occurrence is known. We define the anomaly index of a packet containing a given flag combination via the negative likelihood logarithm: the anomaly index of the packet equals the negative logarithm of the frequency of the combination of flags in the packet. The anomaly index of the set Π is defined from the anomaly indices of its packets (formula (2)).

Packets gathered during time t are used to analyze the traffic. So, the more unusual the combination the scanner uses, the faster it is detected. If the current anomaly index falls outside the neighborhood of the normal index, a search over the table T (the table of correspondence between IP addresses and TCP flag combinations) is performed for the scan flag combinations by means of a search function. If T contains a row with an IP address and one of the scan flag combinations, then the IP address of the attacker is detected and a message with the attacker's IP address is displayed on the user's
The mathematical model was implemented in software. A general block diagram of the program is shown in figure 4.

Fig. 4. A flowchart of detecting port scanning

The predefined packet capture process is connected to the network interface and intercepts all incoming and outgoing packets. The predefined process for building the reference model of network behavior calculates the anomaly index by formula (2) and stores it for later comparison with the current anomaly index. The predefined packet analysis process analyzes the captured packets using the mathematical model described above. The predefined intruder detection process detects anomalies in the traffic by obtaining the current anomaly index and comparing it with the reference index compiled by the module that calculates the network reference model. It then searches for the flag combinations x through the tables T. After detecting them, the module shows the IP address of the attacker who carried out the port scan [21].
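The detection procedure described above (per-packet negative log-likelihood of the TCP flag combination, a reference index computed from normal traffic with an epsilon neighborhood, and a table T of sender IP addresses and flag combinations used to name the attacker), as an added Python example that is not code from the paper or its software. It assumes that the index of a packet set is the sum of the per-packet indices, a small floor frequency for combinations never seen in normal traffic, one watched flag combination per scan type (the paper tracks six but does not list them), and, as a refinement of the paper's table search, attributes the scan to the sender contributing most to the index; all traffic is constructed.

```python
import math
from collections import Counter, defaultdict

# Scan type per flag combination (assumed: the paper tracks six, unlisted).
SCAN_FLAGS = {"S": "SYN-scan", "A": "ACK-scan", "F": "FIN-scan",
              "FPU": "XMAS-scan", "R": "Ping-scan (RST probe)"}

# Constructed normal traffic: (sender IP, TCP flags) for 20 ordinary packets.
NORMAL = [(ip, f) for ip in ("10.0.0.5", "10.0.0.6")
          for f in ("S", "A", "PA", "A", "FA")] * 2
# Constructed window during an XMAS scan from 192.0.2.10 (10 normal, 10 probes).
XMAS_WINDOW = NORMAL[:10] + [("192.0.2.10", "FPU")] * 10

def flag_frequencies(packets):
    """f(x): relative frequency of each flag combination x in normal traffic."""
    counts = Counter(flags for _, flags in packets)
    return {x: n / len(packets) for x, n in counts.items()}

def packet_anomaly(flags, freq):
    """Per-packet anomaly index: negative log of its combination's frequency."""
    return -math.log(freq.get(flags, 1e-6))  # assumed floor for unseen combos

def anomaly_index(packets, freq):
    """Anomaly index of a packet set (assumed: sum of the per-packet indices)."""
    return sum(packet_anomaly(flags, freq) for _, flags in packets)

def build_table(packets):
    """Table T: sender IP -> flag combinations seen from it, with counts."""
    table = defaultdict(Counter)
    for ip, flags in packets:
        table[ip][flags] += 1
    return table

def detect_scan(window, freq, ref_index, epsilon):
    """None while the window's index stays within epsilon of the reference;
    otherwise (attacker IP, scan types) for the top-contributing sender."""
    if abs(anomaly_index(window, freq) - ref_index) <= epsilon:
        return None
    share = Counter()
    for ip, flags in window:
        share[ip] += packet_anomaly(flags, freq)
    attacker = share.most_common(1)[0][0]
    kinds = sorted(SCAN_FLAGS[x] for x in build_table(window)[attacker]
                   if x in SCAN_FLAGS)
    return attacker, kinds

if __name__ == "__main__":
    freq = flag_frequencies(NORMAL)
    ref = anomaly_index(NORMAL, freq)  # reference index of normal traffic
    print(detect_scan(NORMAL, freq, ref, 5.0), detect_scan(XMAS_WINDOW, freq, ref, 5.0))
```

With the same epsilon, ten plain SYN probes from one sender stay inside the neighborhood and go unreported until more of them accumulate, which mirrors the paper's observation that rare flag combinations are detected faster than SYN scans.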
The experiments were carried out using the Nmap program to perform various types of port scanning. Scanning will be conducted with the host having the
For the reference anomaly index, 100000 packets of network traffic were collected. The following scan types were conducted: Syn, Fin, Xmas, Ack, TCP, Ping. During the experiment, the port scanning detection speed (time) was analyzed.
The aim of the experimental investigations is to determine the rate of detection of the intruder's IP addresses for different types of port scanning.

The average time of detection for 5 types of port scans, in seconds (fig. 5):
- SYN – 28;
- TCP – 26;
- FIN – 27;
- ACK – 19;
- XMAS – 4;
- Ping – 5.

Fig. 5. Results of experimental research

The software detected scans with the lowest-frequency flag combinations fastest. The more unusual the combination of flags used in the packets, the faster the scan was detected. Conversely, the more natural the packets looked during a port scan, the slower the detection. Thereby, XMAS-scan was the fastest to be detected, whereas Syn-scan was the

The developed software successfully detected the IP address of the attacker for all scan types (fig. 6).

Fig. 6. Program interface "Port scan detection"
[1] InfoWatch Analytical Center, Global Data Leakage Report, H1 2016. InfoWatch, Russia, 2016. [Online]. Available:
[2] P. Kabiri and A. A. Ghorbani, "Research on Intrusion Detection and Response: A Survey," International Journal of Network Security, vol. 1, no. 2, pp. 84–102, Sep. 2005.
[3] S. Panjwani, S. Tan, K. Jarrin, and M. Cukier, "An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack," in International Conference on Dependable Systems and Networks, 2005, pp. 602–611.
[4] Z. Jun, H. Ming, and Z. Hong, "A New Method of Data Preprocessing and Anomaly Detection," in Third International Conference on Machine Learning and Cybernetics, Shanghai, 2004, pp. 2685–2690.
[5] Y. Liao, R. Vemuri, and A. Pasos, "Adaptive anomaly detection with evolving connectionist systems," Journal of Network and Computer Applications, vol. 30, no. 1, pp. 60–80, June 2005.
[6] Y. Wang, "A multinomial logistic regression modeling approach for anomaly intrusion detection," Computers & Security, vol. 24, no. 8, pp. 662–674, Nov. 2005.
[7] A. A. Ghorbani, W. Lu, and M. Tavallaee, Network Intrusion Detection and Prevention. New York: Springer, 2010, pp. 35–36.
[8] R. Pang, M. Allman, M. Bennett, J. Lee, V. Paxson, and B. Tierney, "A first look at modern enterprise traffic," in IMC'05: Proceedings of the Internet Measurement Conference, 2005, pp. 2–2.
[9] A. Lukatskii, (2011), Network counterintelligence: how to detect
[10] S. X. Wu and W. Banzhaf, "The Use of Computational Intelligence in Intrusion Detection Systems: A Review," Applied Soft Computing, vol. 10, no. 1, pp. 1–35, Jan. 2010.
[11] M. Gyanchandani, J. L. Rana, and R. N. Yadav, "Taxonomy of Anomaly Based Intrusion Detection System: A Review," International Journal of Scientific and Research Publications, vol. 2, no. 12, pp. 1–13, Dec.
[12] Mike, (2005, Sep.), Countermeasures: protection from port scanning. US. [Online]. Available: http://256bit.ru/Secure/Glava%202/Index6.html.
[13] C. Gates, J. J. McNutt, J. B. Kadane, and M. I. Kellner, "Scan detection on very large networks using logistic regression modeling," in ISCC '06: Proceedings of the 11th IEEE Symposium on Computers and Communications, 2006, pp. 402–408.
[14] J. Messer, (2007), Secrets of Network Cartography: A Comprehensive
[15] Pand0m, (2012, Dec.), TCP SYN Scanning. CA. [Online]. Available:
[16] SANS Institute InfoSec Reading Room, (2001, Oct.), Port Scanning Techniques and the Defense Against Them. SANS, MD. [Online]
[17] R. R. Singh and D. S. Tomar, "Network forensics: detection and analysis of stealth port scanning attack," International Journal of Computer Networks and Communications Security, vol. 3, no. 2, pp. 33–42, Feb. 2015.
[18] J. Boyd, (2015, Dec.), Understanding Xmas Scans. Plixer, US.
[19] S. Staniford, J. Hoagland, and J. McAlerney, "Practical automated detection of stealthy portscans," in 7th ACM Conference on Computer and Communications Security, 2002, pp. 105–136.
[20] S. V. Bredikhin, V. I. Kostin, and N. G. Shcherbakova, "Scan Detection in IP Networks Using Sequential Hypothesis Testing," Vestnik NGU, vol. 7, no. 4, pp. 15–35, March 2013.
[21] E. V. Ananin, I. S. Kozhevnikova, and I. A. Kuznetsov, "Port scanning detection software," in IX Worldwide practical scientific conference, 2016, pp. 53–57.