Orthogonal Expansion of Port-scanning Packets

H. Kikuchi, Tomohiro Kobori, M. Terada
2009 International Conference on Network-Based Information Systems. Published 2009-08-19. DOI: 10.1109/NBiS.2009.82 (https://doi.org/10.1109/NBiS.2009.82)
Citation count: 3

Abstract

Observing port-scan packets on the Internet involves many parameters, including time, port numbers, and source and destination addresses. There are some common port numbers that many malicious codes are likely to scan, but the relationship between port numbers and the malicious codes is not clearly identified. In this paper, we propose a new attempt to characterize port scans observed from many distributed sensors. Our method allows 1) analysis of sensors with a few significant factors extracted from an orthogonal expansion of port-scan packets, rather than taking care of all possible statistics of port numbers, 2) compression of packet data, computed by a linear combination of a limited number of orthogonal factors, and 3) approximation of the number of scanning packets at an arbitrarily specified sensor and ports, made from the statistical correlation between port numbers. We also evaluate the accuracy of our proposed approximation algorithm based on actually observed packets.