Using Bayesian Decision Making to Detect Slow Scans

I. Shimada, Yu Tsuda, Masashi Eto, D. Inoue
Published in: 2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), 2015-11-01. DOI: 10.1109/BADGERS.2015.015 (https://doi.org/10.1109/BADGERS.2015.015)
Citations: 2

Abstract

In a targeted cyberattack, attackers search for vulnerable hosts in the internal network of the targeted organization. Then, they try to increase the number of hosts that can be used as stepping stones for further attacks. Attackers would like to perform these activities hidden from network-based security appliances such as firewalls and network intrusion detection systems (NIDSs). One of the methods to hide their reconnaissance is a slow scan, in which the search can be spread over several months and mixed with large-scale normal live traffic. The method is very simple, but it is effective at evading general firewalls and NIDSs. In this paper, we focus on slow scan activities and propose a simple and efficient approach to detect a slow scan using Bayesian decision making within live network traffic. Our method makes it possible to detect a slow scan as early as possible and to quickly stop attackers from reconnoitering the internal network.