The spread of malicious, self-propagating code, popularly known as worms, continues to pose a grave threat to the security of the Internet. These worms exploit software vulnerabilities on certain service ports to compromise end-hosts and to install malicious code on the hosts. Subsequently, the compromised hosts may be used to launch a wide range of malicious activities, such as launching denial of service attacks and sending spam emails.
Stopping the propagation of these worms is a daunting task. Once a new software vulnerability is discovered, new worms exploiting the vulnerability appear in rapid succession and spread throughout the Internet in a matter of hours. Further, even when a vulnerability is known, it is infeasible to ensure that the millions of hosts on the Internet are all properly configured and patched so as to provide security against the known vulnerabilities.
With the speed of worm propagation and the vast number of computers on the Internet, worm containment strategies often seek to limit the spread of worms at an early stage of propagation. Typically, the spread of a worm is preceded by a reconnaissance phase in which infected hosts scan for new hosts that are vulnerable. This scanning activity (known as port scanning) takes the form of probe packets targeted at specific ports on target hosts. If the target host responds, the scanner may initiate the process of uploading the malicious code onto the target host.
A variety of techniques currently exist for port scan detection. However, the current methods are not acceptable for use on large or transit networks. Indeed, port scan detection algorithms today generally operate at the point of entry into a stub network (e.g., an enterprise network or a campus network). For example, the SNORT algorithm is a popular port scan detection algorithm. This algorithm marks a source IP address as a scanner if it contacts more than K distinct IP addresses within T seconds. While SNORT is widely used for enterprise-level networks, it has been shown to be inadequate for use with the traffic mix typically found in a large transit network. In such an environment, application of the SNORT algorithm often yields a large number of false positive results. Another exemplary algorithm is the Threshold Random Walk (TRW) algorithm. This algorithm assumes a bi-directional view of traffic and complete knowledge of the configuration of all end-hosts (e.g., as with an enterprise-level network). Of course, such information is not readily available in a transit network. Accordingly, there is a need for improved systems and methods for detecting port scanning behavior on a network.