1. Field of the Invention
Embodiments of the present invention generally relate to network monitoring and, more particularly, to a method and apparatus for port scan detection in a network.
2. Description of the Related Art
Networks typically monitor for abnormal activities that may suggest some type of malicious attack is underway. One type of monitored activity is port scanning. A port scanner is a software application that searches a network host for open ports. The most common protocol stack used by networks is transmission control protocol/internet protocol (TCP/IP). In TCP/IP, hosts are referenced using an IP address and a port number. There are 65,535 distinct and usable port numbers. In some literature, a “port scan” is referred to as a single source IP address searching through all 65,535 ports on a system to detect an open port. A “port sweep” is referred to as a source IP searching multiple systems for open ports. The term “port scan”, as used herein, is meant to encompass both activities.
The information gathered by a port scan has many legitimate uses, including the ability to verify the security of a network. Port scanning can, however, also be used by those who intend to compromise security. Hackers rely on port scans to locate open ports and may then flood the host with large quantities of data. Hackers may also exploit known vulnerabilities by crafting a packet in a way that overflows memory and loads exploit code; they may then send this packet to targeted computers to gain access. Such behavior can compromise the security of a network and the computers therein, resulting in the loss or exposure of sensitive information and the loss of the network's ability to function.
Current scan-detection approaches analyze the reporting devices in the network one type at a time, e.g., firewall log analysis, network flow data analysis, etc. However, a careful attacker may slow down and spread out the scanning so that the alarm threshold of any single device is never reached. Accordingly, there is a need in the art for analyzing scan activity across multiple devices, in order to detect scan activity that would not otherwise be detected by the individual systems.