A Study on Risk Index to Analyze the Impact of Port Scan and to Detect Slow Port Scan in Network Intrusion Detection

Network port scan attack is a tool with which to identify any opened port in a system within the internal network. In most existing instances of the intrusion detection system, the port scan attack has been considered 'executed' against the source IP address for the outgoing packets whose count is higher than the threshold set according to the record of packets sent to the system or network per unit of time. That is, the risk level of a source IP address performing the network port scan attack has relied on the count of port scan attacks recorded by IDSs. However, the risk measurement solely based on the count of port scan attacks yields low port scan detection rates for the increased false negatives on slow port scan attacks. In this study, four different forms of the information are highlighted to accurately and comprehensively identify the network port scan attacks. A risk index quantifying such information through the Principal Component Analysis (PCA) is hereby proposed to express integrated risks on the port scan attacks. The detection using the risk index proposed through the experimentation demonstrates superior port scan detection rates than Snort.