The Modeling and Detection of Distributed Port Scans: A Thesis Proposal


Before attacking an unknown computer network, an adversary will often port scan the target network to determine the computers and services available. This information can be used by the adversary to determine potential vulnerabilities in the target network. Detecting that a port scan has occurred can provide a network administrator with an early warning system, allowing a pro-active approach to computer security.

Distributed port scans have recently been developed, where the targets to be scanned are distributed across multiple sources. To a target network it appears that several different people have each performed a small port scan, and so it is less likely that an alarm will be raised. However, were the network administrator to know that these multiple scans were actually one large, co-ordinated scan, then it is more likely that proactive security measures would be taken.
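As an added illustration, and not the model or any code from this thesis, the following Python script builds a scan as a list of (source, destination, port) events and shows why a detector that counts ports per source misses a scan spread over sixteen sources, while the same count taken per target does not. The addresses, the port set and the alert threshold are assumed values chosen for the example.

```python
# Added example, not part of the thesis proposal. All addresses, ports and
# thresholds below are constructed for illustration.
from collections import defaultdict
from itertools import cycle

TARGET = "192.0.2.10"                                  # assumed victim host
PORTS = list(range(1, 65))                             # 64 ports to probe
SINGLE_SRC = "10.0.0.1"                                # one scanner
DIST_SRCS = [f"198.51.100.{i}" for i in range(1, 17)]  # sixteen co-ordinated scanners
THRESHOLD = 10                                         # alert above this many distinct ports


def make_single_scan(src, dst, ports):
    """One source probes every port of the target."""
    return [(src, dst, p) for p in ports]


def make_distributed_scan(sources, dst, ports):
    """The port list is dealt round-robin over the sources, so each source
    probes only len(ports)/len(sources) ports of the target."""
    return [(src, dst, p) for p, src in zip(ports, cycle(sources))]


def per_source_alerts(events, threshold):
    """Classic detector: alert when a single source probes more than
    `threshold` distinct ports on one destination."""
    ports = defaultdict(set)
    for src, dst, port in events:
        ports[(src, dst)].add(port)
    return sorted(k for k, v in ports.items() if len(v) > threshold)


def per_target_alerts(events, threshold):
    """Target-centric view: distinct ports probed per destination, counted
    across all sources. Returns {dst: (distinct_ports, distinct_sources)}."""
    ports = defaultdict(set)
    srcs = defaultdict(set)
    for src, dst, port in events:
        ports[dst].add(port)
        srcs[dst].add(src)
    return {d: (len(ports[d]), len(srcs[d]))
            for d in ports if len(ports[d]) > threshold}


def compare(threshold=THRESHOLD):
    """Run both detectors over a single-source and a distributed scan."""
    single = make_single_scan(SINGLE_SRC, TARGET, PORTS)
    distributed = make_distributed_scan(DIST_SRCS, TARGET, PORTS)
    return {
        "single_per_source": per_source_alerts(single, threshold),
        "single_per_target": per_target_alerts(single, threshold),
        "dist_per_source": per_source_alerts(distributed, threshold),
        "dist_per_target": per_target_alerts(distributed, threshold),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20s} {result}")
```

With these values each of the sixteen sources touches only four ports, so the per-source detector raises nothing for the distributed scan, while the per-target count sees all 64 ports and 16 sources against one host. The target-centric count is only a starting point: a busy server also receives connections from many sources on many ports, so a usable model has to separate co-ordinated scanning from ordinary traffic, which is the problem the thesis sets out to address.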

The hypothesis of this thesis is that distributed port scans can be represented by a model. Once a model has been developed, it can be used as a basis for tools to detect distributed port scans in network traffic. This paper presents some background research and motivation for investigating this problem. This is followed by the presentation of a two-pronged approach to creating a model, consisting of an analysis of known distributed port scanners and data exploration of a large amount of real network traffic data. The issues surrounding validation of the model are also addressed.

January 17, 2003
