Document Actions
B Irwin and J P Riel (2008)
Using InetVis to Evaluate Snort and Bro Scan Detection on a Network Telescope
In: VizSEC 2007: Proceedings of the Workshop on Visualization for Computer Security, Date-Added = 2008-06-24 09:46:43 -0400, Date-Modified = 2008-06-24 09:46:52 -0400, edited by Goodall, J. R. and Conti, G. and Ma, K. L.. Springer, pages 255-273.
This paper presents an investigative analysis of network scans and scan detection algorithms. Visualisation is employed to review network telescope traffic and identify incidents of scan activity. Some of the identified phenomena appear to be novel forms of host discovery. Scan detection algorithms used by the Snort and Bro intrusion detection systems are critiqued by comparing the visualised scans with alert output. Where human assessment disagrees with the alert output, explanations are sought by analysing the detection algorithms. The Snort and Bro algorithms are based on counting unique connection attempts to destination addresses and ports. For Snort, notable false positive and false negative cases result due to a grossly oversimplified method of counting unique destination addresses and ports.
10.1007/978-3-540-78243-8_17
Forgot your password?
New user?
Applied Security Visualization book
ChicagoCon
