American University of Beirut
Port scanning is the most popular reconnaissance technique attackers use to discover services they can break into. Port scan detection has received a lot of attention from researchers; however, a slow port scan, in which probes are spread out over a long period so that no short-window rate threshold is ever exceeded, can evade most existing Intrusion Detection Systems (IDS). In this paper, the authors present a new, simple, and efficient method for detecting slow port scans. The proposed method consists of two phases: a feature collection phase that analyzes network traffic and extracts the features needed to decide whether a given IP address is malicious, and a classification phase that uses the collected features to divide the IP addresses into three groups: normal IPs, suspicious IPs, and scanner IPs.
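The two-phase structure described above, as an added illustration that is not the paper's own code or feature set: the abstract does not say which features the authors collect or how the classifier is built, so the per-source features (distinct destination ports, attempt count, failed-handshake ratio, observation span), the thresholds, and the sample connection records below are all assumptions chosen for the example. A short-window rate check is included alongside it to show why a probe every 60 seconds slips past a classic threshold while the long-horizon feature aggregation still catches it.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of connection attempts (not captured traffic):
# (timestamp_seconds, src_ip, dst_port, outcome), where outcome is "ok"
# for a completed TCP handshake and "fail" for a SYN answered by RST or
# not answered at all.
SAMPLE_EVENTS = (
    # 10.0.0.5: ordinary web client, repeated successful connections to 443 and 80
    [(t, "10.0.0.5", 443, "ok") for t in range(0, 1200, 30)]
    + [(t + 7, "10.0.0.5", 80, "ok") for t in range(0, 1200, 120)]
    # 10.0.0.9: misconfigured monitor, a handful of ports, mostly failing
    + [(t, "10.0.0.9", p, o) for t, p, o in
       [(5, 22, "ok"), (65, 3306, "fail"), (125, 5432, "fail"),
        (185, 6379, "fail"), (245, 8080, "ok"), (305, 9200, "fail")]]
    # 203.0.113.77: slow scan, one new port every 60 s, no handshake ever completes
    + [(t, "203.0.113.77", 1000 + i, "fail")
       for i, t in enumerate(range(0, 1200, 60))]
)

NORMAL, SUSPICIOUS, SCANNER = "normal", "suspicious", "scanner"


@dataclass
class SourceFeatures:
    """Assumed per-source features accumulated over the whole observation period."""
    first_seen: float
    last_seen: float
    attempts: int = 0
    failed: int = 0
    ports: set = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.failed / self.attempts if self.attempts else 0.0

    @property
    def span(self) -> float:
        return self.last_seen - self.first_seen


def collect_features(events) -> dict:
    """Phase 1 (assumed features): aggregate every attempt per source IP
    with no time decay, so a probe every minute still accumulates."""
    feats = {}
    for t, src, port, outcome in events:
        f = feats.get(src)
        if f is None:
            f = feats[src] = SourceFeatures(first_seen=t, last_seen=t)
        f.first_seen = min(f.first_seen, t)
        f.last_seen = max(f.last_seen, t)
        f.attempts += 1
        f.ports.add(port)
        if outcome == "fail":
            f.failed += 1
    return feats


def classify(f: SourceFeatures, suspicious_ports=4, scanner_ports=10,
             scanner_fail_ratio=0.8) -> str:
    """Phase 2 (assumed thresholds): three-way split on port spread and failures."""
    if len(f.ports) >= scanner_ports and f.fail_ratio >= scanner_fail_ratio:
        return SCANNER
    if len(f.ports) >= suspicious_ports or f.fail_ratio >= 0.5:
        return SUSPICIOUS
    return NORMAL


def classify_all(events, **thresholds) -> dict:
    return {src: classify(f, **thresholds) for src, f in collect_features(events).items()}


def rate_detector(events, window_s=10, max_ports_per_window=5) -> set:
    """Classic short-window check: flag a source touching more than
    max_ports_per_window distinct ports inside any window_s-second window."""
    by_src = defaultdict(list)
    for t, src, port, _ in events:
        by_src[src].append((t, port))
    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t < t0 + window_s}
            if len(ports) > max_ports_per_window:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("rate-based detector flags:", rate_detector(SAMPLE_EVENTS) or "nothing")
    for src, f in collect_features(SAMPLE_EVENTS).items():
        print(f"{src:14} ports={len(f.ports):2} attempts={f.attempts:2} "
              f"fail={f.fail_ratio:.2f} span={f.span:6.0f}s -> {classify(f)}")
```

Run as-is, the rate-based check flags nothing, because every source stays under five distinct ports in any 10-second window, while the aggregated features mark 203.0.113.77 as a scanner (20 distinct ports, every attempt failed, spread over 19 minutes) and 10.0.0.9 as suspicious. The thresholds are deliberately simple; the point is that the decision depends on features accumulated over the full observation span rather than on instantaneous rate.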