
Effectively Mining Network Traffic Intelligence to Detect Malicious Stealthy Port Scanning to Cloud Servers

Yan-Zhen Qu, Qi-Kai Lu

Abstract


Cloud computing provides a paradigm to enable convenient and on-demand network access to a shared pool of configurable computing resources. The security challenges related to cloud computing have become a critical concern. In particular, port scanning is the reconnaissance activity of a network intrusion attack against cloud servers. By port scanning, especially stealthy scanning, an attacker can identify the vulnerable ports on the targeted hosts in the network without being noticed. It is therefore critical for defenders to accurately detect malicious and stealthy port scanning activities early, so that they can take the necessary action to stop potential intruders. All existing port scanning detection techniques share a similar problem: a high false alarm rate, caused by lacking the capability to extract the "intelligence information" embedded in both the high levels and the low levels of network traffic. We propose a new port scanning detection technique based on a Logistic Regression (LR) model with a set of specifically designed predictor variables that target the difference between two sequential packets, creating a recognizable LR model that distinguishes anomalous packets from normal ones. By integrating that model with the Hidden Markov Model, we can also effectively detect stealthy scans whose scanning intervals are much bigger than those of normal port scans, and on that basis we can build a general solution to detect port scanning with any length of scan interval. The experiment results showed that we successfully detected malicious and stealthy network probing with a relatively low false alert rate by integrating the two mathematical models.

Keywords


Cloud computing security; Stealthy port scanning; Intrusion detection; Hidden Markov Model; Logistic regression

Citation Format:
Yan-Zhen Qu, Qi-Kai Lu, "Effectively Mining Network Traffic Intelligence to Detect Malicious Stealthy Port Scanning to Cloud Servers," Journal of Internet Technology, vol. 15, no. 5, pp. 841-852, Sep. 2014.

Published by Executive Committee, Taiwan Academic Network, Ministry of Education, Taipei, Taiwan, R.O.C
JIT Editorial Office, Office of Library and Information Services, National Dong Hwa University
No. 1, Sec. 2, Da Hsueh Rd., Shoufeng, Hualien 974301, Taiwan, R.O.C.
Tel: +886-3-931-7314  E-mail: jit.editorial@gmail.com