A behavior-based method for detecting distributed scan attacks in darknets

Research output: Contribution to journalArticlepeer-review

13 Citations (Scopus)


The technologies used by attackers in the Internet environment are becoming more and more sophisticated. Of the many kinds of attacks, distributed scan attacks have become one of the most serious problems. In this study, we propose a novel method based on normal behavior modes of traffic to detect distributed scan attacks in darknet environments. In our proposed method, all the possible destination TCP and UDP ports are monitored, and when a port is attacked by a distributed scan, an alert is given. Moreover, the alert can have several levels reflecting the relative scale of the attack. To accelerate learning and updating the normal behavior modes and to realize rapid detection, an index is introduced, which is proved to be very efficient. The efficiency of our proposal is verified using real darknet traffic data. Although our proposal focuses on darknets, the idea can also be applied to ordinary networks.

Original languageEnglish
Pages (from-to)527-538
Number of pages12
JournalJournal of information processing
Issue number3
Publication statusPublished - 2013

All Science Journal Classification (ASJC) codes

  • Computer Science(all)


Dive into the research topics of 'A behavior-based method for detecting distributed scan attacks in darknets'. Together they form a unique fingerprint.

Cite this