Collaborative Coordinated Port Scan Detection

2011 to 2012
Cyber Security
Project investigator: Roberto Baldoni

CDCPS aims at countering coordinated port scan attacks, in which a single adversary coordinates a Group of Attackers (GoA) in order to obtain information on a set of target networks. The orchestration is designed to evade the checks of local Intrusion Detection Systems: each host of the GoA sends only a very small number of probes to the hosts of the target network, so that no single local detector sees enough activity to raise an alarm.

The video shows CDCPS detecting coordinated port scans carried out by three different GoAs. It is a recording of the console at the cooperative layer of CDCPS. The cooperative layer aggregates and processes alerts coming from the local network layers, which consist of port scan detection engines deployed at different organizations.

The yellow dots represent alerts coming from the local network layers; if two alerts are similar, an edge is created between them. The graph is periodically clustered, and each cluster is computed with RGRASP in order to discriminate different groups of attackers.
Clustered alerts become a red metanode; when CDCPS discriminates the attackers, the node turns purple. This node contains the list of attackers belonging to a GoA.
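As an added illustration of the alert-graph idea described above (this is not CDCPS code and does not implement RGRASP), the following Python sketch builds a similarity graph over alerts received from several local detectors and collapses each connected component into a metanode listing the probing hosts it contains. The similarity rule (same target /24 within a fixed time window), the union-find clustering used in place of RGRASP, and every address, port and timestamp below are constructed assumptions for the example.

```python
"""Alert-correlation graph: cluster local port-scan alerts into metanodes.

Added example, not part of CDCPS. RGRASP is replaced by plain connected
components; the similarity rule and all sample data are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    detector: str   # local detection engine that raised the alert
    source: str     # probing host (member of a GoA)
    target: str     # probed host inside an organization's network
    port: int       # probed TCP port
    ts: float       # seconds since epoch


def target_net(alert: Alert, prefix: int = 24):
    """Network the probed host belongs to (assumed /24 for the example)."""
    return ip_network(f"{alert.target}/{prefix}", strict=False)


def similar(a: Alert, b: Alert, window: float = 120.0) -> bool:
    """Constructed similarity rule: same target network, close in time.

    Hosts of one GoA probe few ports each, so alerts from different sources
    against the same network within a short window are linked by an edge.
    """
    return target_net(a) == target_net(b) and abs(a.ts - b.ts) <= window


def cluster_alerts(alerts: List[Alert], window: float = 120.0) -> List[List[Alert]]:
    """Connected components of the similarity graph via union-find."""
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if similar(alerts[i], alerts[j], window):
                parent[find(i)] = find(j)

    groups: Dict[int, List[Alert]] = {}
    for i, alert in enumerate(alerts):
        groups.setdefault(find(i), []).append(alert)
    return list(groups.values())


def metanodes(alerts: List[Alert], window: float = 120.0) -> List[dict]:
    """Collapse each cluster into a metanode summarising the suspected GoA."""
    nodes = []
    for group in cluster_alerts(alerts, window):
        nodes.append({
            "target_net": str(target_net(group[0])),
            "first_ts": min(a.ts for a in group),
            "hosts": sorted({a.source for a in group}),
            "ports": sorted({a.port for a in group}),
            "detectors": sorted({a.detector for a in group}),
            "alerts": len(group),
        })
    return sorted(nodes, key=lambda m: (m["target_net"], m["first_ts"]))


# Constructed sample: one GoA of three hosts splits ports 22/80/443 across
# hosts of 192.0.2.0/24 within a minute; a second GoA probes 198.51.100.0/24
# later; one isolated probe against 192.0.2.0/24 falls outside the window.
SAMPLE_ALERTS = [
    Alert("org-A", "203.0.113.5", "192.0.2.10", 22, 1000.0),
    Alert("org-A", "203.0.113.6", "192.0.2.11", 80, 1030.0),
    Alert("org-B", "203.0.113.7", "192.0.2.12", 443, 1070.0),
    Alert("org-C", "198.51.100.200", "198.51.100.20", 25, 5000.0),
    Alert("org-C", "198.51.100.201", "198.51.100.21", 25, 5050.0),
    Alert("org-A", "203.0.113.99", "192.0.2.13", 3389, 9000.0),
]

if __name__ == "__main__":
    for node in metanodes(SAMPLE_ALERTS):
        print(node)
```

With the sample input the first metanode gathers the three hosts that split ports 22, 80 and 443 across two organizations' detectors, which is exactly the evidence no single local detector holds on its own; the isolated late probe stays a singleton rather than being merged into that group.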
At the beginning of the video, the system is tested against a single attacker A. At time 2:48, alerts start to be collapsed into a metanode, which means that the system correctly identifies the attacker; at minute 3:24 all the alerts have been collapsed into a single metanode that contains hosts from a single attacker (purple node).
Later on, the system is tested against two other attackers whose sets of targets partially overlap with those of A. At time 6:12 the system starts to separate two of the three attackers (a red node means that the metanode contains mixed hosts from two or more attackers); one attacker (the bright purple node) is correctly separated, and at minute 7:45 the other attacker (the dark purple node) is identified.