dc.contributor.author: Gates, Carrie. (en_US)
dc.date.accessioned: 2014-10-21T12:34:59Z
dc.date.available: 2006
dc.date.issued: 2006 (en_US)
dc.identifier.other: AAINR16682 (en_US)
dc.identifier.uri: http://hdl.handle.net/10222/54773
dc.description: Co-ordinated scan detection is primarily of interest to a particular niche of defenders, such as those at the nation-state level. These defenders, such as military organizations, are interested in the detection of co-ordinated scans due to the (untested) assumption that the presence of a co-ordinated scan indicates a more sophisticated adversary. However, despite this level of interest, very little research has been performed at the academic level into defining and detecting co-ordinated scans. Further, in those cases where a detection approach has been proposed, there has been little discussion on how to appropriately test the approach or compare it to other approaches. (en_US)
dc.description: This dissertation begins by describing a model of potential adversaries based on the information they wish to obtain, where each adversary is mapped to a particular scan footprint pattern. The adversary model forms the basis of an approach to detecting some forms of co-ordinated scans, employing an algorithm that is inspired by heuristics for the set covering problem. The model also provides a framework for a comparison of the types of adversaries different co-ordinated scan detection approaches might identify. (en_US)
dc.description: An evaluation structure, which is based on the modeling of detector performance over a set of experiments, is presented. A black-box testing approach is adopted, where the variables that potentially affect the detection and false positive rate consist of variables that can be controlled by the user of the detector, the environment in which the detector operates, and the characteristics of the scan itself. Both the detection and false positive rates gathered from the experiments are modeled using regression equations. The resulting coefficients are analysed to determine the impact each variable has on the two rates. The fit of the regression equation is validated using a second series of experiments. A third series of experiments is performed to determine how well the model generalizes to previously unseen operating environments and networks. The regression equations that are provided can be used by a defender to predict the detector's performance in his own environment, as well as how changing the values for different variables will affect the performance of the detector. (en_US)
dc.description: Thesis (Ph.D.)--Dalhousie University (Canada), 2006. (en_US)
dc.language: eng (en_US)
dc.publisher: Dalhousie University (en_US)
dc.publisher: (en_US)
dc.subject: Computer Science. (en_US)
dc.title: Co-ordinated port scans: A model, a detector and an evaluation methodology. (en_US)
dc.type: text (en_US)
dc.contributor.degree: Ph.D. (en_US)