Abstract:

The portscan is most popular anomaly in the network and the TRW is the most representative algorithm for the portscan detection.The packet sampling is currently the majority of packet selection method used by many business demands.Prior work has shown that the packet sampling thins traffic flows and impacts anomaly detection.The success ratio and the false negative ratio of the TRW initially increases for low sampling intervals before dropping off for high sampling intervals as the traffic is increasingly thinned.Based on previous researches,we design an improved TRW using theTCP protocol information in the sampling packet.Experimental results show that using the algorithm the false negative ratio drops off while the success ratio does not change.

Key words: portscan;sampling;flow size