Patent · US Active

Method and apparatus for detecting port scans in a network

US9948661B2 · kind B2 · utility

Cited by: 2
References: 19
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Oct 29, 2014
Grant date: Apr 17, 2018
Priority date
Expiry date: Apr 27, 2036

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L43/106
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A method and an apparatus for detecting a port scan in a network are disclosed. For example, the method extracts statistics from a message, detects the port scan for a source internet protocol address, determines whether a port scan record exists for the source internet protocol address, creates a port scan record for the source internet protocol address that is extracted when the port scan record does not exist, determines an elapsed time when the port scan record does exist, wherein the elapsed time is determined as a difference between the time stamp that is extracted and a recorded time stamp, sets the recorded time stamp to be the extracted time stamp when the elapsed time is less than an intra-scan time, and determines the port scan has ended for the source internet protocol address when the elapsed time is not less than the intra-scan time.
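The per-source record handling described in the abstract can be sketched as follows. This is an added example, not code from the patent: the names `ScanRecord` and `track_scans`, the 60-second intra-scan time, the sample events, and the choice to open a fresh record after a scan ends are all assumptions, and the step that first flags a message as scan activity is taken as given.

```python
from dataclasses import dataclass

INTRA_SCAN_TIME = 60.0  # seconds; assumed value, the abstract gives no number

@dataclass
class ScanRecord:
    src_ip: str
    first_seen: float   # time stamp that created the record
    recorded_ts: float  # "recorded time stamp" compared against new events
    hits: int = 1

def track_scans(events, intra_scan_time=INTRA_SCAN_TIME):
    """Process (timestamp, src_ip) events already flagged as scan activity.

    Events must be in time order. Returns (ended, open_records), where ended
    is a list of (src_ip, first_seen, last_seen, hits) for finished scans.
    """
    records, ended = {}, []
    for ts, src in events:
        rec = records.get(src)
        if rec is None:
            # No port scan record for this source yet: create one.
            records[src] = ScanRecord(src, ts, ts)
            continue
        elapsed = ts - rec.recorded_ts
        if elapsed < intra_scan_time:
            # Same scan is still running: move the recorded time stamp forward.
            rec.recorded_ts = ts
            rec.hits += 1
        else:
            # Gap is not less than the intra-scan time: the earlier scan ended.
            ended.append((rec.src_ip, rec.first_seen, rec.recorded_ts, rec.hits))
            # Assumption: the event that revealed the gap opens a new record.
            records[src] = ScanRecord(src, ts, ts)
    return ended, records

# Constructed sample events using documentation address ranges.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10"), (10.0, "192.0.2.10"), (15.0, "198.51.100.7"),
    (40.0, "192.0.2.10"), (200.0, "192.0.2.10"), (210.0, "192.0.2.10"),
    (300.0, "198.51.100.7"),
]

if __name__ == "__main__":
    finished, still_open = track_scans(SAMPLE_EVENTS)
    for scan in finished:
        print("ended:", scan)
    for rec in still_open.values():
        print("open: ", rec)
```

A scan is only declared ended when a later event from the same source arrives, so a production tracker would also need a periodic sweep to close records that go quiet.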

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.