Abstract

Network attacks that steal confidential data have become frequent. The first step of an attack is information gathering, and at this stage Nmap is one of the most widely used scanning tools for learning about a target host; the information it returns is then analysed to guide the rest of the attack. An efficient way to detect Nmap scanning is therefore needed. ET OPEN is a rule set widely used by intrusion detection systems (IDS) to protect hosts against malicious probing, but its Nmap detection rate is 58.3% and drops to 8.3% when the scan uses IDS evasion. Because of this low detection rate we propose the Comprehensive Nmap Detection Rules (CNDR), which detect Nmap scanning precisely and efficiently. CNDR removes matches on Nmap's customizable fields from the rules and adds rules for operating-system scanning. On our designed dataset, CNDR achieves a 100% detection rate for normal Nmap scanning and 91.7% detection accuracy for Nmap with IDS evasion. The results show that CNDR remains robust against customized scanning and outperforms ET OPEN.
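The abstract's central point is that a rule keyed on a field the scanner's operator can change (for example the HTTP User-Agent that Nmap's NSE scripts send by default) stops firing as soon as that field is changed, whereas a rule keyed on what a scan must do regardless of configuration keeps firing. The following Python is an added illustration of that distinction; it is not the paper's CNDR rule set or its dataset. The host addresses, the list of "odd" TCP flag combinations, the thresholds and every packet are constructed for the example; the User-Agent string is Nmap's NSE http library default as shipped, but the logic holds for any fixed string.

```python
"""Added example: a customizable-field signature versus behavioural rules.

Two detectors run over the same constructed packet log:
  * signature_alerts   - mimics a rule that matches a string the scanner's
                         operator can change (here Nmap's default NSE User-Agent)
  * behavioural_alerts - flags a port sweep inside a time window and TCP probes
                         with flag combinations no ordinary client uses to open
                         a connection (the kind Nmap's OS detection sends)
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: str       # TCP flag letters: S=SYN A=ACK F=FIN P=PSH U=URG; "" = no flags
    payload: str = ""


# Default User-Agent of Nmap's NSE http library. It is configurable by the
# scanner's operator, which is exactly why a rule keyed on it is brittle.
NMAP_DEFAULT_UA = ("Mozilla/5.0 (compatible; Nmap Scripting Engine; "
                   "https://nmap.org/book/nse.html)")

# Flag combinations that legitimate stacks never use to initiate a connection.
# Nmap's OS detection includes a flagless ("null") probe and a FIN/PSH/URG
# probe, among others; this list is a constructed subset for the example.
ODD_FLAG_SETS = {"", "FPU", "SFPU"}


def signature_alerts(packets):
    """Customizable-field rule: sources whose payload carries Nmap's default UA."""
    return {p.src for p in packets if NMAP_DEFAULT_UA in p.payload}


def behavioural_alerts(packets, window=2.0, port_threshold=10):
    """Field-independent rules. Returns {src: set of reasons}.

    port-sweep            : >= port_threshold distinct destination ports from
                            one source within any `window`-second interval
    os-fingerprint-probe  : a packet whose flags are in ODD_FLAG_SETS
    """
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)

    alerts = defaultdict(set)
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)
        start = 0                      # left edge of the sliding window
        seen = defaultdict(int)        # dport -> packets in the window
        for p in pkts:
            if p.flags in ODD_FLAG_SETS:
                alerts[src].add("os-fingerprint-probe")
            seen[p.dport] += 1
            # Slide the window forward, forgetting packets older than `window`.
            while pkts[start].ts < p.ts - window:
                old = pkts[start].dport
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= port_threshold:
                alerts[src].add("port-sweep")
    return dict(alerts)


def build_sample_traffic():
    """Constructed traffic (not a real capture) against one target, 10.0.0.20."""
    pkts = []
    # Host A: sweep of 15 ports, a null probe, then an HTTP request with the default UA.
    for i in range(15):
        pkts.append(Packet(0.1 * i, "10.0.0.5", "10.0.0.20", 1 + i, "S"))
    pkts.append(Packet(1.6, "10.0.0.5", "10.0.0.20", 22, ""))
    pkts.append(Packet(1.7, "10.0.0.5", "10.0.0.20", 80, "PA",
                       "GET / HTTP/1.1\r\nUser-Agent: " + NMAP_DEFAULT_UA + "\r\n"))
    # Host B: the same behaviour, but the User-Agent has been changed (IDS evasion
    # of the customizable field); the sweep and the odd-flag probe remain.
    for i in range(15):
        pkts.append(Packet(5.0 + 0.1 * i, "10.0.0.6", "10.0.0.20", 1 + i, "S"))
    pkts.append(Packet(6.6, "10.0.0.6", "10.0.0.20", 22, "FPU"))
    pkts.append(Packet(6.7, "10.0.0.6", "10.0.0.20", 80, "PA",
                       "GET / HTTP/1.1\r\nUser-Agent: curl/8.4.0\r\n"))
    # Host C: an ordinary client, a few ports spread over several seconds.
    for i, port in enumerate([80, 443, 443, 22]):
        pkts.append(Packet(10.0 + 3.0 * i, "10.0.0.7", "10.0.0.20", port, "S"))
    return pkts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("signature rule  :", sorted(signature_alerts(traffic)))
    print("behavioural rule:", behavioural_alerts(traffic))
```

Run stand-alone, the signature rule names only host A, because host B changed the one field it looks at, while the behavioural rules name both scanning hosts and leave the ordinary client alone. The thresholds (`window`, `port_threshold`) are the knobs a defender tunes against real baseline traffic to keep the second rule's false-positive rate acceptable.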
