A proposal of port scan detection method based on Packet-In Messages in OpenFlow networks and its evaluation
International Journal of Network Management (IF 1.5), Pub Date: 2021-06-23, DOI: 10.1002/nem.2174
Daichi Ono 1, Luis Guillen 2, Satoru Izumi 3, Toru Abe 1, 4, Takuo Suganuma 1, 4

By quickly detecting a port scan and blocking the culprit host from the network, it is possible to minimize the spread of damage caused by infected hosts and malicious users. In the past, various Software-Defined Networking (SDN)-based methods have been proposed, whose main advantage is lower overhead compared to traditional methods that collect and analyze all captured traffic. On the other hand, because these methods rely on polling, a short polling interval (e.g., a few seconds) must be set to keep the attack detection time as short as possible. However, when the attack frequency is very low compared to normal traffic, this polling creates unnecessary overhead. In this paper, we propose a port scan detection method that considers the characteristics of Packet-In messages sent from the OpenFlow (OF) switch to the controller. This allows prompt detection with less overhead than conventional polling methods. The evaluation was conducted using both simulated and real traffic data. Results confirm that the proposed method can detect port scans with lower overhead than existing methods.

Updated: 2021-06-23