Document Type

Conference Paper

Publication Date


Publication Source

INFOCOM, 2012 Proceedings IEEE


Intrusion Detection Systems (IDS) have become ubiquitous in the defense against virus outbreaks, malicious exploits of OS vulnerabilities, and botnet proliferation. As attackers frequently rely on host scanning for reconnaissance leading to penetration, IDS is often tasked with detecting scans and preventing them. However, it is currently unknown how likely an IDS is to detect a given Internet-wide scan pattern and whether there exist sufficiently fast scan techniques that can remain virtually undetectable at large-scale. To address these questions, we propose a simple analytical model for the window-expiration rules of popular IDS tools (i.e., Snort and Bro) and utilize a variation of the Chen-Stein theorem to derive the probability that they detect some of the commonly used scan permutations. Using this analysis, we also prove the existence of stealth-optimal scan patterns, examine their performance, and contrast it with that of well-known techniques.

Inclusive pages

2077 - 2085



Document Version

Published Version


Publisher Citation

Leonard, D.; Zhongmei Yao; Xiaoming Wang; Loguinov, D., "Stochastic analysis of horizontal IP scanning," INFOCOM, 2012 Proceedings IEEE , vol., no., pp.2077,2085, 25-30 March 2012

Permission documentation is on file.



Place of Publication

Orlando, FL

Peer Reviewed



IP networks, Internet, computer network security, computer viruses, operating systems (computers), probability, stochastic processes, ubiquitous computing, Bro, Chen-Stein theorem, IDS tools, Internet-wide scan pattern, OS vulnerability, Snort, botnet proliferation, fast scan techniques, horizontal IP scanning, host scanning, intrusion detection systems, malicious exploits, probability, scan detection, scan permutations, scan prevention, stealth-optimal scan patterns, stochastic analysis, ubiquitous, virtually undetectable, virus outbreaks, window-expiration rules, Accuracy, Analytical models, Delay, Grippers, IP networks, Internet, Probes

Link to published version