| Graduate student: | 楊孟儒 Yang, Meng-Ru |
|---|---|
| Thesis title: | 使用雙向通信流於慢速端口掃描偵測之研究 / Using Bi-directional Communication Flows for Slow Port Scanning Detection |
| Advisor: | 楊竹星 Yang, Chu-Sing |
| Co-advisor: | 謝錫堃 Shieh, Ce-Kuen |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Electrical Engineering (on-the-job master's program) |
| Year of publication: | 2023 |
| Graduating academic year: | 111 |
| Language: | Chinese |
| Number of pages: | 51 |
| Chinese keywords: | 慢速端口掃描, 邏輯迴歸, NetFlow (slow port scanning, logistic regression, NetFlow) |
| English keywords: | slow port scanning, logistic regression, NetFlow |
| Usage statistics: | Views: 82, Downloads: 10 |
With the arrival of the 5G era, technological progress has accelerated the spread of IoT and the rapid expansion of networked equipment. The convenience and growing range of applications that IoT devices bring have extended from the home into the workplace, and people's dependence on these devices rises every year; research indicates that 14.7 billion devices will be present on the network in 2023, growing at 19% per year. At a time when countless LANs can be built with ease, a wide variety of network security risks have emerged alongside them: attack patterns are complex and varied and can cause losses on a much larger scale. APT attacks and zero-day attacks, for example, deliberately select targets of very high commercial value or government departments that hold sensitive data. During reconnaissance, port scanning is commonly used to confirm the target's state, often kept below the IDS's default detection threshold so that the malicious behaviour hides among normal traffic; this slow and highly covert scanning is known as slow port scanning. This study converts NetFlow from its uni-directional form into a bi-directional one in order to observe the complete traffic travelling between the two ends, and then combines feature indicators with coefficients to capture the behaviour pattern of slow port scanning, successfully resolving the problem of defining IDS thresholds and the weakness of being unable to detect slow scans.
Attackers often use slow port scanning to conceal malicious activity within normal traffic and evade IDS detection. To counter this, this study converts NetFlow into a bi-directional representation to detect slow port scanning behaviour effectively, overcoming the IDS threshold problem.