Portest: Port Scan Detection on Non-Programmable Switches using TCAM and Randomized Algorithm
Krack, Timon
1; Zitterbart, Martina 1
1 Institut für Telematik (TM), Karlsruher Institut für Technologie (KIT)
1; Zitterbart, Martina 11 Institut für Telematik (TM), Karlsruher Institut für Technologie (KIT)
Abstract (englisch):
Monitoring network traffic for detecting security events is crucial for the effective operation of intrusion detection systems (IDS). While programmable switches offer the flexibility to execute monitoring algorithms directly in the data plane, non-programmable switches lack such capabilities and traffic needs to be mirrored and processed externally, leading to scalability and performance challenges. In this paper, we present Portest, a novel algorithm that enables the detection of port scans on non-programmable switches without mirroring traffic. Portest installs a constant number of flow rules with specific stochastic properties in the Ternary Content Addressable Memory (TCAM) of the switch and uses the match counter values for detection. Our results demonstrate that Portest can efficiently detect real-world port scans on non-programmable hardware.
| Zugehörige Institution(en) am KIT | Institut für Telematik (TM) |
| Publikationstyp | Proceedingsbeitrag |
| Publikationsdatum | 08.09.2025 |
| Sprache | Englisch |
| Identifikator | ISBN: 979-8-4007-2087-1 KITopen-ID: 1000184186 |
| HGF-Programm | 46.23.01 (POF IV, LK 01) Methods for Engineering Secure Systems |
| Erschienen in | Proceedings of the 1st Workshop on Next-Generation Network Observability, SIGCOMM 2025 |
| Veranstaltung | 1st Workshop on Next-Generation Network Observability (NGNO 2025), Coimbra, Portugal, 08.09.2025 – 11.09.2025 |
| Verlag | Association for Computing Machinery (ACM) |
| Seiten | 51–57 |
| Schlagwörter | Port Scan Detection, Network Switches, TCAM, Cardinality Estimation |
| Nachgewiesen in | OpenAlex Dimensions Scopus |