Low-End Embedded Linux Platform for Network Security Application – Port Scanning Detector | IEEE Conference Publication | IEEE Xplore


Abstract:

The purpose of this paper is to realize the possible use of an embedded Linux platform for intrusion detection (port scan detection). The approach was to develop software which performs port scans using the half-open and UDP techniques. The software is then executed on a Linux-based single board computer (SBC) running the TS-Linux 2.4.23 kernel. Results show that the embedded port scan detector (EPSD) unit managed to be on par with other known port scanning software while running on a relatively low-end embedded platform. Hence, it is significant that the product has very high market potential. Our test of the new system gives satisfactory results for port scan detection under such hardware limitations.
Date of Conference: 20-22 December 2008
Date Added to IEEE Xplore: 06 January 2009
Print ISBN: 978-0-7695-3489-3

Conference Location: Phuket, Thailand

1. Introduction

An embedded system is a system designed to serve specific tasks. Almost all embedded systems come in a compact size, so users are able to use them as additional parts of other devices or construct specific applications with them. Embedded systems have many advantages, such as high efficiency, long service life, and economical energy consumption.

Port scan attack detection is very important for security management. Many attackers perform port scans as a first step to find vulnerable hosts to compromise, so detecting such port scans indicates incoming network intrusions. In addition, recent worm epidemics, such as Code Red-II and Nimda, scan for other vulnerable hosts for propagation [1], [2]. Network supervisors can prevent viruses from spreading by detecting port scanning activity and prohibiting it.

A port scan is typically initiated by sending some packets from a host through the same port to various destinations and ports. If any destination has a service listening on the scanned port, the connection is established and a reply is sent back. From the reply, the attacker (or the worm) can learn whether a service is available on the scanned port. It will then try to exploit security problems of the service for further intrusion. There are two access patterns of port scans: horizontal (multiple destinations, same ports) and vertical (same destination, multiple ports).

To detect port scans early and prevent further damage, many networks employ Network Intrusion Detection Systems (NIDS) at network entrances. An Intrusion Detection System (IDS) detects intrusions, normally defined as compromises of a system's confidentiality, integrity, or availability properties [3], [4]. Port scanning also has legitimate uses: the network administrator uses the port scanning technique to determine what network-aware applications are running on the network, and the security consultant uses it to find potential security issues and violations [5].
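The horizontal and vertical access patterns described above can be told apart by counting distinct ports per destination and distinct destinations per port for each source. The following is an added example, not the paper's EPSD code; the function name, the thresholds and the sample connection records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (source IP, destination IP, destination port) of TCP SYNs
# seen in one observation window. Addresses come from documentation ranges.
SAMPLE_SYNS = (
    [("192.0.2.10", "198.51.100.5", p) for p in range(20, 30)]       # one host, many ports
    + [("192.0.2.20", f"198.51.100.{h}", 445) for h in range(1, 9)]  # many hosts, one port
    + [("192.0.2.30", "198.51.100.5", 80), ("192.0.2.30", "198.51.100.5", 443),
       ("192.0.2.30", "198.51.100.6", 443)]                           # ordinary client
)


def classify_scans(records, port_threshold=8, host_threshold=6):
    """Return {source: sorted labels} for sources that cross a threshold.

    vertical   = one destination probed on >= port_threshold distinct ports
    horizontal = one port probed on >= host_threshold distinct destinations
    Thresholds are illustrative assumptions, not values from the paper.
    """
    ports_per_pair = defaultdict(set)  # (src, dst)  -> distinct destination ports
    hosts_per_port = defaultdict(set)  # (src, port) -> distinct destination hosts
    for src, dst, dport in records:
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)

    findings = defaultdict(set)
    for (src, _dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            findings[src].add("vertical")
    for (src, _port), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings[src].add("horizontal")
    return {src: sorted(labels) for src, labels in findings.items()}


if __name__ == "__main__":
    for src, labels in sorted(classify_scans(SAMPLE_SYNS).items()):
        print(src, "->", ", ".join(labels))
```

Keeping only two sets per source keeps memory use small, which matters on a low-end board; a deployed detector would also expire entries at the end of each observation window.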
