SPICE Whitepaper - The Stealthy Portscan and Intrusion Correlation Engine (SPICE) is a project at Silicon Defense to detect portscans, even those the attacker has tried to make stealthy, for example by slowing the scan down or randomizing it. The basic idea of SPICE is to monitor a network's packets. Each packet is assigned an anomaly score based on the normal traffic observed on the network. The higher the score, the more unusual and possibly suspicious the packet is. The scored packets are then passed to a correlator, which groups related packets together and reports portscans. The correlator is under active development, but an implementation of the anomaly sensor, called SPADE, has been released.
c99f6f93498d742845e7c30fc7a248c8ed4aea75426f04e9ec5ace07517adf05