Network scanning detection strategies for enterprise networks

  • Authors:
  • David Whyte

  • Affiliations:
  • Carleton University (Canada)

  • Venue:
  • Network scanning detection strategies for enterprise networks
  • Year:
  • 2008

Abstract

The Internet is saturated with nonproductive network traffic that includes a variety of reconnaissance activities to identify vulnerable systems. Individual systems exhibit anomalous behavior in their interactions with physical and logical interconnections that define the enterprise network when they are scanning or are the target of a scan. We take advantage of this observation through the development of a suite of network scanning detection techniques to detect internal (intra-enterprise) scanning using the address resolution protocols (i.e. Domain Name System (DNS), Address Resolution Protocol (ARP)), and external (inter-enterprise) scanning using darkports—the unused ports on active systems, which we identify during the construction of exposure maps. Specifically, to detect intra-enterprise network scanning activity, we note that scanning systems exhibit anomalous behavior when using the address resolution protocols. These techniques offer the possibility to identify local scanning systems within an enterprise network after the observation of only a few scanning attempts with a low false positive and negative rate. To detect external scanning activity directed at a network we make use of the concept of exposure maps that are identified by passively characterizing the connectivity behavior of internal hosts in a network as they respond to both legitimate connection attempts and scanning attempts. The exposure maps technique enables: (1) active response options to be safely focused exclusively on those systems that directly threaten the network, (2) the ability to rapidly characterize and group hosts in a network into different exposure profiles based on the services they offer, and (3) the ability to perform a Reconnaissance Activity Assessment (RAA) that determines what specific information was returned to an adversary as a result of a directed scanning campaign. 
In a direct side-by-side comparison with the Threshold Random Walk (TRW) scanning detection technique of Jung (2006, MIT Ph.D. thesis), exposure maps offered an equivalent scanning detection capability while arguably being lightweight and offering additional functionality. This dissertation describes the design, implementation and evaluation of fully functional prototypes to detect internal and external scanning activity at an enterprise network.
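As an added illustration of the exposure-map idea described in the abstract (this is not the dissertation's prototype), the following Python builds an exposure map passively from constructed connection records, flags external attempts at darkports on active hosts, and performs a small Reconnaissance Activity Assessment for one source. The record format, addresses and the two-hit threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample records (not from the dissertation): each tuple is
# (src_ip, dst_ip, dst_port, responded), as seen at the enterprise border;
# 'responded' is True when the internal host completed the connection.
FLOWS = [
    ("198.51.100.7", "10.0.0.5", 80,   True),   # legitimate web traffic
    ("198.51.100.7", "10.0.0.5", 443,  True),
    ("198.51.100.9", "10.0.0.6", 22,   True),   # legitimate ssh to a server
    ("203.0.113.4",  "10.0.0.5", 80,   True),   # probe of an offered service
    ("203.0.113.4",  "10.0.0.5", 23,   False),  # darkport: active host, unused port
    ("203.0.113.4",  "10.0.0.6", 8080, False),  # darkport
    ("203.0.113.4",  "10.0.0.7", 22,   False),  # host never answers: not in the map
]


def build_exposure_map(flows):
    """Map each internal host to the set of ports it has been seen to serve.

    Responses to legitimate connections and to scans both count, matching the
    passive characterisation the abstract describes.
    """
    exposure = defaultdict(set)
    for _src, dst, port, responded in flows:
        if responded:
            exposure[dst].add(port)
    return exposure


def darkport_hits(flows, exposure):
    """Return (src, dst, port) for unanswered attempts at an active host's unused port."""
    return [(src, dst, port) for src, dst, port, responded in flows
            if dst in exposure and port not in exposure[dst] and not responded]


def suspected_scanners(hits, threshold=2):
    """Sources with at least `threshold` distinct darkport hits (assumed threshold)."""
    per_source = defaultdict(set)
    for src, dst, port in hits:
        per_source[src].add((dst, port))
    return {src for src, targets in per_source.items() if len(targets) >= threshold}


def reconnaissance_assessment(flows, exposure, scanner):
    """RAA: which (host, port) pairs in the exposure map answered this scanner."""
    return sorted({(dst, port) for src, dst, port, responded in flows
                   if src == scanner and responded and port in exposure.get(dst, set())})
```

Because only active hosts appear in the map, the unanswered probe of 10.0.0.7 is not counted as a darkport hit; the exposure map, not a fixed port list, decides what is "unused".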