Shared resource matrix methodology: an approach to identifying storage and timing channels
ACM Transactions on Computer Systems (TOCS)
Guarded commands, nondeterminacy and formal derivation of programs
Communications of the ACM
Practical automated detection of stealthy portscans
Journal of Computer Security
A technique for counting natted hosts
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Using Model Checking to Analyze Network Vulnerabilities
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Characteristics of internet background radiation
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Worm Detection, Early Warning and Response Based on Local Victim Information
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Remote Physical Device Fingerprinting
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Modeling and Verification of IPSec and VPN Security Policies
ICNP '05 Proceedings of the 13TH IEEE International Conference on Network Protocols
Co-ordinated port scans: a model, a detector and an evaluation methodology
Co-ordinated port scans: a model, a detector and an evaluation methodology
From NuSMV to SPIN: Experiences with model checking flight guidance systems
Formal Methods in System Design
Resisting SYN flood DoS attacks with a SYN cache
BSDC'02 Proceedings of the BSD Conference 2002 on BSD Conference
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
A simulation-based proof technique for dynamic information flow
Proceedings of the 2007 workshop on Programming languages and analysis for security
Tracking port scanners on the IP backbone
Proceedings of the 2007 workshop on Large scale attack defense
Quantitative information flow as network flow capacity
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Distributed Evasive Scan Techniques and Countermeasures
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
Tightlip: keeping applications from spilling the beans
NSDI'07 Proceedings of the 4th USENIX conference on Networked systems design & implementation
Interactive visualization for network and port scan detection
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Students who don't understand information flow should be eaten: an experience paper
CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
Collaborative TCP sequence number inference attack: how to crack sequence number under a second
Proceedings of the 2012 ACM conference on Computer and communications security
| Hi-index | 0.00 |
Idle port scanning uses side-channel attacks to bounce scans off of a "zombie" host to stealthily scan a victim IP address or infer IP-based trust relationships between the zombie and victim. We present results from building a transition system model of a network protocol stack for an attacker, victim, and zombie, and testing this model for non-interference properties using model checking. Two new methods of idle scans resulted from our modeling effort, based on TCP RST rate limiting and SYN caches, respectively. Through experimental verification of these attacks, we show that it is possible to scan victims which the attacker is not able to route packets to, meaning that protected networks or ports closed by firewall rules can be scanned. This is not possible with the one currently known method of idle scan in the literature that is based on non-random IPIDs. For the future design of network protocols, a notion of trusted vs. untrusted networks and hosts (based on existing IP-based trust relationships) will enable shared, limited resources to be divided. For a model complex enough to capture the details of each attack and where a distinction between trusted and untrusted hosts can be made, we modeled RST rate limitations and a split SYN cache structure. Non-interference for these two resources was verified with symbolic model checking and bounded model checking to depth 1000, respectively. Because each transtion is roughly a packet, this demonstrates that the two respective idle scans are ameliorated by separating these resources.