Co-ordinated port scans: a model, a detector and an evaluation methodology

  • Authors:
  • Carrie Gates

  • Affiliations:
  • Dalhousie University (Canada)

  • Venue:
  • Co-ordinated port scans: a model, a detector and an evaluation methodology
  • Year:
  • 2006

Abstract

Co-ordinated scan detection is primarily of interest to a particular niche of defenders, such as those at the nation-state level. These defenders, such as military organizations, are interested in the detection of co-ordinated scans due to the (untested) assumption that the presence of a co-ordinated scan indicates a more sophisticated adversary. However, despite this level of interest, very little research has been performed at the academic level into defining and detecting co-ordinated scans. Further, in those cases where a detection approach has been proposed, there has been little discussion on how to appropriately test the approach or compare it to other approaches. This dissertation begins by describing a model of potential adversaries based on the information they wish to obtain, where each adversary is mapped to a particular scan footprint pattern. The adversary model forms the basis of an approach to detecting some forms of co-ordinated scans, employing an algorithm that is inspired by heuristics for the set covering problem. The model also provides a framework for a comparison of the types of adversaries different co-ordinated scan detection approaches might identify. An evaluation structure, which is based on the modeling of detector performance over a set of experiments, is presented. A black-box testing approach is adopted, where the variables that potentially affect the detection and false positive rate consist of variables that can be controlled by the user of the detector, the environment in which the detector operates, and the characteristics of the scan itself. Both the detection and false positive rates gathered from the experiments are modeled using regression equations. The resulting coefficients are analysed to determine the impact each variable has on the two rates. The fit of the regression equation is validated using a second series of experiments. A third series of experiments is performed to determine how well the model generalizes to previously unseen operating environments and networks. The regression equations that are provided can be used by a defender to predict the detector's performance in his own environment, as well as how changing the values for different variables will affect the performance of the detector.
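To illustrate the set-covering idea behind the detector described above, here is an added example that is not the dissertation's own code: per-source scan footprints are built from constructed scan records, and a greedy set-cover heuristic groups the sources whose footprints jointly cover the scanned space with little overlap. The sample data, the thresholds (`max_overlap`, `min_coverage`, `min_sources`) and the rule that partners in one co-ordinated scan contribute mostly new targets are assumptions made for this illustration.

```python
from collections import defaultdict
from itertools import product

# Constructed sample: three sources split a sweep of ports 22 and 80 across
# hosts 10.0.0.1-12 with no overlap, while a fourth, unrelated source re-probes
# targets the first source already covered plus one port nobody else touched.
HOSTS = [f"10.0.0.{i}" for i in range(1, 13)]
SCAN_RECORDS = (
    [("203.0.113.5", h, p) for h, p in product(HOSTS[0:4], (22, 80))]
    + [("203.0.113.6", h, p) for h, p in product(HOSTS[4:8], (22, 80))]
    + [("203.0.113.7", h, p) for h, p in product(HOSTS[8:12], (22, 80))]
    + [("198.51.100.9", h, p) for h, p in product(HOSTS[0:3], (22, 80))]
    + [("198.51.100.9", HOSTS[0], 443)]
)

def footprints(records):
    """Map each source to its footprint: the set of (host, port) pairs it probed."""
    fp = defaultdict(set)
    for src, host, port in records:
        fp[src].add((host, port))
    return dict(fp)

def greedy_cover(fp, target, max_overlap=0.2):
    """Greedy set-cover heuristic (an assumed illustration, not the thesis code).
    Repeatedly take the source that adds the most still-uncovered targets; skip a
    source whose footprint mostly re-scans what is already covered, on the
    assumption that members of one co-ordinated scan divide the work.
    Returns the chosen sources and the fraction of `target` they cover."""
    uncovered, chosen, candidates = set(target), [], dict(fp)
    while uncovered and candidates:
        src = max(candidates, key=lambda s: len(candidates[s] & uncovered))
        foot = candidates.pop(src)
        gain = foot & uncovered
        if not gain:
            break  # no remaining source adds anything new
        if 1 - len(gain) / len(foot) > max_overlap:
            continue  # mostly duplicates covered targets: treat as a lone scanner
        chosen.append(src)
        uncovered -= gain
    return chosen, 1 - len(uncovered) / len(target)

def detect_coordinated_scan(records, min_coverage=0.9, min_sources=2):
    """Report a co-ordinated scan when at least `min_sources` low-overlap sources
    jointly cover `min_coverage` of everything scanned; otherwise report nothing."""
    fp = footprints(records)
    target = set().union(*fp.values()) if fp else set()
    if not target:
        return [], 0.0
    chosen, coverage = greedy_cover(fp, target)
    if len(chosen) < min_sources or coverage < min_coverage:
        return [], coverage
    return sorted(chosen), coverage
```

On the sample data the three partitioning sources are reported as one co-ordinated scan and the overlapping lone scanner is left out; three sources that each probe the identical targets are not reported, since they share rather than divide the footprint.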