Tracking Darkports for Network Defense

We exploit for defensive purposes the concept of darkports, the unused ports on active systems. We are particularly interested in such ports which transition to become active (i.e. become trans-darkports). Darkports are identified by passively observing and characterizing the connectivity behavior of internal hosts in a network as they respond to both legitimate connection attempts and scanning attempts. Darkports can be used to detect sophisticated scanning activity, enable fine-grained automated defense against automated malware attacks, and detect real-time changes in a network that may indicate a successful compromise. We show, in a direct comparison with Snort, that darkports offer a better scanning detection capability with fewer false positives and negatives. Our results also show that the network awareness gained by the use of darkports enables active response options to be safely focused exclusively on those systems that directly threaten the network.
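The following Python is an added illustration of the passive scheme the abstract describes, not code from the paper: responses seen from internal hosts build a map of their active ports, every other port on such a host is a darkport, connection attempts to darkports mark a source as scanning, and a darkport that begins answering is reported as a trans-darkport. The host addresses, observation records and the threshold of two distinct darkports are constructed for the example.

```python
from collections import defaultdict

# Constructed observations of internal hosts answering or refusing TCP connection
# attempts: (source, internal host, port, host_responded). Invented for this example.
TRAINING = [
    ("10.0.0.5", "192.168.1.10", 80, True),
    ("10.0.0.6", "192.168.1.10", 80, True),
    ("10.0.0.5", "192.168.1.11", 22, True),
    ("10.0.0.9", "192.168.1.11", 443, True),
    ("10.0.0.9", "192.168.1.12", 22, False),  # never seen answering: not known active
]
LATER = [
    ("203.0.113.7", "192.168.1.10", 445, False),   # darkport probe
    ("203.0.113.7", "192.168.1.11", 445, False),   # darkport probe
    ("203.0.113.7", "192.168.1.10", 3389, False),  # darkport probe
    ("10.0.0.5", "192.168.1.10", 80, True),        # ordinary traffic to an active port
    ("10.0.0.6", "192.168.1.11", 3389, True),      # a darkport starts answering
    ("10.0.0.6", "192.168.1.10", 8080, False),     # single stray probe, below threshold
]

def build_exposure_map(records):
    """Per host, the ports seen answering; every other port on that host is a darkport."""
    exposed = defaultdict(set)
    for _, host, port, responded in records:
        if responded:
            exposed[host].add(port)
    return exposed

def classify(exposure, record):
    """Label one later observation, updating the map when a darkport goes live."""
    _, host, port, responded = record
    if host not in exposure:
        return "unknown-host"      # no response ever seen, so not a known active host
    if port in exposure[host]:
        return "active-port"
    if responded:
        exposure[host].add(port)  # trans-darkport: dark before, active now
        return "trans-darkport"
    return "darkport-probe"

def analyze(exposure, records, threshold=2):
    """Flag sources probing >= threshold distinct darkports; report dark-to-active changes."""
    probes, transitions = defaultdict(set), []
    for rec in records:
        label = classify(exposure, rec)
        if label == "darkport-probe":
            probes[rec[0]].add((rec[1], rec[2]))
        elif label == "trans-darkport":
            transitions.append((rec[1], rec[2]))
    scanners = sorted(src for src, hits in probes.items() if len(hits) >= threshold)
    return scanners, transitions
```

Because no attribution of the probe beyond its source address is needed, a host that is never seen answering stays "unknown" rather than being treated as a darkport owner, which keeps the response list limited to hosts whose exposure is actually known.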
