Cyber Scanning: A Comprehensive Survey

Cyber scanning refers to the task of probing enterprise networks or Internet-wide services in search of vulnerabilities or ways to infiltrate IT assets. This activity is often the primary methodology adopted by attackers prior to launching a targeted cyber attack. Hence, it is of paramount importance to research and adopt methods for the detection and attribution of cyber scanning. Nevertheless, with the surge of complex offered services on one side and the proliferation of hackers' refined, advanced, and sophisticated techniques on the other, the task of containing cyber scanning poses serious issues and challenges. Furthermore, there has recently been a flourishing of a cyber phenomenon dubbed cyber scanning campaigns: scanning techniques that are highly distributed, possess composite stealth capabilities and exhibit high coordination, rendering almost all current detection techniques unfeasible. This paper presents a comprehensive survey of the entire cyber scanning topic. It categorizes cyber scanning by elaborating on its nature, strategies and approaches. It also provides the reader with a classification and an exhaustive review of its techniques. Moreover, it offers a taxonomy of the current literature by focusing on distributed cyber scanning detection methods. To tackle cyber scanning campaigns, this paper uniquely reports on the analysis of two recent cyber scanning incidents. Finally, several concluding remarks are discussed.
