Cyber threat modeling and validation: port scanning and detection

Port scanning is a commonly applied technique in the discovery phase of cyber attacks. As such, defending against it has long been the subject of many research and modeling efforts. Although modeling efforts can search large parameter spaces to find effective defensive parameter settings, confidence in modeling results can be hampered by limited or omitted validation efforts. In this paper, we introduce a novel mathematical model that describes port scanning progress by an attacker and intrusion detection by a defender. The paper further describes a set of emulation experiments that we conducted on a virtual testbed and used to validate the model. Results are presented for two scanning strategies: a slow, stealthy approach and a fast, loud approach. Estimates from the model fall within 95% confidence intervals on the means estimated from the experiments. Consequently, the model's predictive capability provides confidence in its use for evaluating and developing defensive strategies against port scanning.
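The validation loop the abstract describes (an analytic estimate checked against the 95% confidence interval of an experimental mean, for a slow and a fast scanning strategy) can be illustrated with a small stand-in. The following is an added example, not the paper's model or testbed code: the attacker timeline (exponentially spaced probes with a given mean gap), the defender (a sliding-window detector that alerts once a threshold of distinct ports is seen from one source within the window), and the analytic estimate (expected landing time of the threshold-th probe, `(threshold - 1) * mean_gap`) are all assumptions chosen for the demonstration, and the inputs are constructed.

```python
"""Stand-in port-scan model checked against emulated runs.

Added example, not the paper's model. The attacker timing, detector rule and
analytic estimate below are assumptions made for illustration only.
"""
import math
import random
import statistics
from collections import deque


def scan_events(n_ports, mean_gap, rng):
    """Constructed attacker timeline: one probe per port, with i.i.d. exponential
    gaps of mean `mean_gap` seconds. Returns [(timestamp, port), ...]."""
    t = 0.0
    events = []
    for port in range(1, n_ports + 1):
        events.append((t, port))
        t += rng.expovariate(1.0 / mean_gap)
    return events


def first_alert_time(events, window, threshold):
    """Defender: sliding-window distinct-port counter. Returns the timestamp of the
    first alert (>= threshold distinct ports within `window` seconds), or None if
    the whole scan completes without tripping the rule."""
    recent = deque()  # events whose timestamp lies inside the current window
    for t, port in events:
        recent.append((t, port))
        while recent and recent[0][0] < t - window:
            recent.popleft()
        if len({p for _, p in recent}) >= threshold:
            return t
    return None


def model_estimate(mean_gap, threshold):
    """Assumed analytic model: with the first probe at t=0 and gaps of mean
    `mean_gap`, the threshold-th probe is expected at (threshold-1)*mean_gap."""
    return (threshold - 1) * mean_gap


def confidence_interval(samples, z=1.96):
    """Normal-approximation 95% CI on the mean of `samples` (z=1.96)."""
    m = statistics.mean(samples)
    if len(samples) < 2:
        return (m, m)
    half = z * statistics.stdev(samples) / math.sqrt(len(samples))
    return (m - half, m + half)


def run_experiments(mean_gap, n_ports=100, window=5.0, threshold=10, runs=200, seed=1):
    """Emulated runs of one scanning strategy; collects the detector's alert times."""
    rng = random.Random(seed)
    times = []
    for _ in range(runs):
        t = first_alert_time(scan_events(n_ports, mean_gap, rng), window, threshold)
        if t is not None:
            times.append(t)
    return {"runs": runs, "detected": len(times), "detection_times": times}


def validate(mean_gap, window=5.0, threshold=10, **kw):
    """Compare the analytic estimate with the experimental mean's 95% CI.
    `within_ci` is None when the strategy was never detected (no mean to test)."""
    res = run_experiments(mean_gap, window=window, threshold=threshold, **kw)
    estimate = model_estimate(mean_gap, threshold)
    if res["detection_times"]:
        lo, hi = confidence_interval(res["detection_times"])
        res.update(model=estimate, ci=(lo, hi), within_ci=lo <= estimate <= hi)
    else:
        res.update(model=estimate, ci=None, within_ci=None)
    return res


if __name__ == "__main__":
    # Fast, loud strategy: ~10 ms between probes. Slow, stealthy: ~60 s between probes.
    for label, gap in (("fast/loud", 0.01), ("slow/stealthy", 60.0)):
        r = validate(gap)
        print(label, "detected", r["detected"], "of", r["runs"],
              "model", r["model"], "ci", r["ci"], "within_ci", r["within_ci"])
```

With the defaults the loud strategy trips the 10-ports-in-5-seconds rule on every run and the analytic estimate (0.09 s) can be checked against the CI of the measured alert times, while the stealthy strategy never accumulates ten distinct ports inside the window, so the detector stays silent and the comparison has no experimental mean to test against; that second outcome is the gap a window-based model has to account for before it can be validated on slow scans.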
