An experimental evaluation to determine if port scans are precursors to an attack

This paper describes an experimental approach to determine the correlation between port scans and attacks. Discussions in the security community often state that port scans should be considered precursors to an attack. However, very few studies have been conducted to quantify the validity of this hypothesis. In this paper, attack data were collected using a test-bed dedicated to monitoring attackers. The data collected consist of port scans, ICMP scans, vulnerability scans, successful attacks and management traffic. Two experiments were performed to validate the hypothesis of linking port scans and vulnerability scans to the number of packets observed per connection. Customized scripts were then developed to filter the collected data and group them on the basis of scans and attacks between a source and destination IP address pair. The correlation of the filtered data groups was assessed. The analyzed data consist of forty-eight days of data collection for two target computers on a heavily utilized subnet.
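The filtering and grouping step described above, as an added Python example that is not the paper's own script: connection records are labelled with the five traffic classes the study collected, management traffic is dropped, records are grouped per (source, destination) pair, and the per-pair timing of first scan versus first attack is summarised. The record layout, IP addresses, timestamps, packet counts and the two conditional rates used as the correlation measure are assumptions made for this example.

```python
from collections import defaultdict
# Constructed sample of per-connection records from the monitored test-bed:
# (seconds since start, source IP, destination IP, packets in the connection, label).
# Labels mirror the five classes the study collected; IPs, times and counts are made up.
RECORDS = [
    (  0, "203.0.113.7",  "192.0.2.10",   2, "port_scan"),
    ( 90, "203.0.113.7",  "192.0.2.10",  14, "vuln_scan"),
    (400, "203.0.113.7",  "192.0.2.10",  61, "attack"),
    ( 10, "203.0.113.7",  "192.0.2.11",   2, "port_scan"),
    (  5, "198.51.100.4", "192.0.2.10",   1, "icmp_scan"),
    (700, "198.51.100.4", "192.0.2.11",  48, "attack"),
    (800, "198.51.100.4", "192.0.2.11",   3, "port_scan"),  # scan after the attack
    ( 20, "10.0.0.2",     "192.0.2.10", 120, "management"),
    (300, "192.0.2.50",   "192.0.2.11",  33, "attack"),
]
ROLE = {"port_scan": "first_scan", "icmp_scan": "first_scan",
        "vuln_scan": "first_scan", "attack": "first_attack"}  # management maps to nothing

def mean_packets_by_label(records):
    """Packets per connection for each class: the quantity the study tests as a
    discriminator between port scans and vulnerability scans."""
    by_label = defaultdict(list)
    for _t, _src, _dst, pkts, label in records:
        by_label[label].append(pkts)
    return {label: sum(v) / len(v) for label, v in by_label.items()}

def group_by_pair(records):
    """Drop management traffic and keep, per (src, dst) pair, the time of the
    first scan and of the first successful attack (None if never seen)."""
    pairs = defaultdict(lambda: {"first_scan": None, "first_attack": None})
    for t, src, dst, _pkts, label in records:
        key = ROLE.get(label)
        if key is None:
            continue
        entry = pairs[(src, dst)]
        if entry[key] is None or t < entry[key]:
            entry[key] = t
    return dict(pairs)

def precursor_summary(pairs):
    """How often an attacked pair was scanned first, and how often a scanned pair
    was later attacked: the two readings of the 'scans are precursors' claim."""
    scanned = [p for p in pairs.values() if p["first_scan"] is not None]
    attacked = [p for p in pairs.values() if p["first_attack"] is not None]
    preceded = [p for p in attacked
                if p["first_scan"] is not None and p["first_scan"] < p["first_attack"]]
    return {"pairs": len(pairs), "scanned": len(scanned), "attacked": len(attacked),
            "attacks_preceded_by_scan": len(preceded),
            "rate_attack_preceded_by_scan": len(preceded) / len(attacked) if attacked else 0.0,
            "rate_scan_followed_by_attack": len(preceded) / len(scanned) if scanned else 0.0}
```

Because a scan logged after the attack on the same pair is not counted as a precursor, the two rates separate "attacks that were scanned first" from "scans that ever co-occurred with an attack", which is the distinction the hypothesis turns on.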
