Future Work - Summary and Future Directions

Chapter 8 Summary and Future Directions

8.2 Future Work

Our exposure maps technique produces DCAs that can be processed and analyzed using a variety of heuristics. For instance, we developed two heuristics to detect a form of distributed scanning. Additionally, we discussed a third heuristic that could be used to detect slow scanning. Other heuristics could be developed that use the raw output from exposure maps to identify other types of simple or sophisticated scanning activity (e.g. slow scanning).

The RAA provides a mechanism to identify the overall network information di- vulged as well as the specific network information revealed as a direct result of a specific scanning campaign. The signature file that enables RAA currently contains

regex patterns for the SMTP, SSH, HTTP, DNS, and SSL protocols. Additional signatures could be developed to identify other types of applications that could be added into the signature file.

Our DNS-based detection technique is based on the observation that a local host performing remote network scanning does not perform a DNS-lookup before making a connection attempts. This behavior is inherently anomalous and we believe that it can be extended to detect additional classes of malicious activity including: covert channels, and remote to local worm propagation. The technique uses a whitelist to exempt a list of IP addresses and port combinations to eliminate a possible source of false positives caused by client applications that legitimately do not rely on DNS to function. For example, in most networks there are systems that regularly commu- nicate with one another by using IP addresses specified in configuration files rather than fetched in DNS records. However, in certain network environments (e.g. ad hoc, P2P) the majority of hosts may initiate new connections without first generating a DNS lookup. In these network environments the number of IP addresses and protocols added to the whitelist may potentially limit the applicability of this technique as a stand alone detector. In these scenarios, an investigation could be undertaken of how this detection method could be used as an additional detection signal in concert with other worm detection schemes instead of being used as the primary detection technique.

Our experimentation has shown that the ARP-based detection technique has a greater speed of detection when the amount of network dark space is large in pro- portion to active hosts. The development of less coarse thresholds would be worth investigating when the size of network dark space is relatively small in order to in- crease both the speed and accuracy of the technique. One such method would be to evaluate how darkports could be used in conjunction with darkspace to detect L2L scanning activity.

[1] Optixpro trojan horse. http://securityresponse1.symantec.com/sarc/sarc.nsf/ html/backdoor.optixpro.12.html; accessed on January 24, 2008.

[2] tcpdump/libpcap public repository. http://www.tcpdump.org.

[3] M. Alsaleh, D. Barrera, and P. C. van Oorschot. Improving security visualiza- tion with exposure map filtering. In Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC), December 2008.

[4] G. Bakos and V. Berk. Early detection of Internet worm activity by metering ICMP destination unreachable activity. In SPIE Conference on Sensors, and Command, Control, Communications and Intelligence, April 2002.

[5] P. Barford and V. Yegneswaran. An Inside Look at Botnets. Special Workshop on Malware Detection, Advances in Information Security, Springer Verlag, 2006. [6] G. Bartlett, J. Heidemann, and C. Papadopoulos. Understanding passive and active service discovery. In IMC ’07: Proceedings of the 7th ACM SIGCOMM Conference on Internet Measurement, pages 57–70, New York, NY, USA, 2007. ACM.

[7] R. Bejtlich. Extrusion Detection, Security Monitoring for Internal Intrusions. Addison Wesley, first edition, 2006.

[8] A. Bobyshev, P. DeMar, and D. Lamore. Effect of Dynamic ACL (Access Control List) Loading on Performance of Cisco Routers. In Computing in High Energy Physics, Feb. 2006.

[9] Bro Intrusion Detection System. http://bro-ids.org/; accessed on February 23, 2008.

[10] Reference Manual. Bro Wiki. http://www.bro-ids.org/wiki/index.php; accessed on February 23, 2008.

[11] S. Chen and Y. Tang. Slowing down internet worms. In Proc. of 24th Interna- tional Conference on Distributed Computing Systems, Mar. 2004.

[12] S. Coull, C. Wright, F. Monrose, M. Collins, and M. Reiter. Playing devil’s advocate: Inferring sensitive information from anonymized traces. In Proc. of the 14th Annual Network and Distributed System Security Symposium, Feb. 2007. [13] M. Crispin. Internet Message Access Protocol. March 2003. http://www.ietf.org

/rfc/rfc3501.txt?number=3501; accessed on Jan 12, 2008.

[14] D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen. Hon- eyStat: Local worm detection using honeypots. In Proceedings of the 7th In- ternational Symposium on Recent Advances in Intrusion Detection (RAID’04), September 2004.

[15] D. Dagon, C. Zou, and W. Lee. Modeling botnet propagation using time zones. InProceedings of the 13th Annual Network and Distributed System Security Sym- posium (NDSS’06), February 2006.

[16] M. de Vivo, E. Carrasco, G. Isern, and G. O. de Vivo. A review of port scanning techniques. SIGCOMM Comput. Commun. Rev., 29(2):41–48, 1999.

[17] R. Droms. Dynamic Host Resolution Protocol. RFC 2131, March 1997. http://www.ietf.org/ rfc/rfc2131.txt? number=2131; accessed on January 24, 2008.

[18] D. Ellis, J. Aiken, K. Attwood, and S. Tenaglia. A behavioral approach to worm detection. In Proceedings of The ACM Workshop on Rapid Malcode, 2003.

[19] Forescout Technologies Inc, Forescout product. http://www.forescout.com /wormscout.html; accessed on January 24, 2008.

[20] F. C. Freiling, T. Holz, and G. Wicherski. Botnet tracking: Exploring a root- cause methodology to prevent distributed denial-of-service attacks. InESORICS, pages 319–335, 2005.

[21] Fyodor. Remote OS detection via TCP/IP stack fingerprinting. Phrack, 54, December 1998.

[22] C. Gates, J. J. McNutt, J. B. Kadane, and M. I. Kellner. Scan detection on very large networks using logistic regression modeling. In ISCC ’06: Proceedings of the 11th IEEE Symposium on Computers and Communications, pages 402–408, Washington, DC, USA, 2006.

[23] G. Granger, G. Economou, and S. Bielski. Self-securing network interfaces: What, why and how. Technical report, Carnegie-Mellon University, CMU-CS- 02-144, May 2002.

[24] G. Gu, M. Sharif, X. Qin, D. Dagon, W. Lee, and G. Riley. Worm detection, early warning and response based on local victim information. InProceedings of the 20th Annual Computer Security Applications Conference (ACSAC’04), pages 136–145, Washington, DC, USA, 2004.

[25] W. Harrop and G. Armitage. Greynets: a definition and evaluation of sparsely populated darknets. In Proceedings of the 2005 ACM SIGCOMM Workshop on Mining Network Data, pages 171–172, 2005.

[26] IANA TCP/IP Port Assignments. February 2008. http://www.iana.org/ assignments/port-numbers; accessed on February 23, 2008.

[27] M. S. Johns. Identification Protocol. RFC 1413, February 1993. http://www.ietf. org/rfc/rfc1413.txt; accessed Jan 07, 2008.

[28] J. Jung. Real-Time Detection of Malicious Network Activity Using Stochastic Models. PhD thesis, Massachusetts Institute of Technology, 2006.

[29] J. Jung, V. Paxson, A. Berger, and H. Balakrishman. Fast portscan detection using sequential hypothesis testing. InIEEE Symposium on Security and Privacy, pages 211–225, 2004.

[30] C. Kruegel, T. Toth, and E. Kirda. Service specific anomaly detection for intrusion detection. Technical report, Technical University Vienna, Vienna, Austria. TU-1841-2002-28, 2002.

[31] C. Leckie and R. Kotagiri. A probabilistic approach to detecting network scans. InEighth IEEE Network Operations and Management Symposium (NOMS 2002), pages 359–372, 2002.

[32] B. Malmedal. Using netflows for slow portscan detection. Master’s thesis, De- partment of Computer Science and Media Technology, Gjovik University College, Norway, 2005.

[33] MaxMind Frequently Asked Questions. MaxMind GeoIP product. http://www. maxmind.com/app/faq#accurate; accessed on January 24, 2008.

[34] J. McHugh. Acquisition and analysis of large scale network data: Introduction. Tutorial given at the 21st Annual Computer Security Applications Conference (ACSAC), December 2005.

[35] D. Mills. Network Time Protocol (Version 3). RFC 1305, March 1992. http://www.ietf.org/rfcs /rfc1305.txt?number=1305; accessed on January 24, 2008.

[36] Mirage Networks. Mirage NAC. http://www.mirage networks.com; accessed on January 26, 2008.

[37] P. Mockapetris. Domain Names - Implementation and Specification. RFC 1035, November 1987. http://www.ietf.org/rfcs /rfc1035.txt?number=1035; accessed on January 24, 2008.

[38] D. Moore. Network telescopes: Tracking denial-of-service attacks and Internet worms around the globe. In LISA, 2003.

[39] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. In IEEE Security and Privacy Magazine, pages 33– 39, July/August 2003.

[40] D. Moore, G. Voelker, and S. Savage. Inferring Internet denial of service activity. In 10th USENIX Security Symposium, 2001.

[41] Nessus. Tenable Network Security. http: //www.nessus.org.

[42] R. Pang, M. Allman, M. Bennett, J. Lee, V. Paxson, and B. Tierney. A first look at modern enterprise traffic. InIMC’05: Proceedings of the Internet Measurement Conference 2005 on Internet Measurement Conference, pages 2–2, Berkeley, CA, USA, 2005. USENIX Association.

[43] R. Pang, M. Allman, V. Paxson, and J. Lee. The devil and packet trace anonymization. SIGCOMM Comput. Commun. Rev., 36(1):29–38, 2006.

[44] S. Panjwani, S. Tan, K. Jarrin, and M. Cukier. An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack. InInternational Conference on Dependable Systems and Networks, pages 602–611, July 2005.

[45] V. Paxson. Bro: a system for detecting network intruders in real-time.Computer Networks, 31(23–24):2435–2463, Amsterdam, Netherlands, 1999.

[46] V. Paxson, R. Pang, M. Allman, M. Bennett, J. Lee, and B. Tierney. LBNL/ICSI Enterprise Tracing Project (collection). http://imdc.datcat. org/collection/1-0132-C=LBNL_\%2FICSI+Enterprise+Tracing+Project;

accessed on February 12, 2008.

[47] R. Pethia. Attacks on the Internet 2003. Congressional Testimony, Subcommittee on Telecommunications and the Internet, USA, November, 2003.

[48] D. Plummer. An Ethernet Address Resolution Protocol 826. RFC 826, November 1982. http://www.ietf.org/rfc/rfc0826.txt?number= 826; accessed on January 24, 2007.

[49] J. Postel and J. Reynolds. File Transfer Protocol (FTP). RFC 959, October 1985. http://www.ietf.org/rfc/rfc959. txt?number=959; accessed Jan 02, 2006.

[50] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The Ghost in The Browser: Analysis of Web-based Malware. In USENIX HotBots 2007, Aug. 2007.

[51] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In Internet Measurement Conference 2006 (IMC’06), October 2006.

[52] Regular-Expressions.info. http://www.regular-expressions.info/; accessed on Feb 23, 2008.

[53] Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, and E. Lear. Address Allocation for Private Internets. http://www.ietf.org/rfc/rfc1918.txt; accessed on Jan 02, 2006.

[54] RemoteScan Corporation, RemoteScan. http://www.remote-scan.com.

[55] D. Roelker, M. Norton, and J. Hewlett. sfPortscan. 2004. http://cvs.snort.org/ viewcvs.cgi/snort/doc/README.sfportscan?rev=1.6.

[56] M. Roesch. Snort - lightweight intrusion detection for networks. In LISA, 1999. [57] S. Sanfilippo. Bugtraq: new TCP scan method. December 1998. http://seclists.

org/lists/bugtraq/1998/Dec/ 0079.html.

[58] S. Schechter, J. Jung, and A. Berger. Fast detection of scanning worm infec- tions. In7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), September 2004.

[59] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and S. Zhou. Specification-based anomaly detection: a new approach for detecting network intrusions. In Proceedings of the 9th ACM Conference on Computer and Com- munications Security, pages 265–274. ACM Press, 2002.

[60] C. Shannon and D. Moore. The spread of the Witty worm. IEEE Security and Privacy, 2(4):46–50, March 2004.

[61] M. Shelton. Passive Asset Detection System (PADS). http://passive. source- forge.net; accessed on February 23, 2008.

[62] M. Smart, G. R. Malan, and F. Jahanian. Defeating TCP/IP stack fingerprinting. In SSYM’00: Proceedings of the 9th USENIX Security Symposium, pages 17–17, Berkeley, CA, USA, 2000. USENIX Association.

[63] A. Sridharan, T. Ye, and S. Bhattacharrya. Connectionless port scan detection on the backbone. In Malware workshop, IPCCC, Pheonix, AZ, April 2006. [64] S. Staniford, J. Hoagland, and J. McAlerney. Practical automated detection of

stealthy portscans. In 7th ACM Conference on Computer and Communications Security, 2000.

[65] S. Staniford, V. Paxson, and N. Weaver. How to 0wn the internet in your spare time. In Proceedings of the 11th USENIX Security Symposium, August 2002. [66] M. Tanase. Introduction to Autorooters: Crackers Working Smarter, not Harder.

[67] Tenable Network Security, Inc., Nessus Vulnerability Scanner. http://www. nessus.org; accessed on January 26, 2008.

[68] N. Weaver. Potential strategies for high speed active worms: A worst case analysis. 2002. http://www.cs.berkeley.edu/˜nweaver/worms.pdf; last accessed October 20, 2004.

[69] N. Weaver, V. Paxson, S. Staniford, and R. Cunningham. A taxonomy of computer worms. In The First ACM Workshop on Rapid Malcode, Oct. 2003.

[70] N. Weaver, S. Staniford, and V. Paxson. Very fast containment of scanning worms. In Proceedings of the 13th USENIX Security Symposium, 2004.

[71] D. Whyte, E. Kranakis, and P. van Oorschot. DNS-based detection of scanning worms in an enterprise network. In Proc. of the 12th Network and Distributed System Security Symposium, Feb. 2005.

[72] D. Whyte, E. Kranakis, and P. C. van Oorschot. ARP-based detection of scanning worms in an enterprise network. InProceedings of the 21st Annual Computer Security Applications Conference (ACSAC), December 2005.

[73] D. Whyte, P. van Oorschot, and E. Kranakis. Exposure Maps: Removing Re- liance on Attribution during Scanning Detection. InUSENIX HotSec 2006, Aug. 2006.

[74] D. Whyte, P. C. van Oorschot, and E. Kranakis. Addressing SMTP-based mass- mailing activity within enterprise networks. In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC), December 2006.

[75] D. Whyte, P. C. van Oorschot, and E. Kranakis. Tracking Darkports for Network Defence. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), December 2007.

[76] M. Williamson. Throttling viruses: Restricting propagation to defeat malicious mobile code. In 18th Annual Computer Security Applications Conference (AC- SAC), 2002.

[77] C. Wong, S. Bielski, A. Studer, and C. Wang. Empirical analysis of rate limiting mechanisms. In 8th International Symposium on Recent Advances in Intrusion Detection (RAID), 2005.

[78] A. Wool. A Quantitative Study of Firewall Configuration Errors. IEEE Com- puter, 37(6):62–67, 2004.

[79] V. Yegneswaran, P. Barford, and J. Ullrich. Intrusions: Global characteristics and prevalence. In SIGMETRICS, 2003.

[80] T. Ylonen. SSH – secure login connections over the internet. In Proceedings of the 6th USENIX Security Symposium, pages 37–42, 1996.

[81] M. Zalewski. p0f. http://lcamtuf.coredump.cx/p0f.shtml.

[82] C. Zou, L. Gao, W. Gong, and D. Towsley. Monitoring and early warning for Internet worms. In Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003.

Supplementary Material

A.1 Acronym List

Table A.1: Acronyms. ACE ARP Correlation Engine

ACL Access Control List

ARP Address Resolution Protocol CCSL Carleton Computer Security Lab DCA Darkport Connection Attempt DNSCE DNS Correlation System

DHCP Dynamic Host Configuration Protocol DNS Domain Name Service

HEM Host Exposure Map

HTTP Hypertext Transfer Text Protocol IANA Internet Assigned Numbers Authority ICMP Internet Control Message Protocol IDN Internal Departmental Network IMAP Internet Message Access Protocol IP Internet Protocol

NEM Network Exposure Map L2L Local to Local

L2R Local to Remote

LBNL/ICSI Lawrence Berkeley National Laboratory/International Computer Science Institute

MAC Media Access Control P2P Peer to Peer

PPE Packet Processing Engine R2L Remote to Local

RAA Reconnaissance Activity Assessment SMTP Simple Mail Transfer Protocol SSH Secure Shell

SSL Secure Sockets Layer

TCP/IP Transmission Control Protocol/Internet Protocol TRW Threshold Random Walk

TTL Time to Live

UDP User Datagram Protocol 177

In document NETWORK SCANNING DETECTION STRATEGIES FOR ENTERPRISE NETWORKS (Page 180-190)