Abstract
Scan detection and suppression methods are an important means for preventing the disclosure of network information to attackers. However, despite the importance of limiting the information obtained by the attacker, and the wide availability of such scan detection methods, there has been very little research on evasive scan techniques, which can potentially be used by attackers to avoid detection. In this paper, we first present a novel classification of scan detection methods based on their amnesty policy, since attackers can take advantage of such policies to evade detection. Then we propose two novel metrics to measure the resources that an attacker needs to complete a scan without being detected. Next, we introduce z-Scan, a novel evasive scan technique that uses distributed scanning, and show that it is extremely effective against TRW, one of the state-of-the-art scan detection methods. Finally, we investigate possible countermeasures including hybrid scan detection methods and information-hiding techniques. We provide theoretical analysis, as well as simulation results, to quantitatively measure the effectiveness of the evasive scan techniques and the countermeasures.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kang, M.G., Caballero, J., Song, D. (2007). Distributed Evasive Scan Techniques and Countermeasures. In: M. Hämmerli, B., Sommer, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol 4579. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73614-1_10
DOI: https://doi.org/10.1007/978-3-540-73614-1_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73613-4
Online ISBN: 978-3-540-73614-1
eBook Packages: Computer Science (R0)