Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan."— Presentation transcript:

1 Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan

2 Introduction  Port Scanning: Reconnaissance Hackers will scan host/hosts for vulnerable ports as potential avenues of attack Hackers will scan host/hosts for vulnerable ports as potential avenues of attack  Not clearly defined Scan sweeps Scan sweeps Connection to a few addresses, some fail?Connection to a few addresses, some fail? Granularity Granularity Separate sources as one scan?Separate sources as one scan? Temporal Temporal Over what timeframe should activity be trackedOver what timeframe should activity be tracked Intent Intent Hard to differentiate between benign scans and scans with malicious intentHard to differentiate between benign scans and scans with malicious intent

3 Previous Scanning Techniques  Malformed Packets Packets used for “stealth scanning” Packets used for “stealth scanning”  Connections to ports/hosts per unit time Checks whether a source hits more than X ports on Y hosts in Z time Checks whether a source hits more than X ports on Y hosts in Z time  Failed connections Malicious connections will have a higher ratio of failed connection attempts Malicious connections will have a higher ratio of failed connection attempts

4 Bro NIDS  Current algorithm in use for years  High efficiency  Counts local connections from remote host  Differentiates connections by service  Sets threshold  Blocks suspected malicious hosts

5 Flaws in Bro  Skewed for little-used servers Example: a private host that one worker remotely logs into from home Example: a private host that one worker remotely logs into from home  Difficult to choose probabilities  Difficult to determine never-accessed hosts Needs data to determine appropriate parameters Needs data to determine appropriate parameters

6 Threshold Random Walk (TRW)  Objectives for the new algorithm: Require performance near Bro Require performance near Bro High speed High speed Flag as scanner if no useful connection Flag as scanner if no useful connection Detect single remote hosts Detect single remote hosts

7 Data Analysis  Data analyzed from two sites, LBL and ICSI Research laboratories with minimal firewalling Research laboratories with minimal firewalling LBL: 6000 hosts, sparse host density LBL: 6000 hosts, sparse host density ICSI: 200 hosts, dense host density ICSI: 200 hosts, dense host density

8 Separating Possible Scanners  Which of remainder are likely, but undetected scanners? Argument nearly circular Argument nearly circular Show that there are properties plausibly used to distinguish likely scanners in the remainder Show that there are properties plausibly used to distinguish likely scanners in the remainder Use that as a ground truth to develop an algorithm against Use that as a ground truth to develop an algorithm against

9 Data Analysis (cont.)  First model Look at remainder hosts making failed connections Look at remainder hosts making failed connections Compare all of remainder to known bad Compare all of remainder to known bad Hope for two modes, where the failed connection mode resembles the known bad Hope for two modes, where the failed connection mode resembles the known bad No such modality exists No such modality exists

10 Data Analysis (cont.)  Second model Examine ratio of hosts with failed connections made to successful connections made Examine ratio of hosts with failed connections made to successful connections made Known bad have a high percentage of failed connections Known bad have a high percentage of failed connections Conclusion: remainder hosts with <80% failure are potentially benign Conclusion: remainder hosts with <80% failure are potentially benign Rest are suspect Rest are suspect

11 TRW – continued  Detect failed/succeeded connections  Sequential Hypothesis Testing Two hypotheses: benign (H_0) and scanner (H_1) Two hypotheses: benign (H_0) and scanner (H_1) Probabilities determined by the equations Probabilities determined by the equations Theta_0 > theta_1 (benign has higher chance of succeeding connection) Theta_0 > theta_1 (benign has higher chance of succeeding connection) Four outcomes: detection, false positive, false negative, nominal Four outcomes: detection, false positive, false negative, nominal

12 Thresholds  Choose Thresholds Set upper and lower thresholds, n_0 and n_1 Set upper and lower thresholds, n_0 and n_1 Calculate likelihood ratio Calculate likelihood ratio Compare to thresholds Compare to thresholds

13

14 Choosing Thresholds  Choose two constants, alpha and beta Probability of false positive (P_f) <= alpha Probability of false positive (P_f) <= alpha Detection probability (P_d) >= beta Detection probability (P_d) >= beta Typical values: alpha = 0.01, beta = 0.99 Typical values: alpha = 0.01, beta = 0.99  Thresholds can be defined in terms of P_f and P_d or alpha and beta n_1 <= P_d/P_f n_1 <= P_d/P_f n_0 >= (1-P_d)/(1-P_f) n_0 >= (1-P_d)/(1-P_f) Can be approximated using alpha and beta Can be approximated using alpha and beta n_1 = beta/alpha n_1 = beta/alpha n_0 = (1-beta)/(1-alpha) n_0 = (1-beta)/(1-alpha)

15 Evaluation Methodology  Used the data from the two labs  Knowledge of whether each connection is established, rejected, or unanswered  Maintains 3 variables for each remote host D_s, the set of distinct hosts previously connected to D_s, the set of distinct hosts previously connected to S_s, the decision state (pending, H_0, or H_1) S_s, the decision state (pending, H_0, or H_1) L_s, the likelihood ratio L_s, the likelihood ratio

16 Evaluation Methodology (cont.)  For each line in dataset Skip if not pending Skip if not pending Determine if connection is successful Determine if connection is successful Check whether is already in connection set; if so, proceed to next line Check whether is already in connection set; if so, proceed to next line Update D_s and L_s Update D_s and L_s If L_s goes beyond either threshold, update state accordingly If L_s goes beyond either threshold, update state accordingly

17 Results

18 TRW Evaluation  Efficiency – true positives to rate of H1  Effectiveness – true positives to all scanners  N – Average number of hosts probed before detection

19 TRW Evaluation (cont.)  TRW is far more effective than the other two  TRW is almost as efficient as Bro  TRW detects scanners in far less time

20 Potential Improvements  Leverage Additional Information Factor for specific services (e.g. HTTP) Factor for specific services (e.g. HTTP) Distinguish between unanswered and rejected connections Distinguish between unanswered and rejected connections Consider time local host has been inactive Consider time local host has been inactive Consider rate Consider rate Introduce correlations (e.g. 2 failed in a row worse than 1 fail, 1 success, 1 fail) Introduce correlations (e.g. 2 failed in a row worse than 1 fail, 1 success, 1 fail) Devise a model on history of the hosts Devise a model on history of the hosts

21 Improvements (cont.)  Managing State Requires large amount of maintained states for tracking Requires large amount of maintained states for tracking However, capping the state is vulnerable to state overflow attacks However, capping the state is vulnerable to state overflow attacks  How to Respond What to do when a scanner is detected? What to do when a scanner is detected? Is it worth blocking? Is it worth blocking?  Evasion and Gaming Spoofed IPs Spoofed IPs Institute “whitelists”Institute “whitelists” Use a honeypot to try to connectUse a honeypot to try to connect Evasion (inserting legitimate connections in scan) Evasion (inserting legitimate connections in scan) Incorporating other information, such as a model of what is normal for legitimate users and give less weight to connections not fitting the patternIncorporating other information, such as a model of what is normal for legitimate users and give less weight to connections not fitting the pattern  Distributed Scans Scans originating from more than one source Scans originating from more than one source Difficult to fix in this framework Difficult to fix in this framework

22 Conclusion/Summary  TRW- based on ratio of failed/succeeded connections  Sequential Hypothesis Testing  Highly accurate  Quick Response

Download ppt "Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan."

Similar presentations

A small taste of inferential statistics

A small taste of inferential statistics
Tests of Hypotheses Based on a Single Sample

Tests of Hypotheses Based on a Single Sample
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.

Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
1 COMM 301: Empirical Research in Communication Lecture 15 – Hypothesis Testing Kwan M Lee.

1 COMM 301: Empirical Research in Communication Lecture 15 – Hypothesis Testing Kwan M Lee.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
COURSE: JUST 3900 INTRODUCTORY STATISTICS FOR CRIMINAL JUSTICE Instructor: Dr. John J. Kerbs, Associate Professor Joint Ph.D. in Social Work and Sociology.

COURSE: JUST 3900 INTRODUCTORY STATISTICS FOR CRIMINAL JUSTICE Instructor: Dr. John J. Kerbs, Associate Professor Joint Ph.D. in Social Work and Sociology.
Statistical Techniques I EXST7005 Lets go Power and Types of Errors.

Statistical Techniques I EXST7005 Lets go Power and Types of Errors.
HYPOTHESIS TESTING Four Steps Statistical Significance Outcomes Sampling Distributions.

HYPOTHESIS TESTING Four Steps Statistical Significance Outcomes Sampling Distributions.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Very Fast containment of Scanning Worms Presenter: Yan Gao ------------------------------------------------ Authors: Nicholas Weaver Stuart Staniford Vern.

Very Fast containment of Scanning Worms Presenter: Yan Gao Authors: Nicholas Weaver Stuart Staniford Vern.
CS 552 Computer Security Richard Martin. Aspects of Security Confidentiality: can a 3rd party see it? Authentication: Who am I talking to? Non-repudiation:

CS 552 Computer Security Richard Martin. Aspects of Security Confidentiality: can a 3rd party see it? Authentication: Who am I talking to? Non-repudiation:
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
ANOMALY DETECTION AND CHARACTERIZATION: LEARNING AND EXPERIANCE YAN CHEN – MATT MODAFF – AARON BEACH.

ANOMALY DETECTION AND CHARACTERIZATION: LEARNING AND EXPERIANCE YAN CHEN – MATT MODAFF – AARON BEACH.
Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL.

Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL.
Aaker, Kumar, Day Seventh Edition Instructor’s Presentation Slides

Aaker, Kumar, Day Seventh Edition Instructor’s Presentation Slides
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Chapter 5For Explaining Psychological Statistics, 4th ed. by B. Cohen 1 Suppose we wish to know whether children who grow up in homes without access to.

Chapter 5For Explaining Psychological Statistics, 4th ed. by B. Cohen 1 Suppose we wish to know whether children who grow up in homes without access to.
Port Scanning.

Port Scanning.

Similar presentations

Ads by Google