Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE.

Published byCecilia Parks Modified over 9 years ago

Similar presentations

Presentation on theme: "Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE."— Presentation transcript:

1 Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE Symposium on Security and Privacy 2004 Presenter:Ryan Cunningham

2 A quick note All images and equations taken directly from the publication

3 Port scanning Network reconnaissance technique Usually a prelude to an attack Difficult to detect  Traffic difficult to distinguish from regular traffic  Stealth scans can occur very slowly  Some scans are legitimate Search engine spiders SSH, peer-to-peer applications, etc.

4 Previous detection techniques Limit distinct connection attempts from one IP  Network Security Monitor  Snort Also detects malformed packets Limit failed connection attempts from one IP  Bro Sensitive to service on specific port  Robertson et al. showed threshold very important

5 Previous detection techniques Probabilistic model  Developed by Leckie et al.  Assesses typical traffic a machine receives  Also assesses the traffic a remote machine is likely to send  Combines these probabilities If the result is too much, an alert is sounded  Generates too many false positives

6 Previous detection techniques SPICE  Similar to probabilistic model  Used to detect low traffic “stealth” scans  Too computationally intensive for real world

7 Data set Traffic from two sites  LBL 6,000 hosts Sparse address space 4.4%  ICSI 200 hosts Dense address space 42%

8 Data set Anonymized TCP logs from Bro Recorded for one 24 hour period Bro NIDS flags for comparison and validation

9 Data set Unsuccessful Login attempt analysis

10 Data set Ratio of successful login attempts to unsuccessful login attempt analysis

11 Observations Scans usually come from one host Scans make lots of failed connection attempts and few successful connection attempts Scans should ideally be detected quickly False positive rate should be configurable

12 Sequential Hypothesis Testing Proposed by Wald in the 1940’s Method of doing repeated hypothesis testing as sequential data is gathered Deciding between two hypotheses Each time a data point arrives, decide  Accept H 0 (in our case, benign traffic)  Accept H 1 (in our case, port scan traffic)  Wait for more data (next connection attempt)

13 Sequential Hypothesis Testing We specify parameters  and    > false positive rate   < detection accuracy We must estimate parameters   and      probability a benign connection attempt is successful    probability a scanner connection attempt is successful

14 Sequential Hypothesis Testing For each test, we compute the likelihood ratio: Where

15 Sequential Hypothesis Testing Compare likelihood ratio to: If   <   then this is benign traffic   >   then this is scan traffic  Otherwise, wait for another connection

16 Sequential Hypothesis Testing We can estimate the expected number of connections required to decide with: Derivation is long and messy

17 Sequential Hypothesis Testing

18 Algorithm

19 Results Efficiency = true positive / total reported positive Effectiveness = true positive / total actually positive

20 Results Comparison with Snort and Bro N bar = average number of local hosts scanned before decision is made

21 Contributions Extremely fast port scan detection algorithm High accuracy Low false positive rate Sound statistical foundation Soundly evaluate the weaknesses of their approach Good use of appendixes Cure for insomnia

22 Weaknesses Buffer of activity  Attacker can spoof multiple IP addresses How is filled buffer dealt with?  Flush buffer  Attacker can use this to hide scan activity  Maintain larger buffer  Attacker can keep going until system crashes Distributed port scans undetectable  Botnets are increasing in popularity

23 Weaknesses Test assumes independent connection attempts  As suggested in paper, an attacker could exploit knowledge of the system to connect to some systems while doing surveillance on others No real time testing conducted, only simulation Reasoning is a little circular Poor use of language

24 Improvements Implement and test in real time Perform suggested improvements in paper  Differentiate between different services  Differentiate between rejected and unanswered connection attempts  Use a honeypot to see if complete three way hand shake is completed (to detect spoofed IPs) Should have kept some of the data away as a sort of test data set

Download ppt "Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE."

Similar presentations

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.

Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.

 Single sign-on o Centralized and federated passport o Federated Liberty Alliance and Shibboleth  Authorization o Who can access which resource o ACM.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering On-line Alert Systems for Production Plants A Conflict Based Approach.

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering On-line Alert Systems for Production Plants A Conflict Based Approach.
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan.

Fast Port Scan Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan.
Statistical Comparison of Two Learning Algorithms Presented by: Payam Refaeilzadeh.

Statistical Comparison of Two Learning Algorithms Presented by: Payam Refaeilzadeh.
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Port Scanning.

Port Scanning.

Similar presentations

Ads by Google