
Distributed Evasive Scan Techniques and Countermeasures

Conference paper. Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2007).

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4579)

Abstract

Scan detection and suppression methods are an important means of preventing the disclosure of network information to attackers. However, despite the importance of limiting the information an attacker can obtain, and the wide availability of such scan detection methods, there has been very little research on evasive scan techniques that attackers could use to avoid detection. In this paper, we first present a novel classification of scan detection methods based on their amnesty policy, i.e. the rule under which a detector stops examining, or forgets the history of, a source it has decided about, since attackers can take advantage of such policies to evade detection. We then propose two novel metrics that measure the resources an attacker needs to complete a scan without being detected. Next, we introduce z-Scan, a novel evasive scan technique based on distributed scanning, and show that it is extremely effective against TRW (Threshold Random Walk), one of the state-of-the-art scan detection methods. Finally, we investigate possible countermeasures, including hybrid scan detection methods and information-hiding techniques. We provide theoretical analysis as well as simulation results to quantitatively measure the effectiveness of the evasive scan techniques and of the countermeasures.
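The mechanism the abstract refers to, as an added illustration (this is not code from the paper, and it does not reproduce z-Scan): a per-source TRW detector built on the sequential hypothesis test of Jung, Paxson, Berger and Balakrishnan (IEEE S&P 2004), followed by two evasions that a per-source, threshold-based detector with a "decide once, then stop looking" amnesty policy permits. The parameter values (θ0 = 0.8, θ1 = 0.2, α = 0.01, β = 0.99), the amnesty policy modelled in `observe`, the source names, and the list of closed targets are assumptions chosen for the example; the source and padding counts it returns are an illustration of what a resource metric for evasion can look like, not the paper's own metrics.

```python
"""
Added example (not code from the DIMVA 2007 paper): a per-source Threshold
Random Walk (TRW) detector following Jung et al.'s sequential hypothesis
test, plus two evasions it permits, used to count attacker resources:
  * spreading failed probes across many sources (distributed scanning), and
  * padding failed probes with successful connections to known-open hosts
    so that the source is eventually granted amnesty as "benign".
Parameter values, the amnesty policy, source names and the "closed targets"
list are all constructed assumptions for this illustration.
"""
import math
from dataclasses import dataclass, field


@dataclass
class TRW:
    theta0: float = 0.8   # assumed P[connect succeeds | benign source]
    theta1: float = 0.2   # assumed P[connect succeeds | scanning source]
    alpha: float = 0.01   # tolerated false-positive rate
    beta: float = 0.99    # target detection rate
    ratios: dict = field(default_factory=dict)    # per-source likelihood ratio
    verdicts: dict = field(default_factory=dict)  # per-source final decision

    @property
    def eta1(self) -> float:            # ratio >= eta1 -> declare "scanner"
        return self.beta / self.alpha
    @property
    def eta0(self) -> float:            # ratio <= eta0 -> declare "benign"
        return (1 - self.beta) / (1 - self.alpha)

    def observe(self, src: str, success: bool) -> str:
        """Fold one connection outcome into src's likelihood ratio; return its verdict."""
        if src in self.verdicts:
            # Assumed amnesty policy for this example: once a source has been
            # decided (either way) it is no longer examined.
            return self.verdicts[src]
        factor = (self.theta1 / self.theta0) if success else (1 - self.theta1) / (1 - self.theta0)
        lam = self.ratios.get(src, 1.0) * factor
        self.ratios[src] = lam
        if lam >= self.eta1:
            self.verdicts[src] = "scanner"
        elif lam <= self.eta0:
            self.verdicts[src] = "benign"
        return self.verdicts.get(src, "pending")

    def failures_to_detect(self) -> int:
        """Consecutive failed probes after which a single source is declared a scanner."""
        fail_factor = (1 - self.theta1) / (1 - self.theta0)
        return math.ceil(math.log(self.eta1) / math.log(fail_factor))


def single_source_scan(closed_targets):
    """Baseline: one source probes every closed target.
    Returns (verdict, number of probes sent when the verdict was reached)."""
    det = TRW()
    for n, _ in enumerate(closed_targets, start=1):
        if det.observe("attacker", success=False) == "scanner":
            return "scanner", n
    return "pending", len(closed_targets)


def distributed_scan(closed_targets, num_sources):
    """Round-robin the failed probes over num_sources addresses the attacker controls.
    Returns the set of verdicts the detector reached for those sources."""
    det = TRW()
    for i, _ in enumerate(closed_targets):
        det.observe(f"src{i % num_sources}", success=False)
    return {det.verdicts.get(f"src{s}", "pending") for s in range(num_sources)}


def min_sources_to_evade(num_closed_targets):
    """Resource count: sources needed so that none sends failures_to_detect() failures."""
    per_source = TRW().failures_to_detect() - 1
    return math.ceil(num_closed_targets / per_source)


def padded_scan(closed_targets, open_hits_per_probe):
    """One source, but every failed probe is followed by open_hits_per_probe successful
    connections to known-open hosts. Each success divides the ratio by as much as a
    failure multiplies it, so enough padding drives the source to a "benign" verdict,
    after which the assumed amnesty policy ignores its remaining probes."""
    det = TRW()
    for _ in closed_targets:
        det.observe("padder", success=False)
        for _ in range(open_hits_per_probe):
            det.observe("padder", success=True)
    return det.verdicts.get("padder", "pending")


if __name__ == "__main__":
    targets = list(range(100))  # constructed: 100 closed ports/hosts to probe
    print(single_source_scan(targets))          # ('scanner', 4)
    print(min_sources_to_evade(len(targets)))   # 34
    print(distributed_scan(targets, 34))        # {'pending'}
    print(padded_scan(targets, 2))              # 'benign'
```

With these parameters a single source is flagged on its fourth consecutive failure, so an attacker needs 34 sources to probe 100 closed targets undetected, or, using a single source, two successful connections per failed probe to be granted amnesty after four rounds; both counts are the kind of quantity the paper's resource metrics are meant to capture, and both fall as soon as the detector forgets per-source history sooner.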



Editor information

Bernhard M. Hämmerli, Robin Sommer


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

Cite this paper

Kang, M.G., Caballero, J., Song, D. (2007). Distributed Evasive Scan Techniques and Countermeasures. In: Hämmerli, B.M., Sommer, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2007. Lecture Notes in Computer Science, vol 4579. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73614-1_10

  • DOI: https://doi.org/10.1007/978-3-540-73614-1_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-73613-4

  • Online ISBN: 978-3-540-73614-1
