Investigating Study on Network Scanning Techniques


Mohammed Anbar 1, Ahmed Manasrah 2, Sureswaran Ramadass 3, Altyeb Altaher 4, Ashraf Aljmmal 5, Ammar Almomani
National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, USM, Penang, Malaysia, anbar@nav6.org, sures@nav6.usm.my, ammarali@nav6.org
2 Faculty of Information Technology and Computer Sciences, Yarmouk University, Irbid, Jordan, ahmad.a@yu.edu.jo
5 Computer Science and Applications, Faculty of Prince Al-Hussein Bin Abdullah II for Information Technology, The Hashemite University, Zarqa, Jordan, ashrafj@hu.edu.jo
International Journal of Digital Content Technology and its Applications (JDCTA), Volume 7, Number 9, May 2013, doi: /jdcta.vol7.issue

Abstract

Network scanning is considered to be the first step taken by attackers trying to gain access to a targeted network. Hence, it is useful for system and network administrators to identify the targets scanned by network attackers as early as possible. Resources and services can then be protected by patching or by installing security measures such as a firewall, an intrusion detection system (IDS), or some alternative computer system. This paper presents an investigative study of network scanning techniques. The study first identifies the existing scanning methods. It then discusses how malicious code adopts scanning methods to find vulnerable hosts and services. In addition, this article explores the current approaches to detecting the presence of scanning in the network.

Keywords: Network scanning, Anomaly behavior, Worms

1. Introduction

A network attacker will always try to identify the active hosts, services, operating systems, and applications running on every computer system in a targeted network. Network scanning is usually used for this purpose, and it is considered to be the first step taken by attackers when gaining access to a targeted network [1]. However, it also incurs unwanted traffic on the network, because the scanned host is busy receiving and replying to numerous unnecessary requests.

Network scanning can generate traffic anomalies if scanners target the whole IP address range while searching for hosts and vulnerable services. This is because attackers are not aware of the services that might be available or vulnerable in the targeted network and that could then be exploited to initiate attacks [2]. In other words, they will try to scan all available systems and programs on the target host in their endeavor to find a possible gateway. Many scanning detection approaches have been proposed in the past to detect the presence of scanning in the network. Most research papers discuss efforts related to the present work, but none of them gives a comprehensive classification of the existing scanning detection approaches. This article contains an investigative study of the existing scanning detection approaches, classified by detection technique. The advantages and drawbacks of each approach are then identified and discussed.

The rest of the paper is organized as follows. Section 2 presents the common terminology used in the paper. Section 3 describes the network scanning methods. The employment of scanning by malicious code is presented in Section 4. Section 5 presents a review of network scanning detection techniques found in the literature. Finally, Section 5 concludes with a summary of this study and recommendations for future research.

2. Scanning Techniques Methods

The scanning techniques are categorized into five categories, as shown in Figure 1.

Figure 1. Scanning Techniques Methods (Scanning: Random, Sequential, Hit list, Topological, Passive)

2.1 Random Scanning

In this method, an attacker blindly scans the network to find vulnerable hosts and services; he is not aware of which IPs are active or which services are running on each active host. Targeting inactive hosts or services frequently generates connection failure messages. Thus, frequent connection failures generated by network scanning might indicate the existence of a network worm if they are analyzed properly (de Vivo, et al., 1999; Northcutt & Novak, 2002). A connection failure may occur for the following reasons: (1) a network worm tries to scan a service but the port is closed; in this case an ICMP port unreachable or a TCP RST packet is generated; (2) a worm tries to scan an inactive host; in this case an ICMP host unreachable packet is generated.

2.2 Sequential Scanning

In this method, the attacker scans a block or range of IP addresses sequentially. After the worm has randomly selected a starting IP address s, the scanner continues with s+1 or s-1 [3]. Sequential scanning can be easily noticed by any traffic sniffing tool such as Wireshark, because the captured destination IPs of the host performing the sequential scan appear in sequential order.

2.3 Hit List Scanning

In this method, an attacker defines a list of vulnerable hosts and services to be scanned once the worm is released. This list may be generated by stealthily monitoring the network or obtained from elsewhere. The accuracy of this method is high, since the attacker has prior knowledge about the targets and services. Because of this high accuracy, the probability of anomalous behavior appearing is very low, so it is difficult for anomaly detection systems to detect this kind of scanning.

2.4 Topological Scanning

In this method, a worm relies on local information saved on the infected host. Local information includes addresses in the user's contact list, the hosts file (e.g., /etc/hosts) and URLs in the user's browsing history. Attackers employ this information to identify targets and an infection path, using a second channel such as the services provided by Google, or by querying a peer-to-peer network or an instant messaging server for vulnerable peers. Topological worms can spread very fast, especially on networks with highly connected applications (Weaver, Paxson, Staniford, & Cunningham, 2003).

2.5 Passive Scanning

In this method, information about vulnerable hosts and services is obtained by monitoring the target network passively (Kato, Nitou, Ohta, Mansfield, & Nemoto, 1999). This form of scanning is much slower than the previous techniques but can be harder for intrusion detection systems (IDS) to detect, since it does not exhibit any anomalous behavior.

3. Employing Scanning By Malicious Code: Worm Case Study

Network worms are malicious codes that propagate through the network without any human intervention. They are considered a challenging problem because of their highly destructive effects on network resources, topologies, assets and services. The entry points for network worms are the vulnerable hosts and services on the network. To find such vulnerable hosts and services, network worms launch network scanning as the first phase of the worm life cycle, alongside transmission, propagation and infection [4, 5]. The scanning launched by such worms has its own symptoms, the most common being connection failure. Connection failure messages come in the form of ICMP type 3 and TCP RST packets, which produce a very strong footprint and provide evidence of network scanning. An ICMP type 3, code 1 (host unreachable) packet is generated when a TCP SYN or UDP request is sent to an unused IP address. An ICMP type 3, code 3 (port unreachable) packet is generated when a UDP request is sent to an existing address but the port is closed. A TCP RST packet is generated when a TCP SYN packet is sent to an existing host and the port is closed, and also when a TCP SYN carrying a forged source IP address is sent to an existing host and the destination host replies with a SYN ACK to the real owner of that address; in the latter case, a TCP RST is sent from the real IP address to the destination IP. Figure 2 shows an example of ICMP type 3 and TCP RST packet generation. Table 1 shows different worms and their scanning methods.

Figure 2. Connection attempts: a) Successful TCP Connection; b) TCP Destination Port Closed; c) UDP Destination Port Closed; d) Destination IP Address Does Not Exist.

Table 1. Worms and Their Scanning Methods. Scanning techniques: Random, Sequential, Hit list, Topological, Passive. Worms listed (with reference): Morris worm [6], Gnuman worm [7], Blaster worm [8], Slammer worm [9], Code Red v2 worm [10], CRClean worm [11], Sasser [12], Witty [13], Nimda [14].

As we can see from Table 1, random scanning is commonly used by worms. According to (Li, et al., 2008), worms that employ random scanning to find vulnerable hosts and services may be easier to implement and may spread faster, but are not very accurate. Random scanning is nonetheless the preferred and most common method used by network worms.

4. Related Works

Network scanning is a technique used to determine which ports (or similar protocol abstractions) of a host are listening for connections. These ports represent potential communication channels. Knowing that they exist, since they enable the exchange of information with the host, is quite useful for anyone wishing to explore a networked environment, its topology and its configuration, including hackers. As a result, many researchers are trying to propose an early scanning detection method to serve as the first line of defense against attackers. Network scanning detection techniques in the literature are grouped into aggregation-based, anomaly-based and statistical-based approaches.

4.1 Aggregation-based Approaches

The aggregation approach mainly depends on counting aggregated data. This network-scanning detection approach was first proposed by Roesch (1999), and it depends on calculating the number of destination IPs accessed by each distinct source IP on each destination port. If the source IP exceeds a predefined threshold, it is identified as a scanner. However, this approach cannot identify a low-level scanner operating over a long period of time [15], because the method wastes system resources (CPU and memory) when handling voluminous network traffic.

Furthermore, this approach produces a high false positive rate, because it does not treat connection failure as the very strong indicator of network scanning activity that it is. Therefore, Singh et al. (2003) proposed a further aggregation approach that detects scanning activity by counting the connection failures generated by each source IP in a specific time window. If the source IP exceeds a predefined threshold, it is identified as a scanner. However, considering only one metric (connection failure) when detecting network scanning produces high numbers of false positives, because many legitimate activities generate the same connection failure symptoms [16].
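The two aggregation detectors just described, run over constructed connection records, as an added example that is not code from the paper, Snort or the cited systems. It shows both weaknesses the text names: a low-and-slow scanner stays under the per-window threshold of either counter, and the failure-only counter flags a legitimate monitoring host. The threshold, window and addresses are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float       # seconds
    src: str
    dst: str
    dport: int
    outcome: str    # "syn_ack" (port open), "rst" (TCP port closed), "icmp3" (ICMP type 3)


# The connection-failure symptoms of Section 3: TCP RST and ICMP type 3 replies.
FAILURES = {"rst", "icmp3"}


def roesch_scanners(conns, threshold, window):
    """Roesch (1999)-style aggregation: per source and destination port, count the
    distinct destination IPs seen inside each fixed time window (seconds) and flag
    sources whose count exceeds `threshold`."""
    targets = defaultdict(set)
    for c in conns:
        targets[(c.src, c.dport, int(c.ts // window))].add(c.dst)
    return sorted({src for (src, _, _), dsts in targets.items() if len(dsts) > threshold})


def singh_scanners(conns, threshold, window):
    """Singh et al. (2003)-style aggregation: count connection failures per source
    inside each fixed time window and flag sources whose count exceeds `threshold`."""
    failures = Counter()
    for c in conns:
        if c.outcome in FAILURES:
            failures[(c.src, int(c.ts // window))] += 1
    return sorted({src for (src, _), n in failures.items() if n > threshold})


def build_sample_conns():
    """Constructed connection records (not real traffic) covering the cases the paper discusses."""
    conns = []
    # Fast scanner: 40 hosts on TCP/445 in 40 s; closed ports answer RST, dead hosts ICMP type 3.
    for i in range(40):
        conns.append(Conn(float(i), "10.0.0.66", f"10.0.1.{i + 1}", 445, "rst" if i % 2 == 0 else "icmp3"))
    # Low-and-slow scanner: 30 hosts on TCP/22, one probe every two minutes.
    for i in range(30):
        conns.append(Conn(120.0 * i, "10.0.0.77", f"10.0.1.{i + 1}", 22, "icmp3"))
    # Monitoring host polling one downed service every 5 s: many failures, a single target.
    for i in range(40):
        conns.append(Conn(5.0 * i, "10.0.0.5", "10.0.2.10", 8080, "rst"))
    # Ordinary client: a few successful HTTPS connections.
    for i in range(3):
        conns.append(Conn(1.0 + i, "10.0.0.8", f"10.0.3.{i + 1}", 443, "syn_ack"))
    return conns


def demo(threshold=10, window=60.0):
    """Run both detectors over the sample records with a shared threshold and window."""
    conns = build_sample_conns()
    return {"roesch": roesch_scanners(conns, threshold, window),
            "singh": singh_scanners(conns, threshold, window)}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {flagged}")
```

With these settings the distinct-destination counter flags only the fast scanner, the failure counter flags the fast scanner and the monitoring host (a false positive), and neither sees the slow scanner.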

SNORT [17] uses two preprocessors to avoid a heavy processing load under high traffic volumes. The first preprocessor is packet-oriented and focuses on detecting the malformed packets that tools such as NMAP [18] use during low-level scanning. The second is a connection-oriented preprocessor that checks whether a given source IP address has accessed more than one distinct destination port or distinct destination IP address during a specific time window. If the count of distinct destination ports or IP addresses exceeds a certain threshold, the source IP is identified as a scanner. Anomaly-based approaches began to evolve in network scanning detection when it was found that aggregation approaches exhibited poor detection accuracy and high false positive rates.

4.2 Anomaly-based Approaches

Anomaly-based detection systems can detect and identify abnormal behavior in a network. Anomaly detection generally depends on profiling the normal behavior of the network; any deviation from the generated profile is then considered abnormal. The general assumption of anomaly detection is that any intrusive activity generates anomalous or suspicious activity. For example, an attacker without knowledge of legitimate user activities who attacks a host in a network can be easily identified using an anomaly-based detection system such as TRW [19] or PHAD [20]. However, flagging all apparently intrusive activities, i.e., all anomalies, produces a high proportion of false positives.

Staniford et al. (2002) developed the Stealthy Port scan and Intrusion Correlation Engine (SPICE) to detect low-rate port-scanning activity. The technique is based on two components: a network anomaly detector (SPADE: Statistical Packet Anomaly Detection Engine) and a correlation engine. Port-scanning activity is detected by assigning an anomaly score to incoming packets. SPADE estimates the probability distribution of normal network traffic and assigns each packet an anomaly score based on a corresponding entropy measure; a frequently accessed port/IP address combination receives a lower anomaly score. The anomaly score is the negative log of the likelihood of a packet being sent to a specific port/IP address combination. The correlation engine stores the alerts generated by SPADE as events in main memory. The events are then inserted into graphs in which each node represents a packet and the links between nodes represent connections. Links are assigned weights indicating the strength of the correlation between the nodes, and the correlation engine tries to group linked events into activities that might indicate scanning [21]. One of the challenges of this detection technique is how best to model the host access distribution over a long time frame with minimal memory consumption.

Kato et al. (1999) developed a three-level tree structure for host access indexing. Host accesses are indexed first by source address, then by destination address, and finally by destination port. Any source IP that accesses three or more ports on the same destination address is considered to be a port scanner. This approach can consume a lot of memory, so a time-to-live parameter is defined for each access in the index tree, which reduces memory usage. Furthermore, they only test TCP packets in which the ACK and RST flags are set [22].

The two main problems of anomaly-based detection techniques are defining the normal behavior of a network and defining an appropriate threshold that triggers an alert [22, 23]. These limitations have directed researchers toward statistical-based approaches for identifying network anomalies and detecting network-scanning activity.

4.3 Statistical-based Approaches

In statistical approaches, the system monitors network traffic activity and creates a statistical profile representing the general behavior of the traffic. The profile represents the statistical characteristics of normal network traffic behavior, and any deviation from it is considered suspicious activity. Smaha (1998) proposed the earliest example of a statistical anomaly-based intrusion detection system (Haystack). This method incorporates user- and group-based anomaly-detection strategies and models the system parameters as independent Gaussian random variables. Haystack creates a normal profile, which includes all values considered normal for each feature. If a feature deviates from the normal range during a session, the score for the subject is increased, and an alarm is triggered when the score becomes too high. Haystack also maintains a database of user groups and individual profiles. If a user has not been seen before, a new user profile with minimal capabilities is created, with restrictions based on the user's group membership. This approach is designed to detect six types of intrusion: attempted break-ins by unauthorized users, masquerade attacks, penetration of the security control system, leakage, Denial of Service (DoS) attacks, and malicious use. The drawback of Haystack is that it was initially designed to work offline. Using statistical analysis in a real-time intrusion detection system in this way is not satisfactory, because it requires high performance and high computational power. Haystack also requires profile maintenance, so a common problem for system administrators is determining suitable attributes that might serve as good indicators of intrusive activity [24].

The Statistical Scan Anomaly Detection Engine (SCADE) [3] is a further statistical anomaly detection engine designed to detect inbound and outbound scanning. SCADE is considered to be one of the best tools for detecting scanning activity [25]. Inbound scan detection depends on the number of failed connection attempts prior to a successful connection. An inbound scanning alert is based on an anomaly score calculated using the following equation:

$s = w_1 \cdot F_h^{s} + w_2 \cdot F_l^{s}$

where $w_1$ and $w_2$ are effective weights for each port type, and $F_h^{s}$ and $F_l^{s}$ are the numbers of failed access attempts at high-severity ports and low-severity ports, respectively.

Outbound scan detection is based on a voting scheme using three anomaly-detection models, which track all the outbound connections of each internal host. The three models are as follows.

Outbound scan rate $s_1$: detects local hosts performing high-rate scans on many external addresses.

Outbound connection failure rate $s_2$: detects unusually high connection failure rates, with a sensitivity to port usage. The anomaly score $s_2$ is calculated using the following formula, where $c$ is the total number of connection attempts:

$s_2 = \frac{w_1 \cdot F_h^{s} + w_2 \cdot F_l^{s}}{c}$

Normalized entropy of the scan target distribution $s_3$: calculates a Zipf [26] power-law distribution for the outbound address connection patterns. A consistently distributed scan target model provides an indication of a possible outbound scan. A normalized entropy-based anomaly-scoring technique is used, which identifies candidates as follows.

$s_3 = \frac{H}{\ln(m)}$

$H$ is the entropy of the scan target distribution, which is equal to

$H = -\sum_{i=1}^{m} P_i \ln(P_i)$

where $m$ is the total number of scan targets and $P_i$ is the proportion of scans directed at target $i$.

However, there are difficulties in adjusting the thresholds and balancing the three voting schemes. These difficulties impact negatively on detection accuracy and increase the number of false positives. In addition, there are no standard rules for the voting scheme employed during outbound scanning detection. For example, with $\theta$ as the threshold:

if $s_1 > \theta$ and ($s_2 > \theta$ or $s_3 > \theta$) then alert = true

if $s_1 > \theta$ and $s_2 > \theta$ and $s_3 > \theta$ then alert = true

This may increase the false positive rate, because diversity increases the number of possibilities. However, statistical approaches have the capacity to detect zero-day attacks, or the very latest attacks. They can also provide accurate notification of malicious activity occurring over an extended time period. Statistical anomaly approaches also have drawbacks, because a skilled attacker can train their activity to make abnormal statistical behavior appear normal. It can also be difficult to determine an appropriate threshold that balances the likelihood of false positives against the likelihood of false negatives, which affects overall detection accuracy and sensitivity.

5. Conclusion

This paper has highlighted the severity of scanning and how malicious codes employ scanning methods to detect vulnerable services and hosts, and it has identified and discussed the existing scanning methods. The existing approaches to scanning detection were then categorized into aggregation-based, anomaly-based and statistical-based, and the advantages and drawbacks of each approach were highlighted.

Existing scanning detection techniques are unable to detect the presence of network scanning with high accuracy for reasons such as: (1) some techniques use heuristics that detect network scanning by simple counting of specific types of packet (ICMP, TCP RST) within a certain time window; (2) some techniques do not consider all the symptoms critical to detecting network scanning, such as the connection failure symptom, and even the approaches that do consider connection failure suffer from low accuracy, since not all connection failure symptoms are considered; (3) some techniques use different rules with different thresholds to detect a particular type of network scanning, such as SCADE (explained in Section 4.3). This diversity in rules and thresholds increases the number of false positives.

6. References

[1] C. Leckie and R. Kotagiri, "A probabilistic approach to detecting network scans," 2002.
[2] M. de Vivo, E. Carrasco, G. Isern, and G. O. de Vivo, "A review of port scanning techniques," ACM SIGCOMM Computer Communication Review, vol. 29.
[3] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, "BotHunter: Detecting malware infection through IDS-driven dialog correlation," 2007.
[4] Q. Li and W. Han, "An Analysis for Stochastic Model of Worm Propagation," IJACT: International Journal of Advancements in Computing Technology, vol. 4, pp. 156-164.
[5] Y. Yao, W. Qin, W. Yang, F. Gao, and G. Yu, "Modeling the Diurnal Pattern of Worm Propagation: Initial Results," AISS, vol. 3, pp. 392-400.
[6] E. Spafford, "The Internet worm program: an analysis," ACM SIGCOMM Computer Communication Review, vol. 19, p. 57.
[7] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer worm," IEEE Security & Privacy, vol. 1.
[8] Symantec, "Symantec summary of W32.Blaster.Worm."
[9] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer worm," IEEE Security & Privacy, vol. 1.
[10] D. Moore and C. Shannon, "Code-Red: a case study on the spread and victims of an Internet worm," 2002.
[11] C. Shannon and D. Moore, "The spread of the Witty worm," IEEE Security & Privacy, vol. 2.
[12] Secunia, "Virus Information: Sasser.G."
[13] F-Secure, "Computer Virus Information Pages."
[14] F-Secure, "F-Secure Virus Descriptions: Nimda."
[15] M. Roesch, "Snort: lightweight intrusion detection for networks," 1999.
[16] S. Singh, C. Estan, G. Varghese, and S. Savage, "The EarlyBird system for real-time detection of unknown worms," Citeseer.
[17] Snort, "A free lightweight network intrusion detection system for UNIX and Windows."
[18] Nmap, "Free security scanner for network exploration & security."
[19] J. Jung, V. Paxson, A. Berger, and H. Balakrishnan, "Fast portscan detection using sequential hypothesis testing," 2004.
[20] M. Mahoney and P. Chan, "PHAD: Packet header anomaly detection for identifying hostile network traffic."
[21] S. Staniford, J. A. Hoagland, and J. M. McAlerney, "Practical automated detection of stealthy portscans," Journal of Computer Security, vol. 10.
[22] N. Kato, H. Nitou, K. Ohta, G. Mansfield, and Y. Nemoto, "A real-time intrusion detection system (IDS) for large scale networks and its evaluations," IEICE Transactions on Communications, vol. 82.
[23] P. Li, M. Salour, and X. Su, "A survey of internet worm detection and containment," IEEE Communications Surveys & Tutorials, vol. 10.
[24] S. E. Smaha, "Haystack: An intrusion detection system."
[25] H. R. Zeidanloo, A. B. A. Manaf, R. B. Ahmad, M. Zamani, and S. S. Chaeikar, "A Proposed Framework for P2P Botnet Detection," IACSIT International Journal of Engineering and Technology, vol. 2.
[26] W. Reed, "The Pareto, Zipf and other power laws," Economics Letters, vol. 74.
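Worked example of the SCADE scores and the two voting rules described in Section 4.3, and of the conclusion's point that different voting rules give different verdicts on the same host. This is added illustration code, not the paper's or BotHunter's implementation; the port severity classes, the weights, the per-score thresholds (the paper writes a single threshold) and the traffic are constructed assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Assumed severity classes for the demo; SCADE's real port lists are not given in the paper.
HIGH_SEVERITY_PORTS = {135, 139, 445, 1433, 3389}


@dataclass(frozen=True)
class Attempt:
    ts: float      # seconds since the start of the observation window
    dst: str       # external address contacted
    dport: int
    failed: bool   # True when a TCP RST or ICMP type 3 came back instead of a SYN ACK


def weighted_failures(attempts, w1=1.0, w2=0.25):
    """Inbound score of Section 4.3: s = w1*F_h + w2*F_l, with F_h / F_l the failed
    attempts at high- / low-severity ports (the weights are assumed values)."""
    fh = sum(1 for a in attempts if a.failed and a.dport in HIGH_SEVERITY_PORTS)
    fl = sum(1 for a in attempts if a.failed and a.dport not in HIGH_SEVERITY_PORTS)
    return w1 * fh + w2 * fl


def s1_scan_rate(attempts, window):
    """Outbound scan rate: distinct external addresses contacted per second."""
    return len({a.dst for a in attempts}) / window


def s2_failure_rate(attempts, w1=1.0, w2=0.25):
    """s2 = (w1*F_h + w2*F_l) / c, where c is the total number of connection attempts."""
    c = len(attempts)
    return weighted_failures(attempts, w1, w2) / c if c else 0.0


def s3_normalized_entropy(attempts):
    """s3 = H / ln(m) with H = -sum P_i ln P_i over the m distinct targets; 1.0 means
    the attempts are spread evenly over the targets, as a sweep would be."""
    counts = Counter(a.dst for a in attempts)
    m, n = len(counts), len(attempts)
    if m < 2:
        return 0.0  # a single target has no spread to measure
    h = -sum((k / n) * math.log(k / n) for k in counts.values())
    return h / math.log(m)


def score_host(attempts, window=20.0):
    return {"s1": s1_scan_rate(attempts, window),
            "s2": s2_failure_rate(attempts),
            "s3": s3_normalized_entropy(attempts)}


def vote(scores, theta, rule):
    """The two example voting rules quoted in Section 4.3. theta holds one threshold
    per score (an assumption: the paper writes a single threshold symbol)."""
    over = {k: scores[k] > theta[k] for k in ("s1", "s2", "s3")}
    if rule == "A":   # alert if s1 and (s2 or s3)
        return over["s1"] and (over["s2"] or over["s3"])
    if rule == "B":   # alert if s1 and s2 and s3
        return over["s1"] and over["s2"] and over["s3"]
    raise ValueError(f"unknown rule {rule!r}")


def build_sample_hosts():
    """Constructed 20-second outbound logs for three internal hosts (not real traffic)."""
    # Worm-like host: 40 external addresses on TCP/445, 38 of them refused.
    infected = [Attempt(i * 0.5, f"198.51.100.{i + 1}", 445, failed=i >= 2) for i in range(40)]
    # P2P-like client: 30 distinct peers, each contacted once, two low-severity failures.
    p2p = [Attempt(i * 0.66, f"203.0.113.{i + 1}", 6881, failed=i < 2) for i in range(30)]
    # Mail relay: 40 deliveries to 20 MX hosts, concentrated on two of them, 24 refusals.
    mx = ["192.0.2.1"] * 11 + ["192.0.2.2"] * 11 + [f"192.0.2.{k}" for k in range(3, 21)]
    mail = [Attempt(i * 0.5, dst, 25, failed=i < 24) for i, dst in enumerate(mx)]
    return {"infected": infected, "p2p": p2p, "mail": mail}


def demo(theta=None):
    """Score each sample host and apply both voting rules; returns scores and verdicts."""
    theta = theta or {"s1": 0.5, "s2": 0.5, "s3": 0.9}
    result = {}
    for name, attempts in build_sample_hosts().items():
        scores = score_host(attempts)
        result[name] = {"scores": scores,
                        "A": vote(scores, theta, "A"),
                        "B": vote(scores, theta, "B")}
    return result


if __name__ == "__main__":
    for name, r in demo().items():
        s = r["scores"]
        print(f"{name:9s} s1={s['s1']:.2f} s2={s['s2']:.3f} s3={s['s3']:.3f} "
              f"rule A alert={r['A']} rule B alert={r['B']}")
```

With these thresholds the worm-like host trips both rules, the mail relay trips neither, and the P2P-like client trips rule A but not rule B: the same host receives different verdicts depending on which voting rule is in force, which is the false-positive risk the conclusion attributes to rule diversity.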


More information

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation Yu Gu, Andrew McCallum, Don Towsley Department of Computer Science, University of Massachusetts, Amherst, MA 01003 Abstract We develop

More information

OSSIM Fast Guide

OSSIM Fast Guide ----------------- OSSIM Fast Guide ----------------- February 8, 2004 Julio Casal http://www.ossim.net WHAT IS OSSIM? In three phrases: - VERIFICATION may be OSSIM s most valuable contribution

More information

Mapping Internet Sensors with Probe Response Attacks

Mapping Internet Sensors with Probe Response Attacks Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison

More information

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics: Network Forensics: Network OS Fingerprinting Prefix Hijacking Analysis Scott Hand September 30 th, 2011 Outline 1 Network Forensics Introduction OS Fingerprinting 2 Prefix Hijacking Theory BGP Background

More information

Multivariate Correlation Analysis based detection of DOS with Tracebacking

Multivariate Correlation Analysis based detection of DOS with Tracebacking 1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor

More information

4-2 Rapid Analysis Technologies for Live Networks

4-2 Rapid Analysis Technologies for Live Networks 4 Cyber-Security Technologies: Live Network Monitoring and Analysis Technologies 4-2 Rapid Analysis Technologies for Live Networks Ichiro SHIMADA and Yu TSUDA In targeted cyberattacks, the attackers intrude

More information

Network Security: Firewall, VPN, IDS/IPS, SIEM

Network Security: Firewall, VPN, IDS/IPS, SIEM Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience

More information

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1 Table of Contents 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1 i 1 Intrusion Detection Statistics Overview Intrusion detection is an important network

More information

IDS: Signature Detection

IDS: Signature Detection IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions

More information

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art 2015 IEEE 2015 International Conference on Computer, Communication, and Control Technology (I4CT 2015), April 21-23 in Imperial Kuching Hotel, Kuching, Sarawak, Malaysia A Review on ICMPv6 Vulnerabilities

More information

2. INTRUDER DETECTION SYSTEMS

2. INTRUDER DETECTION SYSTEMS 1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding

More information

Fast Portscan Detection Using Sequential Hypothesis Testing

Fast Portscan Detection Using Sequential Hypothesis Testing Fast Portscan Detection Using Sequential Hypothesis Testing Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan MIT Computer Science and Artificial Intelligence Laboratory Cambridge, MA

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

Host Identity Sources

Host Identity Sources The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating

More information

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL CONTENTS EXECUTIVE SUMMARY 1 WEB APPLICATION SECURITY CHALLENGES 2 INSIST ON BEST-IN-CLASS CORE CAPABILITIES 3 HARNESSING ARTIFICIAL INTELLIGENCE

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 9 Performing Vulnerability Assessments

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 9 Performing Vulnerability Assessments Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments Objectives Define risk and risk management Describe the components of risk management List

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and

More information

DDOS Attack Prevention Technique in Cloud

DDOS Attack Prevention Technique in Cloud DDOS Attack Prevention Technique in Cloud Priyanka Dembla, Chander Diwaker CSE Department, U.I.E.T Kurukshetra University Kurukshetra, Haryana, India Email: priyankadembla05@gmail.com Abstract Cloud computing

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS 1 FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN ooding: attacker

More information

ANOMALY DETECTION IN COMMUNICTION NETWORKS

ANOMALY DETECTION IN COMMUNICTION NETWORKS Anomaly Detection Summer School Lecture 2014 ANOMALY DETECTION IN COMMUNICTION NETWORKS Prof. D.J.Parish and Francisco Aparicio-Navarro Loughborough University (School of Electronic, Electrical and Systems

More information

Mapping Internet Sensors with Probe Response Attacks

Mapping Internet Sensors with Probe Response Attacks Mapping Internet Sensors with Probe Response Attacks Computer Sciences Department University of Wisconsin, Madison Introduction Outline Background Example Attack Introduction to the Attack Basic Probe

More information

BotCatch: Botnet Detection Based on Coordinated Group Activities of Compromised Hosts

BotCatch: Botnet Detection Based on Coordinated Group Activities of Compromised Hosts 2014 7th International Symposium on Telecommunications (IST'2014) BotCatch: Botnet Based on Coordinated Group Activities of Compromised Hosts Mosa Yahyazadeh and Mahdi Abadi Faculty of Electrical and Computer

More information

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK P.Priya 1, S.Tamilvanan 2 1 M.E-Computer Science and Engineering Student, Bharathidasan Engineering College, Nattrampalli. 2

More information

ProCurve Network Immunity

ProCurve Network Immunity ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

More information

Outline. Intrusion Detection. Intrusion Detection History. Some Challenges. Network-based Host Compromises. Host-based Network Intrusion Detection

Outline. Intrusion Detection. Intrusion Detection History. Some Challenges. Network-based Host Compromises. Host-based Network Intrusion Detection Intrusion Detection CS 161/194-1 Anthony D. Joseph September 14, 2005 History Outline Network-based Host Compromise Host-based Network Intrusion Detection Signature-based Anomaly-based Distributed Network

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

Security: Worms. Presenter: AJ Fink Nov. 4, 2004

Security: Worms. Presenter: AJ Fink Nov. 4, 2004 Security: Worms Presenter: AJ Fink Nov. 4, 2004 1 It s a War Out There 2 Analogy between Biological and Computational Mechanisms The spread of self-replicating program within computer systems is just like

More information

Security System and COntrol 1

Security System and COntrol 1 Security System and COntrol 1 Network Security Reading list Recommended: www.cert.org Security System and COntrol 3 Internet Connectivity Advantage: private networks able to reach and communicate with

More information

DNS-based Detection of Scanning Worms in an Enterprise Network

DNS-based Detection of Scanning Worms in an Enterprise Network DNS-based Detection of Scanning Worms in an Enterprise Network David Whyte Evangelos Kranakis P.C. van Oorschot August 24, 2004 Abstract Worms are arguably the most serious security threat facing the Internet.

More information

Lecture 12. Application Layer. Application Layer 1

Lecture 12. Application Layer. Application Layer 1 Lecture 12 Application Layer Application Layer 1 Agenda The Application Layer (continue) Web and HTTP HTTP Cookies Web Caches Simple Introduction to Network Security Various actions by network attackers

More information

ARAKIS An Early Warning and Attack Identification System

ARAKIS An Early Warning and Attack Identification System ARAKIS An Early Warning and Attack Identification System Piotr Kijewski Piotr.Kijewski@cert.pl 16th Annual FIRST Conference June 13-18, Budapest, Hungary Presentation outline Trends in large scale malicious

More information

A Knowledge-based Alert Evaluation and Security Decision Support Framework 1

A Knowledge-based Alert Evaluation and Security Decision Support Framework 1 A Knowledge-based Alert Evaluation and Security Decision Support Framework 1 Jinqiao Yu Department of Mathematics and Computer Science Illinois Wesleyan Univerisity P.O.Box 2900 Bloomington, IL 61701 Ramana

More information

Chapter 10: Denial-of-Services

Chapter 10: Denial-of-Services Chapter 10: Denial-of-Services Technology Brief This chapter, "Denial-of-Service" is focused on DoS and Distributed Denial-of-Service (DDOS) attacks. This chapter will cover understanding of different

More information

An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets.

An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets. An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets. Ignus van Zyl 1 Statement of problem Network telescopes

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

Network Configuration Example

Network Configuration Example Network Configuration Example Configuring Active Flow Monitoring Version 9 Modified: 2017-01-18 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All

More information

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document

More information

Forensic Analysis for Epidemic Attacks in Federated Networks

Forensic Analysis for Epidemic Attacks in Federated Networks Forensic Analysis for Epidemic Attacks in Federated Networks Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui Zhang Carnegie Mellon University Presented by Gaurav Shah (Based on slides by Yinglian Xie

More information

Hardware Supports for Network Traffic Anomaly Detection

Hardware Supports for Network Traffic Anomaly Detection Hardware Sups for Network Traffic Anomaly Detection Dae-won Kim and Jin-tae Oh Electronics and Telecommunications Research Institute in Korea Abstract - Modern network systems are plagued with unknown

More information

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 22

CIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 22 CIS 551 / TCOM 401 Computer and Network Security Spring 2006 Lecture 22 Nmap screen shot http://www.insecure.org/nmap http://www.insecure.org/nmap/nmap-fingerprinting-article.html 4/11/06 CIS/TCOM 551

More information

Configuring Flood Protection

Configuring Flood Protection Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall

More information

IDS / SNORT. Matsuzaki maz Yoshinobu stole slides from Fakrul Alam

IDS / SNORT. Matsuzaki maz Yoshinobu stole slides from Fakrul Alam IDS / SNORT Matsuzaki maz Yoshinobu stole slides from Fakrul Alam 1 Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied promptly enough Antivirus signatures not

More information

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: Intruders significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: masquerader misfeasor clandestine user varying levels of competence

More information

Efficient Content-Based Detection of Zero-Day Worms

Efficient Content-Based Detection of Zero-Day Worms Efficient Content-Based Detection of Zero-Day Worms Institute of Computer Science Foundation for Research & Technology Hellas P.O. Box 135 Heraklio, GR-711-1 GREECE Email: {akritid,markatos}@ics.forth.gr

More information

Check Point DDoS Protector Simple and Easy Mitigation

Check Point DDoS Protector Simple and Easy Mitigation Check Point DDoS Protector Simple and Easy Mitigation Jani Ekman janie@checkpoint.com Sales Engineer DDoS Protector 1 (D)DoS Attacks 2 3 4 DDoS Protector Behavioral DoS Protection Summary 2 What is an

More information

A Review Paper on Network Security Attacks and Defences

A Review Paper on Network Security Attacks and Defences EUROPEAN ACADEMIC RESEARCH Vol. IV, Issue 12/ March 2017 ISSN 2286-4822 www.euacademic.org Impact Factor: 3.4546 (UIF) DRJI Value: 5.9 (B+) A Review Paper on Network Security Attacks and ALLYSA ASHLEY

More information

The evolution of malevolence

The evolution of malevolence Detection of spam hosts and spam bots using network traffic modeling Anestis Karasaridis Willa K. Ehrlich, Danielle Liu, David Hoeflin 4/27/2010. All rights reserved. AT&T and the AT&T logo are trademarks

More information

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow Arturo Servin Computer Science, University of York aservin@cs.york.ac.uk Abstract. Protection of computer networks against security

More information

Malware, , Database Security

Malware,  , Database Security Malware, E-mail, Database Security Malware A general term for all kinds of software with a malign purpose Viruses, Trojan horses, worms etc. Created on purpose Can Prevent correct use of resources (DoS)

More information

Stochastic Analysis of Horizontal IP Scanning

Stochastic Analysis of Horizontal IP Scanning Stochastic Analysis of Horizontal IP Scanning Derek Leonard, Zhongmei Yao,, Xiaoming Wang, and Dmitri Loguinov Internet Research Lab Department of Computer Science and Engineering Texas A&M University

More information

Chapter 9. Firewalls

Chapter 9. Firewalls Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however

More information

NEDAC: A WORM COUNTERMEASURE MECHANISM

NEDAC: A WORM COUNTERMEASURE MECHANISM Science World Journal Vol 11 ( 1) 2016 NEDAC: A WORM COUNTERMEASURE MECHANISM * 1 Muhammad Aminu Ahmad, 1 Abubakar S. Magaji and 1 Sani Dari 1 Department of Mathematical Sciences, Faculty of Science, Kaduna

More information

Module 19 : Threats in Network What makes a Network Vulnerable?

Module 19 : Threats in Network What makes a Network Vulnerable? Module 19 : Threats in Network What makes a Network Vulnerable? Sharing Unknown path Many points of attack What makes a network vulnerable? Unknown perimeter Anonymity Complexity of system Categories of

More information

Demystifying Service Discovery: Implementing an Internet-Wide Scanner

Demystifying Service Discovery: Implementing an Internet-Wide Scanner Demystifying Service Discovery: Implementing an Internet-Wide Scanner Derek Leonard Joint work with Dmitri Loguinov Internet Research Lab Department of Computer Science and Engineering Texas A&M University,

More information

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies Comparison of Firewall, Intrusion Prevention and Antivirus Technologies (How each protects the network) Dr. Gaurav Kumar Jain Email: gaurav.rinkujain.jain@gmail.com Mr. Pradeep Sharma Mukul Verma Abstract

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information

More information

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Keywords: Intelligent Next-Generation Firewall (ingfw), Unknown Threat, Abnormal Parameter, Abnormal Behavior,

More information

Exposure Maps: Removing Reliance on Attribution During Scan Detection

Exposure Maps: Removing Reliance on Attribution During Scan Detection Exposure Maps: Removing Reliance on Attribution During Scan Detection David Whyte P.C. van Oorschot Evangelos Kranakis Abstract Current scanning detection algorithms are based on an underlying assumption

More information

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review ACS-3921-001/4921-001 Computer Security And Privacy Fall 2018 Mid-Term Review ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been adopted and/or modified

More information

Unit 4: Firewalls (I)

Unit 4: Firewalls (I) Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting

More information

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development

Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development Weekly Tasks Week 5 Rich Macfarlane 2013 Week Date Teaching Attended 5 Feb 2013 Lab 7: Snort IDS Rule Development Aim: The aim of these labs are to further investigate the Snort, network IDS, and methods

More information

IDENTIFYING MALICIOUS DATA IN SOCIAL MEDIA

IDENTIFYING MALICIOUS DATA IN SOCIAL MEDIA IDENTIFYING MALICIOUS DATA IN SOCIAL MEDIA M.Sai Sri Lakshmi Yellari 1, M.Manisha 2, J.Dhanesh 3,M.Srinivasa Rao 4,Dr.S.Suhasini 5 1Student, Dept. of Information Technology, Velagapudi Ramakrishna Siddhartha

More information

Introduction to Security. Computer Networks Term A15

Introduction to Security. Computer Networks Term A15 Introduction to Security Computer Networks Term A15 Intro to Security Outline Network Security Malware Spyware, viruses, worms and trojan horses, botnets Denial of Service and Distributed DOS Attacks Packet

More information

Real-time detection and containment of network attacks using QoS Regulation

Real-time detection and containment of network attacks using QoS Regulation Real-time detection and containment of network attacks using QoS Regulation Seong Soo Kim and A. L. Narasimha Reddy Department of Electrical Engineering Texas A&M University College Station, TX 77843-3128,

More information

A Flow Based Horizontal Scan Detection Using Genetic Algorithm Approach. These authors contributed to the same extend

A Flow Based Horizontal Scan Detection Using Genetic Algorithm Approach. These authors contributed to the same extend A Flow Based Horizontal Scan Detection Using Genetic Algorithm Approach BARATI, M. 1*,, HAKIMI, Z. 1*, JAVADI, A.H. 2 1 Department of Computer Engineering, Qazvin Branch, Islamic Azad University, Qazvin,

More information