Title :
An experimental evaluation to determine if port scans are precursors to an attack
Author :
Panjwani, Susmit ; Tan, Stephanie ; Jarrin, Keith M. ; Cukier, Michel
Author_Institution :
Dept. of Mech. Eng., Maryland Univ., College Park, MD, USA
fDate :
28 June-1 July 2005
Abstract :
This paper describes an experimental approach to determine the correlation between port scans and attacks. Discussions in the security community often state that port scans should be considered as precursors to an attack. However, very few studies have been conducted to quantify the validity of this hypothesis. In this paper, attack data were collected using a test-bed dedicated to monitoring attackers. The data collected consist of port scans, ICMP scans, vulnerability scans, successful attacks and management traffic. Two experiments were performed to validate the hypothesis of linking port scans and vulnerability scans to the number of packets observed per connection. Customized scripts were then developed to filter the collected data and group them on the basis of scans and attacks between a source and destination IP address pair. The correlation of the filtered data groups was assessed. The analyzed data consists of forty-eight days of data collection for two target computers on a heavily utilized subnet.
Keywords :
IP networks; computer crime; telecommunication security; telecommunication traffic; ICMP scans; IP address; attack data collection; filtered data groups; management traffic; port scans; vulnerability scans; Data analysis; Data security; Educational institutions; Engineering profession; Filtering; Filters; Joining processes; Mechanical engineering; Monitoring; Testing;
Conference_Titel :
Dependable Systems and Networks, 2005. DSN 2005. Proceedings. International Conference on
Print_ISBN :
0-7695-2282-3
DOI :
10.1109/DSN.2005.18
