Title :
Limitations to threshold random walk scan detection and mitigating enhancements
Author :
Mell, Peter ; Harang, Richard
Author_Institution :
Nat. Inst. of Stand. & Technol., Gaithersburg, MD, USA
Abstract :
This paper discusses limitations in one of the most widely cited single source scan detection algorithms: threshold random walk (TRW). If an attacker knows that TRW is being employed, these limitations enable full circumvention allowing undetectable high speed full horizontal and vertical scanning of target networks from a single Internet Protocol address. To mitigate the discovered limitations, we provide 3 enhancements to TRW and analyze the increased cost in computational complexity and memory. Even with these mitigations in place, circumvention is still possible but only through collaborative scanning (something TRW was not designed to detect) with a significant increase in the required level of effort and usage of resources.
Keywords :
IP networks; computational complexity; computer network security; protocols; random processes; Internet protocol address; TRW; collaborative scanning; computational complexity; cost analysis; enhancement mitigation; memory; single-source scan detection algorithms; target networks; threshold random walk scan detection; undetectable high-speed full-horizontal scanning; undetectable high-speed full-vertical scanning; Blindness; IP networks; Monitoring; Ports (Computers); Probes; Protocols; Reservoirs; Intrusion Detection; Scanning;
Conference_Titel :
Communications and Network Security (CNS), 2013 IEEE Conference on
Conference_Location :
National Harbor, MD
DOI :
10.1109/CNS.2013.6682723
