Exposure Maps: Removing Reliance on Attribution During Scan Detection
David Whyte, P.C. van Oorschot, Evangelos Kranakis

Outline
• Scanning detection challenges
• Problems with attribution-based detection techniques
• Exposure Maps
• Experimental Results
• Conclusions
Scanning Detection Challenges
• Sophisticated scanning techniques
  • Slow
  • Fragmented
  • Idle
  • Distributed (Botnet)
• I detected a scan
  • Was it successful?
  • What did it reveal?
• Volume of Internet “whitenoise”
  • Backscatter
  • Worm propagation (known)
  • Network diagnostics
  • Web spiders
  • Wrong numbers
Attribution-based Scanning Detection
• Variety of scanning detection techniques
  • Observing connection failures
  • Abnormal network behavior
  • Connections to darkspace
  • Increased connection attempts
• The majority of these rely on correlating scanning activity based on the perceived last hop
• The focus of detection is who is scanning instead of what is being scanned
Shifting Focus
• Attribution is not practical for an increasing number of sophisticated scanning techniques
• Focus on attribution overlooks critical components of any observed scanning campaign:
  • What are my adversaries looking for?
  • Has the network behavior changed as a result of being scanned?
• Exemplar technique: Exposure Maps
Exposure Maps (1/2)
• Passively observe network traffic (training period)
• Ignore network traffic initiated from the inside
• Record only internal system responses to external events, such as:
  • TCP: SYN ACK
  • TCP: RST
  • UDP: IP pairs list
  • ICMP: echo reply, host not found, time exceeded
Exposure Maps (2/2)
• Host Exposure Map (HEM)
  • Visible and enumerated services
  • Externally visible interface of an individual host
• Network Exposure Map (NEM)
  • Union of the HEMs in a target network
  • Externally visible interface of the network
• Let your adversaries do the vulnerability scanning for you!
Sample NEM (proof-of-concept)
• Test network size: 1/4 Class C
• Test period: two weeks
• NEM was stable within 12 hours of the testing period
Scan Detection
• An incoming connection is defined as any atomic TCP connection, UDP datagram or ICMP datagram
• A connection attempt to a host/port combination outside of the NEM is considered a scan and recorded
• No connection state tracking required
Post-Scan Detection Activities
• Monitor changes in the NEM
  • Validate new services offered
  • Unexpected changes in the NEM may indicate compromise
• Monitor changes in network scanning activity
  • Spikes in scanning activity may indicate a new exploit
• Attribution is possible after scan detection for most unsophisticated and certain classes of sophisticated scanning activity
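The three preceding slides (building HEMs/NEM from passively observed responses, judging each incoming packet against the NEM with no connection state, and then watching the NEM and scan volume for changes) fit in one small program. The following is an added illustration written for this page; it is not the authors' proof-of-concept code. It works over constructed packet records rather than real captures, treats only TCP SYN-ACK, UDP replies and the listed ICMP reply types as exposures (TCP RST responses are deliberately left out of this simplified version), and the spike threshold and time window are assumed values, not figures from the talk.

```python
from collections import Counter

# Constructed sample traffic (not data from the paper).  One tuple per packet
# seen at the network border:
#   (time_s, direction, proto, src, sport, dst, dport, extra)
# direction: "in" = from the Internet, "out" = from the monitored network
# extra:     TCP flags ("S", "SA", "R", "A"), ICMP type name, or "" for UDP
TRAINING = [
    (1, "in",   "tcp",  "198.51.100.7", 40000, "10.0.0.5",     80,    "S"),
    (1, "out",  "tcp",  "10.0.0.5",     80,    "198.51.100.7", 40000, "SA"),
    (2, "in",   "tcp",  "198.51.100.8", 40001, "10.0.0.5",     22,    "S"),
    (2, "out",  "tcp",  "10.0.0.5",     22,    "198.51.100.8", 40001, "SA"),
    (3, "in",   "udp",  "198.51.100.9", 5353,  "10.0.0.9",     53,    ""),
    (3, "out",  "udp",  "10.0.0.9",     53,    "198.51.100.9", 5353,  ""),
    (4, "in",   "icmp", "198.51.100.9", 0,     "10.0.0.9",     0,     "echo-request"),
    (4, "out",  "icmp", "10.0.0.9",     0,     "198.51.100.9", 0,     "echo-reply"),
    (5, "out",  "tcp",  "10.0.0.5",     51000, "203.0.113.1",  443,   "S"),   # initiated inside: ignored
    (6, "in",   "tcp",  "198.51.100.7", 40002, "10.0.0.5",     3389,  "S"),
    (6, "out",  "tcp",  "10.0.0.5",     3389,  "198.51.100.7", 40002, "R"),   # RST: not an offered service here
]

MONITORING = [
    (100, "in",  "tcp",  "192.0.2.10", 40000, "10.0.0.5", 80,   "S"),            # inside NEM: normal
    (101, "in",  "tcp",  "192.0.2.10", 40001, "10.0.0.5", 445,  "S"),            # port outside NEM: scan
    (102, "in",  "tcp",  "192.0.2.10", 40002, "10.0.0.6", 22,   "S"),            # host outside NEM: scan
    (103, "in",  "udp",  "192.0.2.11", 5000,  "10.0.0.9", 161,  ""),             # scan
    (104, "in",  "icmp", "192.0.2.11", 0,     "10.0.0.7", 0,    "echo-request"), # scan
    (105, "in",  "tcp",  "192.0.2.12", 40003, "10.0.0.5", 80,   "A"),            # bare ACK: not an attempt
    (200, "in",  "tcp",  "192.0.2.13", 40004, "10.0.0.5", 8080, "S"),            # scan ...
    (200, "out", "tcp",  "10.0.0.5",   8080,  "192.0.2.13", 40004, "SA"),        # ... and a new service answers
]

# ICMP responses the slide lists as recorded, and the request type that elicits
# the one we can match to an inbound probe (assumed pairing for this example).
ICMP_REPLIES = ("echo-reply", "host-not-found", "time-exceeded")
ICMP_PAIRS = {"echo-request": "echo-reply"}


def exposure_key(pkt):
    """Map an outbound response packet to the HEM entry it reveals, or None.
    Only responses count: traffic the inside initiates (outbound SYN) is ignored."""
    _, direction, proto, src, sport, _, _, extra = pkt
    if direction != "out":
        return None
    if proto == "tcp" and extra == "SA":
        return (src, "tcp", sport)
    if proto == "udp":
        return (src, "udp", sport)
    if proto == "icmp" and extra in ICMP_REPLIES:
        return (src, "icmp", extra)
    return None


def attempt_key(pkt):
    """Map an inbound packet to the host/port (or ICMP type) it probes, or None
    if it is not a connection attempt."""
    _, direction, proto, _, _, dst, dport, extra = pkt
    if direction != "in":
        return None
    if proto == "tcp" and extra == "S":
        return (dst, "tcp", dport)
    if proto == "udp":
        return (dst, "udp", dport)
    if proto == "icmp" and extra in ICMP_PAIRS:
        return (dst, "icmp", ICMP_PAIRS[extra])
    return None


def build_hems(records):
    """Host Exposure Maps: host -> set of (proto, port-or-icmp-type) it answered on."""
    hems = {}
    for pkt in records:
        key = exposure_key(pkt)
        if key is not None:
            hems.setdefault(key[0], set()).add(key[1:])
    return hems


def build_nem(hems):
    """Network Exposure Map: the union of all HEMs as (host, proto, port) triples."""
    return {(host, proto, port) for host, svcs in hems.items() for proto, port in svcs}


def detect_scans(records, nem):
    """Judge every inbound attempt on its own against the NEM; no per-flow state."""
    scans = []
    for pkt in records:
        key = attempt_key(pkt)
        if key is not None and key not in nem:
            scans.append((pkt[0], pkt[3], key))   # (time, external source, probed target)
    return scans


def nem_changes(old_nem, new_nem):
    """Post-detection check: exposures that appeared or vanished since the last map."""
    return sorted(new_nem - old_nem), sorted(old_nem - new_nem)


def scan_spikes(scans, window_s, baseline):
    """Return time windows whose scan count exceeds `baseline` (assumed threshold)."""
    counts = Counter(t // window_s for t, _, _ in scans)
    return sorted(w for w, n in counts.items() if n > baseline)


def run():
    nem = build_nem(build_hems(TRAINING))
    scans = detect_scans(MONITORING, nem)
    updated = build_nem(build_hems(TRAINING + MONITORING))
    appeared, vanished = nem_changes(nem, updated)
    return nem, scans, appeared, scan_spikes(scans, window_s=10, baseline=3)


if __name__ == "__main__":
    nem, scans, appeared, spikes = run()
    print("NEM:", sorted(nem, key=str))
    print("Scans:", scans)
    print("New exposures to validate:", appeared)
    print("Scan spike windows:", spikes)
```

Note how the bare ACK at t=105 is never judged at all: the detector classifies atomic packets, so a half-open or fragmented probe that never completes a handshake still shows up as a scan the moment it targets something outside the map, while the SYN-ACK on port 8080 at t=200 surfaces as a NEM change that an operator should validate as a sanctioned new service or investigate as a possible compromise.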
Conclusions
• Shifting focus away from attribution during scan detection may provide a means to detect sophisticated scanning campaigns
• The true insight that can be gained by scanning detection is not who is scanning you but what they are scanning for
Discussion
dlwhyte@scs.carleton.ca
Observed Sophisticated Scanning
• “Slice and dice” recorded scans using a variety of attributes
• Slow scan: pcAnywhere, ~15 min intervals
• Possible distributed scan: 6 systems from the same class C network with the same scanning footprint
Exposures vs. Scanning Activity
• Network scanning possibilities
• In practice: |NEM| < |A| < |E|