
SoS Newsletter



Network Reconnaissance 2015

The capacity to survey, analyze, and assess a network is a critical aspect of developing resilient systems. The work cited here addresses multiple methods and approaches to network reconnaissance. All were presented in 2015.

Jafarian, J.H.; Al-Shaer, E.; Qi Duan, "Adversary-Aware IP Address Randomization for Proactive Agility Against Sophisticated Attackers," in Computer Communications (INFOCOM), 2015 IEEE Conference on, pp. 738-746, April 26 2015-May 1 2015. doi: 10.1109/INFOCOM.2015.7218443

Abstract: Network reconnaissance of IP addresses and ports is prerequisite to many host and network attacks. Meanwhile, static configurations of networks and hosts simplify this adversarial reconnaissance. In this paper, we present a novel proactive-adaptive defense technique that turns end-hosts into untraceable moving targets, and establishes dynamics into static systems by monitoring the adversarial behavior and reconfiguring the addresses of network hosts adaptively. This adaptability is achieved by discovering hazardous network ranges and addresses and evacuating network hosts from them quickly. Our approach maximizes adaptability by (1) using fast and accurate hypothesis testing for characterization of adversarial behavior, and (2) achieving a very fast IP randomization (i.e., update) rate through separating randomization from end-hosts and managing it via network appliances. The architecture and protocols of our approach can be transparently deployed on legacy networks, as well as software-defined networks. Our extensive analysis and evaluation show that by adaptive distortion of adversarial reconnaissance, our approach slows down the attack and increases its detectability, thus significantly raising the bar against stealthy scanning, major classes of evasive scanning and worm propagation, as well as targeted (hacking) attacks.

Keywords: IP networks; computer network security; software defined networking; adversary-aware IP address randomization; network hosts; proactive agility; software-defined networks; sophisticated attackers; Conferences; IP networks; Logic gates; Probes; Protocols; Reconnaissance; Servers (ID#: 16-9110)



Yue-Bin Luo; Bao-Sheng Wang; Xiao-Feng Wang; Xiao-Feng Hu; Gui-Lin Cai; Hao Sun, "RPAH: Random Port and Address Hopping for Thwarting Internal and External Adversaries," in Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, pp. 263-270, 20-22 Aug. 2015. doi: 10.1109/Trustcom.2015.383

Abstract: Network servers and applications commonly use static IP addresses and communication ports, making themselves easy targets for network reconnaissance and attacks. Port and address hopping is a novel and effective moving target defense (MTD) which hides network servers and applications by constantly changing IP addresses and ports. In this paper, we develop a novel port and address hopping mechanism called Random Port and Address Hopping (RPAH), which constantly and unpredictably mutates IP addresses and communication ports based on source identity, service identity as well as time at a high rate. RPAH provides a stronger and more effective MTD mechanism with three hopping frequencies, i.e., source hopping, service hopping and temporal hopping. In RPAH networks, the real IPs (rIPs) and real ports (rPorts) remain untouched and packets are routed based on dynamic and temporary virtual IPs (vIPs) of servers. Therefore, messages from adversaries using static, invalid or inactive IP addresses/ports will be detected and denied. Our experiments and evaluation show that RPAH is effective in defense against various internal and external threats such as network scanning, SYN flooding attack and worm propagation, while introducing an acceptable operation overhead.

Keywords: IP networks; computer network security; frequency hop communication; MTD; RPAH; SYN flooding attack; communication ports; moving target defense; network scanning; network servers; random port and address hopping; static IP address; worm propagation; Demultiplexing; IP networks; Internet; Ports (Computers); Security; Servers; Synchronization; dynamic mutation; moving target defense; network security; port and address hopping (ID#: 16-9111)



Voyiatzis, A.G.; Katsigiannis, K.; Koubias, S., "A Modbus/TCP Fuzzer for Testing Internetworked Industrial Systems," in Emerging Technologies & Factory Automation (ETFA), 2015 IEEE 20th Conference on, pp. 1-6, 8-11 Sept. 2015. doi: 10.1109/ETFA.2015.7301400

Abstract: Modbus/TCP is a network protocol for industrial communications encapsulated in TCP/IP network packets. There is an increasing need to test existing Modbus protocol implementations for security vulnerabilities, as devices become accessible even from the Internet. Fuzz testing can be used to discover implementation bugs in a fast and economical way. We present the design and implementation of MTF, a Modbus/TCP Fuzzer. The MTF incorporates a reconnaissance phase in the testing procedure so as to assist mapping the capabilities of the tested device and to adjust the attack vectors towards a more guided and informed testing rather than plain random testing. The MTF was used to test eight implementations of the Modbus protocol and revealed bugs and vulnerabilities that crash the execution, effectively resulting in denial of service attacks using only a few network packets.

Keywords: Internet; computer network security; industrial control; program debugging; program testing; transport protocols; MTF design; MTF implementation; Modbus protocol implementations; Modbus/TCP fuzzer; TCP/IP network packets; attack vectors; denial-of-service attacks; fuzz testing; industrial communications; internetworked industrial system testing; network protocol; reconnaissance phase; security vulnerabilities; testing procedure; Computer crashes; Computer crime; Protocols; Reconnaissance; Sockets; Software; Testing (ID#: 16-9112)



Albanese, M.; Battista, E.; Jajodia, S., "A Deception Based Approach for Defeating OS and Service Fingerprinting," in Communications and Network Security (CNS), 2015 IEEE Conference on, pp. 317-325, 28-30 Sept. 2015. doi: 10.1109/CNS.2015.7346842

Abstract: Cyber attacks are typically preceded by a reconnaissance phase in which attackers aim at collecting critical information about the target system, including information about network topology, services, operating systems, and unpatched vulnerabilities. Specifically, operating system fingerprinting aims at determining the operating system of a remote host in either a passive way, through sniffing and traffic analysis, or an active way, through probing. Similarly, service fingerprinting aims at determining what services are running on a remote host. In this paper, we propose an approach to defeat an attacker's fingerprinting effort through deception. To defeat OS fingerprinting, we manipulate outgoing traffic so that it resembles traffic generated by a host with a different operating system. Similarly, to defeat service fingerprinting, we modify the service banner by intercepting and manipulating certain packets before they leave the host or network. Experimental results show that our approach can efficiently and effectively deceive an attacker.

Keywords: computer network security; operating systems (computers); telecommunication network topology; telecommunication services; telecommunication traffic; OS fingerprinting; attacker fingerprinting; cyber attacks; deception based approach; network topology; operating system fingerprinting; outgoing traffic; reconnaissance phase; remote host; service banner; service fingerprinting; traffic analysis; Fingerprint recognition; IP networks; Operating systems; Ports (Computers); Probes; Protocols; Standards (ID#: 16-9113)



Costin, A., "All Your Cluster-Grids Are Belong to Us: Monitoring the (In)Security of Infrastructure Monitoring Systems," in Communications and Network Security (CNS), 2015 IEEE Conference on, pp. 550-558, 28-30 Sept. 2015. doi: 10.1109/CNS.2015.7346868

Abstract: Monitoring of high-performance computing systems and their components, such as clusters, grids and federations of clusters, is performed using monitoring systems for servers and networks, or Network Monitoring Systems (NMS). These monitoring tools assist system administrators in assessing and improving the health of their infrastructure. A successful attack on the infrastructure monitoring tools grants the attacker elevated power over the monitoring tasks, and eventually over some management functionality of the interface or over hosts running those interfaces. Additionally, detailed and accurate fingerprinting and reconnaissance of a target infrastructure is possible when such interfaces are publicly exposed. A successful reconnaissance allows an attacker to craft efficient second-stage attacks, such as targeted, mimicry and blended attacks. We provide in this paper a comprehensive security analysis of some of the most popular infrastructure monitoring tools for grids, clusters and High-Performance Computing (HPC) systems. We also provide insights based on the infrastructure data openly exposed over the Internet. The wide use of some of the most popular infrastructure monitoring tools makes this data exposure possible. For example, we found such monitoring interfaces to expose infrastructure details of systems inside many high-profile organizations, including two top national laboratories for nuclear research and one top Internet non-profit foundation. We also present our findings on a plethora of web vulnerabilities in the entire version-span of such monitoring tools, and discuss at a high level the possible attacks. The results of our research allow us to "monitor" an "alarming" mismanagement reality of grid infrastructure. The aim of this work is to raise awareness about this novel risk to cloud infrastructure.

Keywords: Internet; cloud computing; grid computing; parallel processing; security of data; system monitoring; workstation clusters; HPC systems; Internet; NMS; Web vulnerabilities; cloud infrastructure; clusters; comprehensive security analysis; grid infrastructure; high-performance computing; infrastructure monitoring systems; insecurity monitoring; network monitoring systems; open data exposure; Cloud computing; Kernel; Monitoring; Ports (Computers); Privacy; Security; Servers (ID#: 16-9114)



Ward, J.R.; Younis, M., "Distributed Beamforming Relay Selection to Increase Base Station Anonymity in Wireless Ad Hoc Networks," in Computer Communication and Networks (ICCCN), 2015 24th International Conference on, pp. 1-8, 3-6 Aug. 2015. doi: 10.1109/ICCCN.2015.7288399

Abstract: Wireless ad hoc networks have become valuable assets to both the commercial and military communities with applications ranging from industrial control on a factory floor to reconnaissance of a hostile border. In most applications, nodes act as data sources and forward information to a central base station (BS) that may also perform network management tasks. The critical role of the BS makes it a target for an adversary's attack. Even if an ad hoc network employs conventional security primitives such as encryption and authentication, an adversary can apply traffic analysis techniques to find the BS. Therefore, the BS should be kept anonymous to protect its identity, role, and location. Previous work has demonstrated distributed beamforming to be an effective technique to boost BS anonymity in wireless ad hoc networks; however, the increased anonymity and corresponding energy consumption depend on the quality and quantity of selected helper relays. In this paper we present a novel, distributed approach for determining a set of relays per hop that boosts BS anonymity using evidence theory analysis while minimizing energy consumption. The identified relay set is further prioritized using local wireless channel statistics. The simulation results demonstrate the effectiveness of our approach.

Keywords: ad hoc networks; array signal processing; relay networks (telecommunication); telecommunication network management; telecommunication power management; telecommunication security; wireless channels; central base station; commercial community; distributed beamforming relay selection; energy consumption minimization; evidence theory analysis; hostile border; identity protection; industrial control; local wireless channel statistics; military community; traffic analysis technique; wireless ad hoc network security; Array signal processing; Mobile ad hoc networks; Protocols; Relays; Synchronization; Wireless communication (ID#: 16-9115)



Hirayama, Takayuki; Toyoda, Kentaroh; Sasase, Iwao, "Fast Target Link Flooding Attack Detection Scheme by Analyzing Traceroute Packets Flow," in Information Forensics and Security (WIFS), 2015 IEEE International Workshop on, pp. 1-6, 16-19 Nov. 2015. doi: 10.1109/WIFS.2015.7368594

Abstract: Recently, a botnet based DDoS (Distributed Denial of Service) attack, called target link flooding attack, has been reported that cuts off specific links over the Internet and disconnects a specific region from other regions. Detecting or mitigating the target link flooding attack is more difficult than legacy DDoS attack techniques, since attacking flows do not reach the target region. Although many mitigation schemes are proposed, they detect the attack after it occurs. In this paper, we propose a fast target link flooding attack detection scheme by leveraging the fact that the traceroute packets are increased before the attack caused by the attacker's reconnaissance. Moreover, by analyzing the characteristic of the target link flooding attack that the number of traceroute packets simultaneously increases in various regions over the network, we propose a detection scheme with multiple detection servers to eliminate false alarms caused by sudden increase of traceroute packets sent by legitimate users. We show the effectiveness of our scheme by computer simulations.

Keywords: Computational modeling; Reconnaissance (ID#: 16-9116)



Vukalovic, J.; Delija, D., "Advanced Persistent Threats - Detection and Defense," in Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2015 38th International Convention on, pp. 1324-1330, 25-29 May 2015. doi: 10.1109/MIPRO.2015.7160480

Abstract: The term "Advanced Persistent Threat" refers to a well-organized, malicious group of people who launch stealthy attacks against computer systems of specific targets, such as governments, companies or the military. The attacks themselves are long-lasting, difficult to expose and often use very advanced hacking techniques. Since they are advanced in nature, prolonged and persistent, the organizations behind them have to possess a high level of knowledge, advanced tools and competent personnel to execute them. The attacks are usually performed in several phases - reconnaissance, preparation, execution, gaining access, information gathering and connection maintenance. In each of the phases attacks can be detected with different probabilities. There are several ways to increase the level of security of an organization in order to counter these incidents. First and foremost, it is necessary to educate users and system administrators on different attack vectors and provide them with knowledge and protection so that the attacks are unsuccessful. Second, implement strict security policies. That includes access control and restrictions (to information or network), protecting information by encrypting it and installing the latest security upgrades. Finally, it is possible to use software IDS tools to detect such anomalies (e.g. Snort, OSSEC, Sguil).

Keywords: authorisation; cryptography; data protection; access control; advanced persistent threats; anomaly detection; attack vectors; computer systems; encryption; security policies; security upgrades; software IDS tools; Command and control systems; Data mining; Malware; Monitoring; Organizations; Servers (ID#: 16-9117)



Kotson, M.C.; Schulz, A., "Characterizing Phishing Threats with Natural Language Processing," in Communications and Network Security (CNS), 2015 IEEE Conference on, pp. 308-316, 28-30 Sept. 2015. doi: 10.1109/CNS.2015.7346841

Abstract: Spear phishing is a widespread concern in the modern network security landscape, but there are few metrics that measure the extent to which reconnaissance is performed on phishing targets. Spear phishing emails closely match the expectations of the recipient, based on details of their experiences and interests, making them a popular propagation vector for harmful malware. In this work we use Natural Language Processing techniques to investigate a specific real-world phishing campaign and quantify attributes that indicate a targeted spear phishing attack. Our phishing campaign data sample comprises 596 emails - all containing a web bug and a Curriculum Vitae (CV) PDF attachment - sent to our institution from a foreign IP space. The campaign was found to exclusively target specific demographics within our institution. Performing a semantic similarity analysis between the senders' CV attachments and the recipients' LinkedIn profiles, we conclude with high statistical certainty (p < 10^-4) that the attachments contain targeted rather than randomly selected material. Latent Semantic Analysis further demonstrates that individuals who were a primary focus of the campaign received CVs that are highly topically clustered. These findings differentiate this campaign from one that leverages random spam.

Keywords: computer crime; computer network security; invasive software; natural language processing; statistical analysis; unsolicited e-mail; Web bug; curriculum vitae PDF attachment; foreign IP space; latent semantic analysis; malware; modern network security landscape; natural language processing; propagation vector; recipient LinkedIn profiles; semantic similarity analysis; sender CV attachments; spear phishing emails; spear phishing threat characterization; statistical certainty; Reconnaissance (ID#: 16-9118)



Patil Madhubala R., "Survey on Security Concerns in Cloud computing," in Green Computing and Internet of Things (ICGCIoT), 2015 International Conference on, pp. 1458-1462, 8-10 Oct. 2015. doi: 10.1109/ICGCIoT.2015.7380697

Abstract: The cloud consists of a vast number of servers and contains a tremendous amount of information. There are various problems in cloud computing such as storage, bandwidth, environment problems like availability, heterogeneity and scalability, and security problems like reliability and privacy. Though many efforts have been made to solve these problems, there are still some security problems [1]. Ensuring the security of this data is an important issue in cloud storage. Cloud computing security can be defined as a broad set of technologies, policies and controls deployed to protect applications, data and the corresponding infrastructure of cloud computing. Due to tremendous progress in technology, providing security for customers' data becomes more and more important. This paper will explain the need for a third-party auditor in cloud security. This paper will give a brief idea about the security threats in cloud computing. This paper will analyze the various security objectives such as confidentiality, integrity, authentication, auditing, accountability, availability and authorization. This paper also studies various data security concerns such as reconnaissance techniques, denial of service, account cracking, hostile and self-replicating code, system or network penetration, buffer overflow and SQL injection attacks.

Keywords: Cloud computing; Computer crime; Data privacy; Reconnaissance; Servers; Data security concerns; Security objectives; Third party audit; cloud computing; cloud computing security (ID#: 16-9119)



Bou-Harb, E.; Debbabi, M.; Assi, C., "A Time Series Approach for Inferring Orchestrated Probing Campaigns by Analyzing Darknet Traffic," in Availability, Reliability and Security (ARES), 2015 10th International Conference on, pp. 180-185, 24-27 Aug. 2015. doi: 10.1109/ARES.2015.9

Abstract: This paper aims at inferring probing campaigns by investigating darknet traffic. The latter probing events refer to a new phenomenon of reconnaissance activities that are distinguished by their orchestration patterns. The objective is to provide a systematic methodology to infer, in a prompt manner, whether or not the perceived probing packets belong to an orchestrated campaign. Additionally, the methodology could be easily leveraged to generate network traffic signatures to facilitate capturing incoming packets as belonging to the same inferred campaign. Indeed, this would be utilized for early cyber attack warning and notification as well as for simplified analysis and tracking of such events. To realize such goals, the proposed approach models this challenging task as a problem of interpolating and predicting time series with missing values. By initially employing trigonometric interpolation and subsequently executing state space modeling in conjunction with a time-varying window algorithm, the proposed approach is able to pinpoint orchestrated probing campaigns by only monitoring a few orchestrated flows. We empirically evaluate the effectiveness of the proposed model using 330 GB of real darknet data. By comparing the outcome with a previously validated work, the results indeed demonstrate the promptness and accuracy of the proposed approach.

Keywords: Internet; computer network security; interpolation; overlay networks; system monitoring; telecommunication congestion control; time series; cyber attack notification; cyber attack warning; darknet traffic analysis; event analysis; event tracking; incoming packet capture; network traffic signature; orchestrated flow monitoring; orchestrated probing campaign inference; orchestration pattern; probing packets; reconnaissance activity; state space modeling; time series approach; time-varying window algorithm; trigonometric interpolation; Clustering algorithms; IP networks; Internet; Interpolation; Kalman filters; Telescopes; Time series analysis (ID#: 16-9120)



Ward, J.R.; Younis, M., "Base Station Anonymity Distributed Self-Assessment in Wireless Sensor Networks," in Intelligence and Security Informatics (ISI), 2015 IEEE International Conference on, pp. 103-108, 27-29 May 2015. doi: 10.1109/ISI.2015.7165947

Abstract: In recent years, Wireless Sensor Networks (WSNs) have become valuable assets to both the commercial and military communities with applications ranging from industrial control on a factory floor to reconnaissance of a hostile border. In most applications, the sensors act as data sources and forward information generated by event triggers to a central sink or base station (BS). The unique role of the BS makes it a natural target for an adversary that desires to achieve the most impactful attack possible against a WSN with the least amount of effort. Even if a WSN employs conventional security mechanisms such as encryption and authentication, an adversary may apply traffic analysis techniques to identify the BS. This motivates a significant need for improved BS anonymity to protect the identity, role, and location of the BS. Previous work has proposed anonymity-boosting techniques to improve the BS's anonymity posture, but all require some amount of overhead such as increased energy consumption, increased latency, or decreased throughput. If the BS understood its own anonymity posture, then it could evaluate whether the benefits of employing an anti-traffic analysis technique are worth the associated overhead. In this paper we propose two distributed approaches to allow a BS to assess its own anonymity and correspondingly employ anonymity-boosting techniques only when needed. Our approaches allow a WSN to increase its anonymity on demand, based on real-time measurements, and therefore conserve resources. The simulation results confirm the effectiveness of our approaches.

Keywords: security of data; wireless sensor networks; WSN; anonymity-boosting techniques; anti-traffic analysis technique; base station; base station anonymity distributed self-assessment; conventional security mechanisms; improved BS anonymity; wireless sensor networks; Current measurement; Energy consumption; Entropy; Protocols; Sensors; Wireless sensor networks; anonymity; location privacy; wireless sensor networks (ID#: 16-9121)



Gillani, F.; Al-Shaer, E.; Lo, S.; Qi Duan; Ammar, M.; Zegura, E., "Agile Virtualized Infrastructure to Proactively Defend Against Cyber Attacks," in Computer Communications (INFOCOM), 2015 IEEE Conference on, pp. 729-737, April 26 2015-May 1 2015. doi: 10.1109/INFOCOM.2015.7218442

Abstract: DDoS attacks have been a persistent threat to network availability for many years. Most of the existing mitigation techniques attempt to protect against DDoS by filtering out attack traffic. However, as critical network resources are usually static, adversaries are able to bypass filtering by sending stealthy low-volume traffic from a large number of bots that mimic benign traffic behavior. Sophisticated stealthy attacks on critical links can cause a devastating effect such as partitioning domains and networks. In this paper, we propose to defend against DDoS attacks by proactively changing the footprint of critical resources in an unpredictable fashion to invalidate an adversary's knowledge and plan of attack against critical network resources. Our present approach employs virtual networks (VNs) to dynamically reallocate network resources using VN placement and offers constant VN migration to new resources. Our approach has two components: (1) a correct-by-construction VN migration planning that significantly increases the uncertainty about critical links of multiple VNs while preserving the VN placement properties, and (2) an efficient VN migration mechanism that identifies the appropriate configuration sequence to enable node migration while maintaining the network integrity (e.g., avoiding session disconnection). We formulate and implement this framework using SMT logic. We also demonstrate the effectiveness of our implemented framework on both PlanetLab and Mininet-based experiments.

Keywords: computer network security; formal logic; virtualisation; DDoS attacks; Mininet; PlanetLab; SMT logic; VN migration; VN placement; agile virtualized infrastructure; attack mitigation techniques; critical network resources; cyber attacks; distributed denial-of-service attack; network availability; network resource reallocation; virtual networks; Computational modeling; Computer crime; Mathematical model; Reconnaissance; Routing protocols; Servers; Substrates (ID#: 16-9122)



Rushing, D.; Guidry, J.; Alkadi, I., "Collaborative Penetration-Testing and Analysis Toolkit (CPAT)," in Aerospace Conference, 2015 IEEE, pp. 1-9, 7-14 March 2015. doi: 10.1109/AERO.2015.7119262

Abstract: Penetration testing (or "pentesting") is critical to both maintaining and increasing the reliability of computer networks while lessening their vulnerability. The number, importance and value of these networks have been growing over the past decade, and their capabilities and respective uses have been integrated into many aspects of our lives. Without penetration testing, our networks can fall victim to a myriad of malicious mayhem which has the potential for serious, large-scale ramifications, and when these networks are not operating as expected it is often individuals who suffer. However, penetration testing poses its own new and diverse set of problems to security analysts. Due to the abstract nature of performing a pentest, the near complete lack of design geared toward effective collaboration and teamwork in many widely used penetration testing tools can create a notable hindrance for security teams. This paper describes a software project surrounding network penetration testing from a collaborative standpoint and the problems associated with team-based efforts utilizing present network analysis tools and technologies.

Keywords: program testing; security of data; CPAT; collaborative penetration-testing and analysis toolkit; large-scale ramifications; malicious mayhem; network analysis tools; security teams; software project; team-based efforts; Biographies; Computer hacking; Integrated circuits; Reconnaissance; Meteor framework; penetration testing; real time data (ID#: 16-9123)



Ramachandruni, R.S.; Poornachandran, P., "Detecting the Network Attack Vectors on SCADA Systems," in Advances in Computing, Communications and Informatics (ICACCI), 2015 International Conference on, pp. 707-712, 10-13 Aug. 2015. doi: 10.1109/ICACCI.2015.7275694

Abstract: Currently, critical infrastructures such as SCADA systems are increasingly under threat, and attacks on them often go unreported. There is a great need to address them. Today the majority of industries use these SCADA systems, so it is very critical to protect these systems. An attack on these systems could cause serious damage to the infrastructure and sometimes a threat to human life as well. To date there are very few solutions that address SCADA security. So, it is important to take countermeasures against the attacks on these systems. In this paper we will analyze the use of honeypot systems in detecting the network attack vectors on SCADA systems. We will start by analyzing and testing various honeypot features which can help in providing additional security for SCADA systems. A honeypot is built to mimic the services of an ICS, exposing them to the Internet, making them attractive to attackers and monitoring the attackers' activities. The goal is to model the attacking methodologies and suggest recommendations to make SCADA systems secure.

Keywords: Internet; SCADA systems; computer network security; critical infrastructures; ICS; Internet; SCADA security systems; critical infrastructures; honeypot systems; industrial control system; network attack vector detection; Internet; MIMICs; Monitoring; Protocols; Reconnaissance; SCADA systems; Honeypots; ICS; IDS; IPS; SCADA (ID#: 16-9124)



Ullrich, J.; Kieseberg, P.; Krombholz, K.; Weippl, E., "On Reconnaissance with IPv6: A Pattern-Based Scanning Approach," in Availability, Reliability and Security (ARES), 2015 10th International Conference on, pp. 186-192, 24-27 Aug. 2015. doi: 10.1109/ARES.2015.48

Abstract: Today's capability of fast Internet-wide scanning allows insights into the Internet ecosystem, but the on-going transition to the new Internet Protocol version 6 (IPv6) makes the approach of probing all possible addresses infeasible, even at current speeds of more than a million probes per second. As a consequence, the exploitation of frequent patterns has been proposed to reduce the search space. Current patterns are manually crafted and based on educated guesses of administrators. At the time of writing, their adequacy has not yet been evaluated. In this paper, we assess the idea of pattern-based scanning for the first time, and use an experimental set-up in combination with three real-world data sets. In addition, we developed a pattern-based algorithm that automatically discovers patterns in a sample and generates addresses for scanning based on its findings. Our experimental results confirm that pattern-based scanning is a promising approach for IPv6 reconnaissance, but also that currently known patterns are of limited benefit and are outperformed by our new algorithm. Our algorithm not only discovers more addresses, but also finds implicit patterns. Furthermore, it is more adaptable to future changes in IPv6 addressing and harder to mitigate than approaches with manually crafted patterns.

Keywords: IP networks; Internet; protocols; IPv6 addressing; IPv6 reconnaissance; Internet Protocol version 6; Internet ecosystem; Internet-wide scanning; pattern-based algorithm; pattern-based scanning approach; search space; Internet; Ports (Computers); Probes; Protocols; Reconnaissance; Servers; Standards; Addresses; IPv6; Network Security (ID#: 16-9125)



Robertson, S.; Alexander, S.; Micallef, J.; Pucci, J.; Tanis, J.; Macera, A., "CINDAM: Customized Information Networks for Deception and Attack Mitigation," in Self-Adaptive and Self-Organizing Systems Workshops (SASOW), 2015 IEEE International Conference on, pp. 114-119, 21-25 Sept. 2015. doi: 10.1109/SASOW.2015.23

Abstract: The topology of networks typically remains static over long periods of time, giving attackers the advantage of long planning cycles to develop, test, and refine targeted attacks. The CINDAM design preempts the attacker by creating ephemeral, per-host views of the protected enclave to transform the constant topology of computing networks into deceptive, mutable, and individualized ones that are able to impede nation-state attacks while still providing mission services to legitimate users. CINDAM achieves this deception without affecting network operations and without modifying client and server software. CINDAM is being implemented using software-defined networking technology for a cost-effective cyber deception solution.

Keywords: computer network security; software defined networking; telecommunication network planning; telecommunication network topology; CINDAM design; cost-effective cyber deception solution; customized information networks for deception and attack mitigation; nation-state attacks; network topology; software-defined networking technology; Conferences; IP networks; Network topology; Ports (Computers); Reconnaissance; Servers; Topology; Adaptive Networks; CINDAM; Deception; Networks; SDN (ID#: 16-9126)



Chia-Nan Kao; Yung-Cheng Chang; Nen-Fu Huang; Salim, I.S.; I-Ju Liao; Rong-Tai Liu; Hsien-Wei Hung, "A Predictive Zero-Day Network Defense Using Long-Term Port-Scan Recording," in Communications and Network Security (CNS), 2015 IEEE Conference on, pp. 695-696, 28-30 Sept. 2015. doi: 10.1109/CNS.2015.7346890

Abstract: A zero-day attack is a critical network attack. The zero-day attack period (ZDAP) is the period from the release of malware/exploit until a patch becomes available. IDS/IPS cannot effectively block zero-day attacks because they generally use pattern-based signatures. This paper proposes a Prophetic Defender (PD) by which ZDAP can be minimized. Prior to an actual attack, hackers scan networks to identify hosts with vulnerable ports. If this port scanning can be detected early, zero-day attacks will become detectable. The PD architecture makes use of a honeypot-based pseudo server deployed to detect malicious port scans. A port-scanning honeypot was operated by us for 6 years, from 2009 to 2015. By analyzing the 6-year port-scanning log data, we understand that PD is effective for detecting and blocking zero-day attacks. The block rate of the proposed architecture is 98.5%.

Keywords: computer network security; digital signatures; PD architecture; ZDAP; critical network attack; honeypot-based pseudoserver; long-term port-scan recording; malicious port scan detection; malware; pattern-based signatures; port scanning detection; port-scanning honeypot; port-scanning log data; predictive zero-day network defense; prophetic defender; vulnerable ports; zero-day attack blocking; zero-day attack detection; zero-day attack period; Computer architecture; Computer hacking; Malware; Market research; Ports (Computers); Reconnaissance; Servers (ID#: 16-9127)



Al-Hakbani, M.M.; Dahshan, M.H., "Avoiding Honeypot Detection in Peer-to-Peer Botnets," in Engineering and Technology (ICETECH), 2015 IEEE International Conference on, pp. 1-7, 20-20 March 2015. doi: 10.1109/ICETECH.2015.7275017

Abstract: A botnet is a group of compromised computers that are controlled by a botmaster, who uses them to perform illegal activities. Centralized and P2P (Peer-to-Peer) botnets are the most commonly used botnet types. Honeypots have been used in many systems as a computer defense. They are used to attract botmasters to add them to their botnets, so that they become spies exposing botnet attacker behaviors. In recent research works, improved mechanisms for honeypot detection have been proposed. Such mechanisms would enable botmasters to distinguish honeypots from real bots, making it more difficult for honeypots to join botnets. This paper presents a new method that can be used by security defenders to overcome the authentication procedure used by the advanced two-stage reconnaissance worm (ATSRW). The presented method utilizes the peer list information sent by an infected host during the ATSRW authentication process and uses a combination of IP address spoofing and a fake TCP three-way handshake. The paper provides an analytical study on the performance and the success probability of the presented method. We show that the presented method provides a higher chance for honeypots to join botnets despite security measures taken by botmasters.

Keywords: message authentication; peer-to-peer computing; ATSRW authentication process; IP address spoofing; advanced two-stage reconnaissance worm; centralized botnet; fake TCP three-way handshake; honeypot detection; peer-to-peer botnets; success probability; Authentication; Computers; Delays; Grippers; IP networks; Peer-to-peer computing; P2P; botnet; detecting; honeypot; honeypot aware; peer-to-peer (ID#: 16-9128)



Kotenko, I.; Doynikova, E., "The CAPEC Based Generator of Attack Scenarios for Network Security Evaluation," in Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 2015 IEEE 8th International Conference on, vol. 1, pp. 436-441, 24-26 Sept. 2015. doi: 10.1109/IDAACS.2015.7340774

Abstract: The paper proposes a technique and a software tool for the generation of attack scenarios: random sequences of attack patterns and the corresponding sequences of security events. The suggested technique is based on the application of open standards for the representation of attack patterns and vulnerabilities. The tool was developed within the scope of the integrated system of network security analysis, risk assessment and countermeasure generation. It is intended to test the effectiveness of this system by simulating the input data, i.e., random attacks against computer networks.

Keywords: computer network security; software tools; CAPEC based generator; common attack pattern enumeration and classification; computer network security evaluation; software tool; Computer networks; Dictionaries; Generators; Knowledge engineering; Reconnaissance; Software; attack graphs; attack patterns; cyber security; risk assessment; security evaluation; security events (ID#: 16-9129)



Chavez, Adrian R.; Stout, William M.S.; Peisert, Sean, "Techniques for the Dynamic Randomization of Network Attributes," in Security Technology (ICCST), 2015 International Carnahan Conference on, pp. 1-6, 21-24 Sept. 2015. doi: 10.1109/CCST.2015.7389661

Abstract: Critical infrastructure control systems continue to foster predictable communication paths and static configurations that allow easy access to our networked critical infrastructure around the world. This makes them attractive and easy targets for cyber-attack. We have developed technologies that address these attack vectors by automatically reconfiguring network settings. Applying these protective measures will convert control systems into "moving targets" that proactively defend themselves against attack. This "Moving Target Defense" (MTD) revolves around the movement of network reconfiguration, securely communicating reconfiguration specifications to other network nodes as required, and ensuring that connectivity between nodes is uninterrupted. Software-defined Networking (SDN) is leveraged to meet many of these goals. Our MTD approach eliminates adversaries targeting known static attributes of network devices and systems, and consists of the following three techniques: (1) Network Randomization for TCP/UDP Ports; (2) Network Randomization for IP Addresses; (3) Network Randomization for Network Paths. In this paper, we describe the implementation of the aforementioned technologies. We also discuss the individual and collective successes for the techniques, challenges for deployment, constraints and assumptions, and the performance implications for each technique.

Keywords: IP networks; Overlay networks; Ports (Computers); Protocols; Reconnaissance; Routing; Virtual private networks; Computer Security; Dynamic Defense; IP Address Hopping; Moving Target Defense; Software Defined Networking (ID#: 16-9130)



Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.