Visible to the public Cyber Threat Modeling and Validation: Port Scanning and Detection

Port scanning is a commonly applied technique in the discovery phase of cyber attacks. As such, defending against them has long been the subject of many research and modeling efforts. Though modeling efforts can search large parameter spaces to find effective defensive parameter settings, confidence in modeling results can be hampered by limited or omitted validation efforts. In this paper, we introduce a novel, mathematical model that describes port scanning progress by an attacker and intrusion detec-tion by a defender. The paper further describes a set of emulation experiments that we conducted with a virtual testbed and used to validate the model. Results are presented for two scanning strate-gies: a slow, stealthy approach and a fast, loud approach. Estimates from the model fall within 95% confidence intervals on the means estimated from the experiments. Consequently, the model's pre-dictive capability provides confidence in its use for evaluation and development of defensive strategies against port scanning.

Eric Vugrin is a Distinguished Member of Technical Staff at Sandia National Laboratories in Albuquerque, New Mexico. His current research focuses on modeling and analyzing the resilience of industrial control systems and other critical infrastructure. His work has provided research, operational, and policy guidance to the U.S. Department of Energy, the U.S. Department of Homeland Security, the U.S. Department of Defense, and other federal agencies. He received his PhD in Mathematics from Virginia Tech.

Creative Commons 2.5

Other available formats:

Cyber Threat Modeling and Validation: Port Scanning and Detection
Switch to experimental viewer