Exposure Maps:
Removing Reliance on Attribution During Scan Detection
David Whyte, P.C. van Oorschot, Evangelos Kranakis
Carleton University School of Computer Science
Outline
• Scanning detection challenges
• Problems with attribution-based detection techniques
• Exposure Maps
• Experimental Results
• Conclusions
Scanning Detection Challenges
• Sophisticated scanning techniques
– Slow
– Fragmented
– Idle
– Distributed (Botnet)
• I detected a scan
– Was it successful?
– What did it reveal?
• Volume of Internet “whitenoise”
– Backscatter
– Worm propagation (known)
– Network diagnostics
– Web spiders
– Wrong numbers
Attribution-based Scanning Detection
• Variety of scanning detection techniques
– Observing connection failures
– Abnormal network behavior
– Connections to darkspace
– Increased connection attempts
• The majority of these rely on correlating scanning activity based on the perceived last hop
• The focus of detection is who is scanning instead of what is being scanned
Shifting Focus
• Attribution is not practical for an increasing number of sophisticated scanning techniques
• Focus on attribution overlooks critical components of any observed scanning campaign:
– What are my adversaries looking for?
– Has the network behavior changed as a result of being scanned?
• Exemplar technique: Exposure Maps
Exposure Maps (1/2)
• Passively observe network traffic (training period)
• Ignore network traffic initiated from the inside
• Record only internal system responses to external events such as:
– TCP: SYN/ACK
– TCP: RST
– UDP: IP pairs list
– ICMP: echo reply, host not found, time exceeded
Exposure Maps (2/2)
• Host Exposure Map (HEM)
– Visible and enumerated services
– Externally visible interface of an individual host
• Network Exposure Map (NEM)
– Union of HEMs in a target network
– Externally visible interface of the network
• Let your adversaries do the vulnerability scanning for you!
Sample NEM (proof-of-concept)
Host       Description            TCP Ports              UDP Ports
10.0.0.1   Mail/DNS/HTTP Server   22, 25, 80, 993, 631   53
10.0.0.2   DNS/HTTP Server        22, 80, 443            53
10.0.0.3   SSH Server             22                     -
• Test network size: 1/4 Class C
• Test period: two weeks
• NEM was stable within 12 hours of the testing period
Scan Detection
• An incoming connection is defined as any atomic TCP connection, UDP datagram or ICMP datagram
• A connection attempt to a host/port combo outside of the NEM is considered a scan and recorded
• No connection state tracking required
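Added example (not code from the paper or the Carleton project): the passive training pass from the "Exposure Maps (1/2)" slide followed by the stateless scan check defined above, in Python. The packet record layout, the 10.0.0.x address block, and every traffic sample are constructed assumptions; TCP RST responses and the non-echo ICMP types are left out for brevity.

```python
from collections import namedtuple
# Constructed packet record (assumed layout). flags: TCP flags ("S", "SA"); icmp_type: 8 = echo request, 0 = echo reply.
Pkt = namedtuple("Pkt", "src dst proto sport dport flags icmp_type", defaults=("", None))

def is_internal(ip):
    return ip.startswith("10.0.0.")  # assumed address block of the monitored network

def build_nem(training_packets):
    """Passive training: record only internal responses to external stimuli (HEM entries, unioned)."""
    nem = set()
    for p in training_packets:
        if not is_internal(p.src) or is_internal(p.dst):
            continue  # inside-initiated, internal-only and externally sourced traffic is ignored
        if p.proto == "tcp" and "S" in p.flags and "A" in p.flags:
            nem.add((p.src, "tcp", p.sport))  # SYN/ACK: open TCP service
        elif p.proto == "udp":
            nem.add((p.src, "udp", p.sport))  # UDP reply: responding UDP service
        elif p.proto == "icmp" and p.icmp_type == 0:
            nem.add((p.src, "icmp", "echo"))  # echo reply: host answers pings
    return nem

def detect_scans(nem, packets):
    """Stateless detection: an inbound attempt at a host/port combo outside the NEM is a scan."""
    scans = []
    for p in packets:
        if is_internal(p.src) or not is_internal(p.dst):
            continue  # only external -> internal traffic is judged
        if p.proto == "tcp" and p.flags == "S":
            key = (p.dst, "tcp", p.dport)
        elif p.proto == "udp":
            key = (p.dst, "udp", p.dport)
        elif p.proto == "icmp" and p.icmp_type == 8:
            key = (p.dst, "icmp", "echo")
        else:
            continue  # not an atomic connection attempt (e.g. a mid-stream TCP segment)
        if key not in nem:
            scans.append((p.src,) + key)  # recorded per event; no connection state is kept
    return scans

TRAINING = [  # constructed training-period traffic, modelled on the sample NEM above
    Pkt("10.0.0.1", "198.51.100.7", "tcp", 80, 40123, "SA"),
    Pkt("10.0.0.1", "198.51.100.8", "udp", 53, 5353),
    Pkt("10.0.0.1", "198.51.100.8", "icmp", None, None, "", 0),
    Pkt("10.0.0.3", "198.51.100.9", "tcp", 22, 51000, "SA"),
    Pkt("10.0.0.2", "203.0.113.9", "tcp", 44000, 443, "S"),  # inside-initiated SYN: not a response
]
INBOUND = [  # constructed post-training traffic
    Pkt("192.0.2.10", "10.0.0.1", "tcp", 33001, 80, "S"),  # in NEM: not a scan
    Pkt("192.0.2.10", "10.0.0.1", "tcp", 33002, 23, "S"),  # port outside the HEM: scan
    Pkt("192.0.2.11", "10.0.0.3", "udp", 9001, 161),  # UDP port outside the HEM: scan
    Pkt("192.0.2.12", "10.0.0.3", "icmp", None, None, "", 8),  # host never answered pings: scan
]
```

Running `detect_scans(build_nem(TRAINING), INBOUND)` flags three of the four inbound attempts, each as a (source, host, protocol, port) tuple; attribution by source can be applied afterwards if wanted.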
Post-Scan Detection Activities
• Monitor changes in the NEM
– Validate new services offered
– Unexpected changes in the NEM may indicate compromise
• Monitor changes in network scanning activity
– Spikes in scanning activity may indicate a new exploit
• Attribution remains possible after scan detection for most unsophisticated and certain classes of sophisticated scanning activity
Detected Scanning Activity
Conclusions
• Shifting focus away from attribution during scan detection may provide a means to detect sophisticated scanning campaigns
• The true insight that can be gained from scanning detection is not who is scanning you but what they are scanning for
Discussion
Observed Sophisticated Scanning
• “Slice and dice” recorded scans using a variety of attributes
• Slow scan: pcAnywhere, ~15 min intervals
• Possible distributed scan: 6 systems from the same class C network with the same scanning footprint
Exposures vs. Scanning Activity
• Network scanning possibilities
• In practice:
|NEM| < |A| < |E|