2005 International Conference on Dependable Systems and Networks (DSN'05) (2005)
June 28, 2005 to July 1, 2005
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/DSN.2005.18
Susmit Panjwani , University of Maryland at College Park
Stephanie Tan , University of Maryland at College Park
Keith M. Jarrin , University of Maryland at College Park
Michel Cukier , University of Maryland at College Park
This paper describes an experimental approach to determine the correlation between port scans and attacks. Discussions in the security community often state that port scans should be considered as precursors to an attack. However, very few studies have been conducted to quantify the validity of this hypothesis. In this paper, attack data were collected using a test-bed dedicated to monitoring attackers. The data collected consist of port scans, ICMP scans, vulnerability scans, successful attacks and management traffic. Two experiments were performed to validate the hypothesis of linking port scans and vulnerability scans to the number of packets observed per connection. Customized scripts were then developed to filter the collected data and group them on the basis of scans and attacks between a source and destination IP address pair. The correlation of the filtered data groups was assessed. The analyzed data consists of forty-eight days of data collection for two target computers on a heavily utilized subnet.
M. Cukier, K. M. Jarrin, S. Panjwani and S. Tan, "An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack," 2005 International Conference on Dependable Systems and Networks (DSN'05)(DSN), Yokohama, Japan, 2005, pp. 602-611.