An Experimental Evaluation to Determine if Port Scans are Precursors to an Attack
- 27 July 2005
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 602-611
- https://doi.org/10.1109/dsn.2005.18
Abstract
This paper describes an experimental approach to determine the correlation between port scans and attacks. Discussions in the security community often state that port scans should be considered as precursors to an attack. However, very few studies have been conducted to quantify the validity of this hypothesis. In this paper, attack data were collected using a test-bed dedicated to monitoring attackers. The data collected consist of port scans, ICMP scans, vulnerability scans, successful attacks and management traffic. Two experiments were performed to validate the hypothesis of linking port scans and vulnerability scans to the number of packets observed per connection. Customized scripts were then developed to filter the collected data and group them on the basis of scans and attacks between a source and destination IP address pair. The correlation of the filtered data groups was assessed. The analyzed data consists of forty-eight days of data collection for two target computers on a heavily utilized subnet.Keywords
This publication has 5 references indexed in Scilit:
- An initial foray into understanding adversary planning and courses of actionPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2002
- Characterizing intrusion tolerant systems using a state transition modelPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2002
- Experimenting with quantitative evaluation tools for monitoring operational securityIEEE Transactions on Software Engineering, 1999
- A network security monitorPublished by Institute of Electrical and Electronics Engineers (IEEE) ,1990
- Formal Models for Computer SecurityACM Computing Surveys, 1981