Automated Detection of Stealthy Portscans (Network Intrusion Detection System)

Portscanning is a common activity of considerable importance. It is often used by computer attackers to characterize hosts or networks which they are considering hostile activity against. Thus it is useful for system administrators and other network defenders to detect portscans as possible preliminaries to a more serious attack.

There are two general purposes that an attacker might have in conducting a portscan: a primary one, and a secondary one. The primary purpose is that of gathering information about the reachability and status of certain combinations of IP address and port (either TCP or UDP). The secondary purpose is to flood intrusion detection systems with alerts, with the intention of distracting the network defenders or preventing them from doing their jobs. We will mainly be concerned with detecting information gathering portscans.

We will use the term scan footprint for the set of port/IP combinations which the attacker is interested in characterizing. It is helpful to conceptually distinguish the footprint of the scan, from the script of the scan, which refers to the time sequence in which the attacker tries to explore the footprint. The footprint is independent of aspects of the script, such as how fast the scan is, whether it is randomized, etc. The
footprint represents the attackerâ„¢s information gathering requirements for her scan, and she designs a scan script that will meet those requirements, and perhaps other non-information-gathering requirements.

The most common type of portscan footprint at present is a horizontal scan. By this, we mean that an attacker has an exploit for a particular service, and is interested in finding any hosts that expose that service. Thus she scans the port of interest on all IP addresses in some range of interest. Also at present, this is mainly being done sequentially on TCP port 53 (DNS). There are also syn-fin scanning involves sending packets with both syn and fin flags set and Ack scanning involves sending an unsolicited packet with just the Ack flag set.

We can detect a Stealthy portscan by look for X TCP or UDP packets sent to any number of host/port combinations from a single source host in Y seconds, where X and Y are user defined values. Additionally, the portscan detector looks for single TCP packets that are not used in normal TCP operations. Such packets will have odd combinations of TCP flags set, or no flags set at all. Upon arrival, a packetâ„¢s structure is checked for soundness. The packet is then tested to see if it is part of a scan currently in progress. This is achieved by comparing the packet type and source address to those of scans currently being investigated. If it is not part of a current scan, it becomes the starting node of a new scan. Otherwise, the matching scanâ„¢s packet count is incremented, and a check is made to determine whether the threshold of X packets sent in Y seconds was exceeded. If so, the scan is reported. The scan will also be reported, regardless of the threshold

This project can be developed in C++ or JAVA or .NET