This presentation describes an experimental approach to analyzing scans and determining their impact on attacks. Within the security community, scans are usually considered precursors to an attack. However, very few studies have been conducted to quantify the validity of this hypothesis. In this presentation, attack data are collected using a test-bed dedicated to monitoring attackers. The collected data consist of port scans, ICMP scans, vulnerability scans, successful attacks and management traffic. Two experiments were performed to validate the hypothesis that port scans and vulnerability scans can be identified from the number of packets observed per connection. The analyzed data consist of forty-eight days of traffic collected from two target computers on a heavily utilized subnet. The experimental results showed that over 50% of the attacks were not linked to any scan type. Among the scans associated with an attack, the most frequently occurring were vulnerability scans and combinations of port and vulnerability scans. Port scans do not seem to be a good indicator of an associated attack, since only 3% of them are linked to attacks. Thirty-five percent of the observed attacks were preceded by at least one scan. An average of seven port scans and three vulnerability scans preceded an attack. Analyzing the average time between a scan and the attack it preceded, we observed that this time was on the order of tens of minutes for all three scan types.
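The analysis the abstract describes has two steps: classify each connection by the number of packets observed, then look back from every attack for scans from the same source within a time window. The following is an added example of that pipeline, not code from the presentation or its authors. The packet-count thresholds, the one-hour look-back window, the management-host list and every connection record are constructed assumptions (the abstract does not publish its cut-offs); in the study, attacks were identified by the test-bed's monitoring, whereas here a long session stands in for that label.

```python
"""Added example (not the presentation's code): classify connection records
by packets per connection and link scans to later attacks from the same
source. Thresholds, look-back window, management host list and all records
below are constructed assumptions; the study does not publish its cut-offs."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Connection:
    ts: float      # seconds since the start of the capture
    src: str       # source address
    proto: str     # "tcp" or "icmp"
    dport: int     # 0 for ICMP
    packets: int   # packets seen in this connection


# Assumed thresholds (the abstract only says scan types were tied to
# packets per connection; the numbers here are illustrative).
PORT_SCAN_MAX_PKTS = 3    # bare probe, no application exchange
VULN_SCAN_MAX_PKTS = 20   # short scripted request/response
LOOKBACK_SECONDS = 3600   # how far before an attack we search for scans
MANAGEMENT_HOSTS = {"192.168.1.1"}  # assumed admin hosts, excluded


def classify(conn: Connection) -> str:
    """Map one connection to the categories named in the abstract."""
    if conn.src in MANAGEMENT_HOSTS:
        return "management"
    if conn.proto == "icmp":
        return "icmp_scan"
    if conn.packets <= PORT_SCAN_MAX_PKTS:
        return "port_scan"
    if conn.packets <= VULN_SCAN_MAX_PKTS:
        return "vuln_scan"
    # In the study, attacks were identified by the test-bed's monitoring;
    # here a long session stands in for that label (assumption).
    return "attack"


def link_scans(conns, window=LOOKBACK_SECONDS):
    """Return {attack: [(scan, kind), ...]} for scans from the same source
    that occurred within `window` seconds before the attack."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    links = {}
    for c in conns:
        if classify(c) != "attack":
            continue
        preceding = []
        for other in by_src[c.src]:
            kind = classify(other)
            if kind.endswith("_scan") and 0 <= c.ts - other.ts <= window:
                preceding.append((other, kind))
        links[c] = preceding
    return links


def summarize(conns, window=LOOKBACK_SECONDS):
    """Compute the kind of figures reported in the abstract."""
    links = link_scans(conns, window)
    attacks = list(links)
    with_scan = [a for a in attacks if links[a]]
    linked_port = {s for a in attacks for s, k in links[a] if k == "port_scan"}
    all_port = [c for c in conns if classify(c) == "port_scan"]
    gaps = defaultdict(list)    # scan kind -> seconds from scan to attack
    counts = defaultdict(list)  # scan kind -> scans of that kind per attack
    for a in with_scan:
        per_kind = defaultdict(int)
        for s, k in links[a]:
            gaps[k].append(a.ts - s.ts)
            per_kind[k] += 1
        for k in ("port_scan", "vuln_scan", "icmp_scan"):
            counts[k].append(per_kind[k])
    return {
        "attacks": len(attacks),
        "attacks_without_scan": len(attacks) - len(with_scan),
        "port_scans": len(all_port),
        "port_scans_linked": len(linked_port),
        "mean_preceding": {k: mean(v) for k, v in counts.items()},
        "mean_gap_seconds": {k: mean(v) for k, v in gaps.items()},
    }


# Constructed records standing in for two target hosts' traffic.
SAMPLE = [
    Connection(0, "10.0.0.5", "tcp", 22, 1),       # port scan
    Connection(5, "10.0.0.5", "tcp", 80, 1),       # port scan
    Connection(10, "10.0.0.5", "tcp", 443, 2),     # port scan
    Connection(300, "10.0.0.5", "icmp", 0, 2),     # ICMP scan
    Connection(600, "10.0.0.5", "tcp", 80, 12),    # vulnerability scan
    Connection(1800, "10.0.0.5", "tcp", 80, 150),  # attack preceded by scans
    Connection(0, "10.0.0.9", "tcp", 80, 1),       # port scan, outside window
    Connection(4000, "10.0.0.9", "tcp", 80, 90),   # attack with no linked scan
    Connection(100, "10.0.0.7", "tcp", 22, 2),     # port scans never followed
    Connection(101, "10.0.0.7", "tcp", 23, 2),     #   by an attack
    Connection(102, "10.0.0.7", "tcp", 25, 2),
    Connection(5000, "192.168.1.1", "tcp", 22, 500),  # management traffic
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE))
```

On the constructed sample, half of the attacks have no linked scan, three of seven port scans are linked to an attack, and the mean scan-to-attack gap is about thirty minutes; the 10.0.0.9 port scan shows the effect of the window, since widening it to 10000 seconds links that scan to the later attack. Tuning the window and thresholds against labelled data is what turns this sketch into a usable measurement.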
Michel Cukier is an Assistant Professor in the Center for Reliability Engineering in the Department of Mechanical Engineering at the University of Maryland, College Park.
Michel Cukier received a physics engineering degree from the Free University of Brussels, Belgium, in 1991, and the Doctor in Engineering degree from the National Polytechnic Institute of Toulouse, France, in 1996. During 1991-1992, he was an instructor at the Free University of Brussels. From 1992 to 1996, he was at LAAS-CNRS, Toulouse, France, for his doctoral work on coverage estimation of fault-tolerant systems. From 1996 to 2001, he was a researcher in the Perform research group in the Coordinated Science Laboratory at the University of Illinois, Urbana-Champaign. His research interests included intrusion tolerance by adaptation in distributed systems, adaptive fault tolerance in distributed systems, the evaluation of fault-tolerant systems combining modeling and fault injection, and the estimation of fault tolerance coverage. As part of this work, he is a co-developer of the AQuA Architecture, an architecture that provides dependable distributed objects. His current research interests include security evaluation, intrusion tolerance, distributed system validation, fault injection, and software testing. He is a member of the IEEE and the IEEE Computer Society.