Information Fusion for Anomaly Detection with the Dendritic Cell Algorithm

Dendritic cells are antigen presenting cells that provide a vital link between the innate and adaptive immune system, providing the initial detection of pathogenic invaders. Research into this family of cells has revealed that they perform information fusion which directs immune responses. We have derived a Dendritic Cell Algorithm based on the functionality of these cells, by modelling the biological signals and differentiation pathways to build a control mechanism for an artificial immune system. We present algorithmic details in addition to experimental results, when the algorithm was applied to anomaly detection for the detection of port scans. The results show the Dendritic Cell Algorithm is sucessful at detecting port scans.Comment: 21 pages, 17 figures, Information Fusio

Information Fusion for Anomaly Detection with the Dendritic Cell Algorithm

Dendritic cells are antigen presenting cells that provide a vital link between the innate and adaptive immune system, providing the initial detection of pathogenic invaders. Research into this family of cells has revealed that they perform information fusion which directs immune responses. We have derived a Dendritic Cell Algorithm based on the functionality of these cells, by modelling the biological signals and differentiation pathways to build a control mechanism for an artificial immune system. We present algorithmic details in addition to experimental results, when the algorithm was applied to anomaly detection for the detection of port scans. The results show the Dendritic Cell Algorithm is successful at detecting port scans

Distributed Port Scanning Detection

Conventional Network Intrusion Detection System (NIDS) have heavyweight processing and memory requirements as they maintain per flow state using data structures like linked lists or trees. This is required for some specialized jobs such as Stateful Packet Inspection (SPI) where the network communications between entities are recreated in its entirety to inspect application level data. The downside to this approach is that the NIDS must be in a position to view all inbound and outbound traffic of the protected network. The NIDS can be overwhelmed by a DDoS attack since most of these try and exhaust the available state of network entities. For some applications like port scan detection, we do not require to reconstruct the complete network tra�c. We propose to integrate a detector into all routers so that a more distributed detection approach can be achieved. Since routers are devices with limited memory and processing capabilities, conventional NIDS approaches do not work while integrating a detector in them. We describe a method to detect port scans using aggregation. A data structure called a Partial Completion Filter(PCF) or a counting Bloom filter is used to reduce the per flow state

Scan Correlation -- Revealing distributed scan campaigns

Public networks are exposed to port scans from the Internet. Attackers search for vulnerable services they can exploit. In large scan campaigns, attackers often utilize different machines to perform distributed scans, which impedes their detection and might also camouflage the actual goal of the scanning campaign. In this paper, we present a correlation algorithm to detect scans, identify potential relations among them, and reassemble them to larger campaigns. We evaluate our approach on real-world Internet traffic and our results indicate that it can summarize and characterize standalone and distributed scan campaigns based on their tools and intention.Comment: Accepted for publication at DISSECT '2

A Comparative Performance of Port Scanning Techniques

Cyberattack has its effect on businesses and private systems every day and it has risen tremendously. Port scanning is the first step taken by attackers before an attack is deployed. It is employed to identify the targeted host’s IP addresses, network devices and services running which later be used to determine the server locations and diagnose security levels of the victim by revealing the presence of security measures in place such as firewall between the server and the network devices. There have been several papers presenting the performance of port scanning techniques. However, the impact on host's performance has not yet been done. In this research, a comparative study of port scanning techniques is proposed to evaluate their impact on the scanned hosts performance using Zabbix. The goal of this research is to identify the difference of port scanning techniques and their strategies in probing the targeted host. Three scanning techniques are compared namely TCP SYN, TCP Connect and UDP scan. Several experiments have been conducted using NMAP, Unicornscan, Netcat, Apache2 web server and Zabbix running in virtual machine (VM) environment. Of the three port scanning techniques, TCP SYN scan has the least impact on the targeted scanned host with average response time of 0.69ms for a single scan and 0.421ms for 100 scans. UDP scan has the most impact on the targeted scanned host with average response time of 10.84ms for a single scan and 6.71ms for 100 scans

Packed to the Brim: Investigating the Impact of Highly Responsive Prefixes on Internet-wide Measurement Campaigns

Internet-wide scans are an important tool to evaluate the deployment of services. To enable large-scale application layer scans, a fast, stateless port scan (e.g., using ZMap) is often performed ahead of time to collect responsive targets. It is a common expectation that port scans on the entire IPv4 address space provide a relatively unbiased view as they cover the complete address space. Previous work, however, has found prefixes where all addresses share particular properties. In IPv6, aliased prefixes and fully responsive prefixes, i.e., prefixes where all addresses are responsive, are a well-known phenomenon. However, there is no such in-depth analysis for prefixes with these responsiveness patterns in IPv4. This paper delves into the underlying factors of this phenomenon in the context of IPv4 and evaluates port scans on a total of 161 ports (142 TCP & 19 UDP ports) from three different vantage points. To account for packet loss and other scanning artifacts, we propose the notion of a new category of prefixes, which we call highly responsive prefixes (HRPs). Our findings show that the share of HRPs can make up 70 % of responsive addresses on selected ports. Regarding specific ports, we observe that CDNs contribute to the largest fraction of HRPs on TCP/80 and TCP/443, while TCP proxies emerge as the primary cause of HRPs on other ports. Our analysis also reveals that application layer handshakes to targets outside HRPs are, depending on the chosen service, up to three times more likely to be successful compared to handshakes with targets located in HRPs. To improve future scanning campaigns conducted by the research community, we make our study's data publicly available and provide a tool for detecting HRPs. Furthermore, we propose an approach for a more efficient, ethical, and sustainable application layer target selection