A Method for Port Scanner Detection on a Mobile Network




Sekwon Kim, Joohyung Oh, Inho Kim, and Chaetae Im
Korea Internet Security Center, Korea Internet & Security Agency
IT Venture Tower, Jungdaero 135, Songpa, Seoul, Korea
{heath82, jhoh, chtim}@kisa.or.kr, ino1170@sk.com

Abstract: - New and advanced attack methods and tools have recently emerged as serious threats to the mobile communication and Internet environments, such as new scanning techniques, wireless bandwidth crowding and sophisticated billing scams. To respond to these menaces, mobile carriers are trying to protect their networks by installing IP-based security devices between their mobile network and the Internet. However, these security devices cannot detect abnormal traffic or attacks that occur only within the mobile network. Furthermore, since the IP addresses of multiple terminals are translated to a single IP through a NAT, it is difficult to identify the attacking device. The authors of this paper propose a new method for detecting a port scanner on a WCDMA network. The method previously used for this purpose applied the same TRW algorithm that is used for detecting port scanners in a wired network. However, that method considers only connection attempts, not any response to them. This paper proposes an improved method for detecting a port scanner in a mobile network. The new method considers both connection attempts and the responses to them. It has the further advantage of being able to extract specific useful information (MSISDN, IMSI) about the detected mobile terminal. The improved method was implemented and tested for two months in a WCDMA network operating in Korea and was found to effectively detect mobile terminals causing port scan attacks.
Key-Words: - port scanner; TRW; mobile network

1 Introduction

Ever since smartphones that could use 3G mobile services were released in 2008, data traffic flowing through the networks has been increasing along with the explosion of smartphone users and the proliferation of mobile services. Accompanying this, malicious traffic from the wired environment has also been flowing into the mobile communication network because of the Internet tethering services that allow a mobile terminal to be set up as a modem serving other devices. As a result, there is a growing security risk to the mobile communication network infrastructure. Attack methods and tools such as specialized scan apps that let smartphones trawl the mobile communication network, crowd out wireless bandwidth and execute sophisticated billing scams have emerged and been highlighted at conferences recently [1][2]. In response, mobile carriers are trying to protect their mobile communication networks by installing IP-based security devices between their mobile and Internet networks. However, these security devices cannot detect abnormal traffic or attacks that occur only within the mobile network. Further, since the IP addresses of a multitude of terminals are translated to a single IP through a NAT, it is difficult to identify the attacking device. Therefore a security device that is able to detect abnormal traffic or attacks within the mobile network is now essential.

This paper proposes a method that can detect a port scanner in a mobile network. Section II describes a typical port scan attack. Section III describes the port scanner detection method previously proposed by the authors of this paper. Section IV describes a detection method that has proven to be better than the previous one, as well as a process for identifying the detected mobile terminal [3][4]. Section V describes the test results of the proposed method and, finally, Section VI contains the conclusions.

2 Port Scan Attack in Mobile Networks

Recently released mobile terminals have performance and features comparable to a PC. By installing a port scanner application from an app store or from the black market, a smartphone user can easily initiate a port scan attack. In addition, port scanner applications from the wired environment are used as attack tools through the tethering feature that is offered as part of the native smartphone software package. In this section, we describe how a port scan attack is initiated and its effects.

ISBN: 978-960-474-341-4 166

[Fig. 1. Types of port scan attacks afflicting mobile networks. Panels: Phone-to-Phone Port Scanning Attack; Internal Network Port Scanning Attack (Attacker, SGSN, Packet Network, GGSN); External Network Port Scanning Attack (Internet).]

Fig. 1 shows three types of port scan attack that can afflict a 3G WCDMA network. An attacker can initiate scanning attacks using a port scan application (Port Scanner, TCP Port Scanner, Net Scan, etc.) or special tools (Nmap, Superscan, etc.) as follows:

2.1 Phone-to-Phone Port Scanning Attack

Check the IP assigned to the mobile terminal using an application such as Network Info II (Fig. 2). Initiate a port scan attack upon a mobile terminal in the same IP address range using a port scan application (Fig. 3).

[Fig. 2. Checking the IP address using Network Info II.]

[Fig. 3. Initiating a port scan attack using a port scan application.]

2.2 Internal Network Port Scan Attack

Connect a PC to a smartphone using the tethering feature. Acquire the IP addresses of the devices comprising the mobile network via tracert. Launch a port scan attack on the devices comprising the mobile network using a port scan tool (Fig. 4).

[Fig. 4. Launching a port scan attack using a port scan tool.]

2.3 External Network Port Scan Attack

Launch a port scan attack upon a target server in an external network using a port scan application. Or connect a PC to a smartphone using the tethering feature and launch a port scan attack on a target server in the external network using the port scan tool.

In general, an attacker launches a scanning attack in order to discover network vulnerabilities in a wired environment. In a mobile network, the attacker can not only discover network vulnerabilities but also cause other problems such as bandwidth depletion and denial of service to other mobile terminals, as shown in Fig. 5.

[Fig. 5. Effects of a port scan attack in a mobile network.]

In order to efficiently manage the limited amount of bandwidth available, mobile carriers free the bandwidth of mobile terminals that are not in use. An idle mobile terminal whose bandwidth resource has been released is activated in order to send and receive data, and paging traffic occurs in this case. When an attacker launches a scanning attack upon numerous mobile terminals at once, most of those mobile terminals will be idle at that time. As a result, bandwidth is depleted and devices activated on the network will fail because of the large amount of paging traffic. Consider also the case in which an attacker sends a copious amount of scanning traffic to a particular mobile terminal: the performance of the targeted mobile terminal will be seriously degraded and its battery will be drained.

3 Previously Proposed Method for Detecting a Port Scanner

The authors of this paper last year proposed a method for detecting a port scanner on a WCDMA network [3]. That method employed the TRW (Threshold Random Walk) algorithm that is typically used for detecting a port scanner in a wired environment [5]. Fig. 6 shows the flow diagram of the port scanner detection technique that was previously proposed.

[Fig. 6. Flow diagram for detecting a port scanner [3]. Nodes: Read the sub table of n-th user; Packet Count == 1; End.]

Here, $S_n$ and $F_n$ are the probabilities of success and failure for each connection attempt. We assumed $S_n$ and $F_n$ as follows:

$S_n = 0.8,\ F_n = 0.2$ (1)

The likelihood ratio $\Lambda_n$ is compared to an upper threshold, $\eta_1$, and a lower threshold, $\eta_0$. We assumed $\eta_1$ and $\eta_0$ as follows:

$\eta_1 = 99,\ \eta_0 = 0.01$ (2)

If $\Lambda_n \geq \eta_1$, the remote source is deemed a scanner. If $\Lambda_n \leq \eta_0$, the remote source is deemed normal. And if $\eta_0 < \Lambda_n < \eta_1$, it is deemed suspicious, so the system waits for the next observation and updates $\Lambda_n$.

4 Improved Method for Port Scanner Detection

It is unusual for a mobile terminal to be connected to a large number of remote systems at the same time, and the frequency of repeated connection attempts is typically low. The method described above considers only connection attempts, not any kind of response to them. As a result, it often incorrectly designates as scanners normal mobile terminals that are simply trying to connect to Google and Apple push servers. This section describes a method for detecting port scanners that is better than the one previously proposed and that is also capable of identifying the detected terminals.

4.1 GTP Packet Capture and Parsing

When trying to connect to a remote system, a mobile terminal sends a TCP SYN packet. The remote system responds by returning a TCP SYN-ACK or RST-ACK packet to the terminal. Here, SYN-ACK means connection success and RST-ACK means connection failure. The system for detecting a port scanner captures GTP traffic flows in real time at 10Gbps using DAG cards. The procedure for parsing captured GTP packets, shown in Fig. 7, is as follows:

[Fig. 7. Flow diagram for capturing and parsing GTP traffic. Nodes: GTP Packet; Message Type (GTP-C / GTP-U (0xFF)); TCP / otherwise; Control Bit (SYN, SYN-ACK, RST-ACK); Parsing (Timestamp, Source IP, Source Port, Destination IP, Destination Port, Control Bit, TTL, Is_Inbound); Store in RAM disc; New 1 minute; Write File CDR.csv.]

1. Check the Message Type, then pick the GTP-U packets (Message Type = 0xFF).
2. Pick the connection attempt (TCP SYN) and response (TCP SYN-ACK, RST-ACK) packets.
3. Extract specific fields (Source IP/Port, Destination IP/Port, Control Bit, TTL) from the GTP packet.
4. Store the extracted information on a RAM disk.
5. Output the information stored on the RAM disk to a CDR file when the Timestamp of the collected packet falls in a new 1-minute interval.

The CDR Timestamp records the time the packet was captured. The Is_Inbound field indicates the direction of the packet: if the GTP packet is sent from the SGSN to the GGSN, Is_Inbound is 0, and 1 otherwise.

4.2 The Improved Method

The port scanner is detected by analyzing the CDR file that is output every minute. The analysis is divided into two steps. The first is to analyze the success/failure of each connection attempt and record the result in an IP List. The IP List is composed of keys and values: the key is a unique combination of the source IP/Port and destination IP/Port, and the value indicates the success (0) or failure (1) of the connection attempt. Table 1 is an example of an IP List hash table.
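The parsing step of Section 4.1, as an added example that is not code from the paper or its capture system: a Python routine that takes the payload of a GTPv1 packet, keeps only GTP-U (Message Type 0xFF) frames carrying TCP, classifies the Control Bit as SYN, SYN-ACK or RST-ACK and returns the CDR fields the paper lists. The packet builder, the sample addresses and the timestamp strings are constructed here for the example; Is_Inbound is passed in by the caller because the direction comes from the capture point (SGSN to GGSN = 0), not from the packet itself.

```python
import struct
from ipaddress import IPv4Address

# TCP flag bits used to classify the Control Bit of a packet.
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
GTP_U_MESSAGE_TYPE = 0xFF   # T-PDU: an encapsulated user IP packet (GTP-U)


def control_bit(tcp_flags):
    """Map the TCP flags byte to SYN, SYN-ACK or RST-ACK; anything else is None."""
    if tcp_flags & (TCP_SYN | TCP_ACK | TCP_RST) == TCP_SYN:
        return "SYN"
    if tcp_flags & (TCP_SYN | TCP_ACK) == TCP_SYN | TCP_ACK:
        return "SYN-ACK"
    if tcp_flags & (TCP_RST | TCP_ACK) == TCP_RST | TCP_ACK:
        return "RST-ACK"
    return None


def parse_gtp(payload, captured_at, is_inbound):
    """Return one CDR record for a GTP-U frame carrying TCP SYN/SYN-ACK/RST-ACK, else None.

    `payload` is the GTPv1 header plus its contents, i.e. the UDP payload of the tapped Gn frame.
    """
    if len(payload) < 8:
        return None
    flags, msg_type, _length = struct.unpack("!BBH", payload[:4])
    if flags >> 5 != 1:                  # only GTP version 1 is handled
        return None
    if msg_type != GTP_U_MESSAGE_TYPE:   # GTP-C signalling (echo, create PDP ...) is skipped
        return None
    header_len = 8
    if flags & 0x07:                     # E, S or PN bit set: 4 optional bytes follow the TEID
        header_len = 12
    ip = payload[header_len:]
    if len(ip) < 20 or ip[0] >> 4 != 4:  # inner packet must be IPv4
        return None
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto = ip[8], ip[9]
    if proto != 6:                       # not TCP: the flow diagram's "otherwise" branch
        return None
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    bit = control_bit(tcp[13])           # flags byte sits at TCP offset 13
    if bit is None:
        return None
    return {
        "Timestamp": captured_at,
        "Source IP": str(IPv4Address(ip[12:16])),
        "Source Port": sport,
        "Destination IP": str(IPv4Address(ip[16:20])),
        "Destination Port": dport,
        "Control Bit": bit,
        "TTL": ttl,
        "Is_Inbound": is_inbound,
    }


def build_gtp_tcp(src, sport, dst, dport, tcp_flags, msg_type=GTP_U_MESSAGE_TYPE, teid=0x1234, ttl=64):
    """Construct a GTPv1 frame around a minimal IPv4/TCP header (sample input only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    gtp = struct.pack("!BBHI", 0x30, msg_type, total, teid)   # 0x30: version 1, PT=1, no options
    return gtp + ip + tcp


def sample_cdr():
    """Constructed sample: an attempt, its success response, a failure response, a plain data
    ACK (ignored) and a GTP-C Echo Request (type 0x01) with the same payload (ignored)."""
    frames = [
        (build_gtp_tcp("10.15.21.253", 52464, "101.79.255.85", 80, TCP_SYN), 0),
        (build_gtp_tcp("101.79.255.85", 80, "10.15.21.253", 52464, TCP_SYN | TCP_ACK), 1),
        (build_gtp_tcp("115.68.22.81", 5222, "10.20.216.24", 48175, TCP_RST | TCP_ACK), 1),
        (build_gtp_tcp("10.15.21.253", 52464, "101.79.255.85", 80, TCP_ACK), 0),
        (build_gtp_tcp("10.15.21.253", 52464, "101.79.255.85", 80, TCP_SYN, msg_type=0x01), 0),
    ]
    records = []
    for payload, inbound in frames:
        record = parse_gtp(payload, "2013-07-01T10:00:00", inbound)
        if record is not None:
            records.append(record)
    return records
```

The three surviving records are exactly the rows the paper's CDR keeps: one outbound SYN and two inbound responses. Everything else on the Gn interface (signalling, data segments, pure ACKs) is dropped before it reaches the RAM disk, which is what keeps the per-minute CDR small at the 8Gbps/sec rate reported in Section 5.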

Table 1. IP List
KEY                                                     Value
Src IP         Src Port   Dst IP           Dst Port     Is_Failure
10.15.21.253   52464      101.79.255.85    80           0
10.10.174.25   34445      110.76.140.139   5223         0
10.20.216.24   48175      115.68.22.81     5222         1

Fig. 8 shows the first step for port scanner detection. The procedure is as follows:

[Fig. 8. The first step for port scanner detection. Nodes: CDR; Read Line; Is End of File; Is_Inbound==0 && SYN; Lookup IP List; Key.length > 0; Insert into IP List; Is_Inbound==1; Is SYN-ACK; Update Is_Failure = 0; Is RST-ACK; Update Is_Failure = 1; Write File IPList.csv; End.]

1. Input the CDR file.
2. Check whether Is_Inbound and the Control Bit of the line are respectively 0 and SYN.
3. Look up the IP List if the result in step 2 is true. (Here, the key for lookup is a combination of the source IP/Port and destination IP/Port found in the CDR line.)
4. Read the next line if a matching key exists, otherwise insert the key into the IP List. (Here, the value is 0.)
5. Check whether Is_Inbound is 1 if the result in step 2 is false.
6. Read the next line if the result in step 5 is false.
7. Look up the IP List if the result in step 5 is true and the Control Bit is SYN-ACK. (Here, the key for lookup is a combination of the destination IP/Port and source IP/Port found in the n-th line.)
8. Update Is_Failure to 0 if a matching key exists, otherwise read the next line.
9. Look up the IP List if the result in step 5 is true and the Control Bit is RST-ACK. (Here, the key for lookup is a combination of the destination IP/Port and source IP/Port found in the n-th line.)
10. Update Is_Failure to 1 if a matching key exists, otherwise read the next line.
11. Repeat steps 2 through 10 until all the lines of the CDR file are processed, then output the IP List to the IPList file.

The second step for detecting a port scanner is to calculate the TRW of each mobile terminal and to detect a port scanner. The TRW of each mobile terminal is recorded in the TRW table as shown in Table 2.

Table 2. TRW
KEY            Value
Src IP         TRW Value
10.15.21.253   0.25
10.10.174.25   0.05
10.20.216.24   1024

Fig. 9 shows the second step for detecting a port scanner. The procedure is as follows:

[Fig. 9. Second step for port scanner detection. Nodes: IPList.csv; Read Line; Is End of File; Lookup TRW Hash Table by Source IP; Key.Value > 0; Is_Failure == 1; Insert Source IP in TRW; Read Line TRW; Is End of Table; Output Result & Delete TRW value; Delete TRW value; End.]

1. Load the probability of success/failure for the connection attempt and the upper/lower threshold.
2. Input the IPList file.
3. Read a line of the IPList and look it up in the TRW. (Here the key for lookup is the source IP found in the line from the IPList.)
4. Check whether Is_Failure is 1 if a matching key exists, otherwise insert the source IP into the TRW. (Here the value is 1.)
5. Calculate the TRW depending on Is_Inbound and record the TRW in the TRW table.
6. Repeat steps 2 through 4 until all the lines of the IPList file are processed.
7. Read a line of the TRW.
8. Check whether the TRW of the line is greater than the upper threshold.
9. Output the result and delete the line if the result in step 8 is true; otherwise check whether the TRW of the line is greater than the lower threshold. (Here the result is the source IP and TRW.)
10. Delete the line if the result in step 9 is true, then read the next line in the TRW.
11. Repeat steps 8 through 10 until all the lines of the TRW are processed.

4.3 Identifying the Detected Mobile Terminal

In general, mobile terminals are assigned a dynamic IP address because mobile networks are configured NAT-based, and the history of IP address allocation is not managed. Therefore mobile network administrators may not be able to identify a mobile terminal correctly from an IP address. The authors of this paper previously proposed a method that manages the session of each mobile terminal on a WCDMA network in real time [3]. This makes it possible to identify the mobile terminal causing a port scan attack from its IP address, as shown in Fig. 10. Details of the procedure are as follows.

[Fig. 10. Procedure for Identifying the Detected Mobile Terminal. IP address of the detected mobile terminal → (1) Lookup EUA in the End User Address (EUA) table (KEY: EUA IP; VALUE: Timestamp) → (2) Lookup Session in the Session table (KEY: Timestamp, UC TEID; VALUE: UD TEID, DC TEID, MSISDN, IMSI, EUA, SGSN IP) → (3) Information extraction of the detected mobile terminal.]

1. Look up the End User Address in the hash table. (Here the key for lookup is the IP address.)
2. Extract the Value field of the matched line.
3. Look up the Session in the Session table. (Here the key for lookup is the value extracted in step 2.)
4. Extract the identification information (MSISDN, IMSI) of the mobile terminal from the matched line.

5 Test Results in a Mobile Network

The proposed method was implemented and tested for two months in a WCDMA network operating in Korea. The test environment is shown in Fig. 11.

[Fig. 11. Test environment implemented in a WCDMA mobile network in Korea. Components: Port Scanner; SGSN; Gn Interface Tapper; GTP Packet Capture & Parser; CDR; Port Scanner Detection System; GGSN; Internet; Normal User's Traffic (Average 0.6Gbps/sec outbound, Average 7.4Gbps/sec inbound).]

GTP packet capture and parsing took as input about 8Gbps/sec of GTP traffic (outbound: 0.6Gbps/sec, inbound: 7.4Gbps/sec) without loss, and output a CDR every minute. The Port Scanner Detection System analyzed the CDR and detected the mobile terminals that caused the port scan attacks. About 700 port scan attacks were generated for testing purposes. The results of the test are shown in Table 3.

Table 3. Test Results of Port Scanner Detection
(A) No. of port scan attacks        700
(B) No. of detections               9,578
(C) No. of false positives          0
(D) No. of additional detections    8,878
Results: Detection ratio            100%
         False positive ratio       0%

Here, when a mobile terminal is incorrectly deemed to have caused a port scan, the incident is noted as a False Positive. The Correct Detection and False Positive ratios are calculated as follows:

$\text{Detection Ratio} = \frac{B - (C + D)}{A} \times 100$ (3)

$\text{False Negative Ratio} = \frac{C}{B} \times 100$ (4)

Initially a total of 700 port scan attacks were generated for the test, all of which were detected successfully. Then a further 8,878 port scan attacks were detected. After analyzing the traffic of the detected mobile terminals, all of them were confirmed as port scanners. Most of them, mobile terminals infected with malicious code (through rooting), attack the SSH (22) port of other mobile terminals in the same IP range.

[Fig. 12. An example of the traffic of a detected mobile terminal.]
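The two-step analysis of Section 4.2 (Fig. 8 and Fig. 9), as an added example that is not the paper's own code: constructed CDR rows in the column order of Section 4.1 are folded into the IP List keyed by source and destination IP/Port, with Is_Failure set from the reversed-key SYN-ACK or RST-ACK response, and then into one TRW likelihood ratio per source IP that is compared to the thresholds of equation (2). Two things are assumptions of this example rather than statements of the paper: the mapping of $S_n = 0.8$ and $F_n = 0.2$ onto the TRW of Jung et al. [5] as $\theta_0 = P(\text{success}\mid\text{benign}) = 0.8$ and $\theta_1 = P(\text{success}\mid\text{scanner}) = 0.2$, chosen because it reproduces the Table 2 values (a success multiplies $\Lambda_n$ by 0.25, five failures give $4^5 = 1024$), and the handling of the middle band, which follows Section 3 (suspicious entries are kept for the next minute). The sample terminals and addresses are constructed.

```python
import csv
import io
from collections import OrderedDict

# Assumed mapping of the paper's S_n / F_n onto Jung et al.'s TRW (see lead-in):
# theta0 = P(success | benign), theta1 = P(success | scanner).
THETA0, THETA1 = 0.8, 0.2
ETA1, ETA0 = 99.0, 0.01            # upper / lower thresholds, equation (2)
CDR_HEADER = ("Timestamp,Source IP,Source Port,Destination IP,"
              "Destination Port,Control Bit,TTL,Is_Inbound")


def build_ip_list(cdr_text):
    """Step one (Fig. 8): one entry per outbound SYN, keyed (src IP, src port, dst IP, dst port).
    Is_Failure starts at 0 when the attempt is inserted (the paper's step 4) and is set from
    the inbound response looked up under the reversed key: SYN-ACK -> 0, RST-ACK -> 1."""
    ip_list = OrderedDict()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if row["Is_Inbound"] == "0" and row["Control Bit"] == "SYN":
            key = (row["Source IP"], row["Source Port"],
                   row["Destination IP"], row["Destination Port"])
            ip_list.setdefault(key, 0)
        elif row["Is_Inbound"] == "1" and row["Control Bit"] in ("SYN-ACK", "RST-ACK"):
            # the response travels the other way, so swap the tuple to find the attempt
            key = (row["Destination IP"], row["Destination Port"],
                   row["Source IP"], row["Source Port"])
            if key in ip_list:
                ip_list[key] = 1 if row["Control Bit"] == "RST-ACK" else 0
    return ip_list


def compute_trw(ip_list):
    """Step two (Fig. 9): per source IP, start at 1 and multiply by the per-attempt
    likelihood ratio, theta1/theta0 for a success or (1-theta1)/(1-theta0) for a failure."""
    trw = OrderedDict()
    for (src_ip, _sport, _dst, _dport), is_failure in ip_list.items():
        ratio = (1 - THETA1) / (1 - THETA0) if is_failure else THETA1 / THETA0
        trw[src_ip] = trw.get(src_ip, 1.0) * ratio
    return trw


def classify(trw):
    """Thresholds of Section 3: >= eta1 scanner, <= eta0 normal, in between suspicious."""
    verdicts = OrderedDict()
    for src_ip, lam in trw.items():
        if lam >= ETA1:
            verdicts[src_ip] = "scanner"
        elif lam <= ETA0:
            verdicts[src_ip] = "normal"
        else:
            verdicts[src_ip] = "suspicious"   # kept; updated by the next minute's CDR
    return verdicts


def make_cdr(exchanges):
    """Construct CDR text from (src, sport, dst, dport, response) tuples, where response is
    "SYN-ACK", "RST-ACK" or None for an attempt that was never answered. Sample data only."""
    rows = [CDR_HEADER]
    for src, sport, dst, dport, response in exchanges:
        rows.append(f"2013-07-01T10:00:00,{src},{sport},{dst},{dport},SYN,64,0")
        if response is not None:
            rows.append(f"2013-07-01T10:00:00,{dst},{dport},{src},{sport},{response},54,1")
    return "\n".join(rows) + "\n"


# Constructed minute of traffic: one ordinary web connection, a terminal re-connecting four
# times to a push server (the false-positive case of Section 4), and a terminal probing
# port 22 on five neighbours in its own range, each refused.
SAMPLE_EXCHANGES = (
    [("10.15.21.253", 52464, "101.79.255.85", 80, "SYN-ACK")]
    + [("10.10.174.25", 34445 + i, "110.76.140.139", 5223, "SYN-ACK") for i in range(4)]
    + [("10.20.216.24", 48175 + i, f"10.20.216.{30 + i}", 22, "RST-ACK") for i in range(5)]
)


def detect(cdr_text):
    """Run both steps over one CDR file's text and return the verdict per source IP."""
    return classify(compute_trw(build_ip_list(cdr_text)))


if __name__ == "__main__":
    for ip, verdict in detect(make_cdr(SAMPLE_EXCHANGES)).items():
        print(ip, verdict)
```

The push-server terminal ends at $0.25^4 \approx 0.0039$ and is classified normal even though it made four connection attempts in a minute, which is the improvement over the attempt-only count of Section 3. Note one property of the paper's step 4 that the code reproduces: an attempt that receives no response at all keeps Is_Failure = 0, so it is scored as a success; passing `None` as the response in `make_cdr` shows this.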

6 Conclusion

The authors of this paper last year proposed a method for detecting a port scanner on a WCDMA network. That method used the TRW algorithm that was used for detecting a port scanner in a wired environment. However, the method considered only connection attempts, not any response to them. As a result, many mobile terminals trying to connect to Google and Apple push servers were deemed to be illicit port scanners. This paper proposes an improved method for detecting port scanners in a mobile network. The improved method considers both connection attempts and the responses to them. It is also able to extract important identification information (MSISDN, IMSI) about the detected mobile terminals. The improved method was implemented and tested for two months in a WCDMA network operating in Korea. The method effectively detected all of the mobile terminals causing port scan attacks.

Acknowledgment: This research was funded by the MSIP (Ministry of Science, ICT & Future Planning), Korea, in the ICT R&D Program 2013.

References:
[1] Peng Chunyi, Chi-yu Li, Guan-hua Tu, Songwu Lu, and Lixia Zhang, "Mobile data charging: new attacks and countermeasures," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 195-204, ACM, 2012.
[2] Enno Rey, Rene Graf, and Daniel Mende, "Attacking 3G and 4G mobile telecommunications networks," Shmoocon 2011.
[3] Sekwon Kim, Joohyung Oh, Chaetae Im, and Inho Kim, "A System for Detecting a Port Scanner in 3G WCDMA Mobile Networks," Conference on Security and Management 2012, pp. 183-189, July 2012.
[4] Sekwon Kim, Joohyung Oh, Byoungki Moon, and Chaetae Im, "A Method for Real-Time Session Management in WCDMA Networks," Circuits, System, Electronics, Control & Signal Processing, unpublished.
[5] Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan, "Fast Portscan Detection Using Sequential Hypothesis Testing," in Proceedings of the 2004 IEEE Symposium on Security and Privacy, pp. 211-225, IEEE, 2004.