The goal of this project is to investigate next-generation network attack reconnaissance techniques and to explore the limitations of existing defenses. The result of this investigation offers an understanding of potential game-changers in network reconnaissance attacks and of how they can evolve to discover and navigate a network quickly and safely. The project particularly explores novel scanning techniques that discover firewall security policies remotely via intelligent active probing, without probing the end hosts. The outcome of this project, if successful, is expected to offer transformative views of network defense, particularly counter-scanning techniques, beyond traditional intrusion detection/prevention systems. While this far-forward-looking EAGER proposal carries high risk, it also carries high value: staying many steps ahead of attackers.

This research raises serious concerns about the confidentiality of security configurations and the effectiveness of existing countermeasures against future advanced attacks. The proposed research agenda may lead researchers as well as vendors to consider fundamentally new defense concepts beyond current IDSs and IPSs. This project also stimulates theorizing about and predicting next-generation network attacks.

Project Report

Network scanning is the key step by which adversaries perform reconnaissance and gather the information needed to launch a successful attack. Although many intrusion detection systems (IDSs) have been proposed, next-generation scanning tools have advanced to become highly evasive yet effective. Such reconnaissance tools can intelligently use low-rate probes that are hard for an IDS to detect in order to scan security devices such as firewalls and identify network targets without reaching the end host. In this project we investigated several advanced stealthy scanning techniques that intelligently reconstruct the network policy using a minimum number of probing packets. The project also investigated the effectiveness of new countermeasures for detection and deception. We show that detection countermeasures may have limited accuracy, but that this can be complemented by combining them with deceptive countermeasures.

We developed three scanning techniques (split-and-merge, region growing and a hybrid of the two), inspired by image processing, that probe a firewall and analyze its responses intelligently in order to reconstruct the firewall policy with the fewest probes. We also demonstrated that an attacker can use probing to remotely discover the last-matching rules of a network firewall. An attacker can subsequently target these rules with an effective, low-rate DoS attack that triggers worst-case or near-worst-case processing, overwhelming the firewall and bringing it to its knees.

We investigated a number of detection techniques based on the temporal and spatial correlation of the probes. Both region growing and split-and-merge exhibit weak spatial correlation. For example, split-and-merge generally causes the distance between subsequent probes to shrink, whereas in region growing the distance between subsequent probes increases, since region growing traverses the space exponentially to locate the boundary once the probes fall into the accept space. We also show that region growing and split-and-merge exhibit oscillating temporal autocorrelation trends. Such scanning techniques exhibit a certain level of temporal dependence because the next target is chosen from the responses to the previous probes, so subsequent packets are correlated with each other. This can serve as an important statistical metric for analyzing the behavior of next-generation scanning techniques.

We also developed a deceptive counter-scanning technique called Random Host IP Mutation (RHM). It changes the IP addresses of end hosts randomly and frequently so that the reconnaissance information collected by external scanners about those hosts decays. We ran various experiments to evaluate the effectiveness of RHM against scanning and reconnaissance attacks.
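
The two scanners and the two correlation metrics described above, as an added worked example (this is not the project's code, which is not on this page): one policy dimension is modelled as source-address offsets within a /16, the rule base is constructed for the example, and `Oracle` stands in for sending a crafted probe and classifying the firewall's response. The `leaf_width` resolution knob in `split_and_merge` and the contiguity assumption in `region_growing` are simplifications chosen here, not details taken from the project.

```python
from statistics import mean

# Constructed rule base (first match wins, default deny) over one policy
# dimension: source-address offsets within a /16.  Not from the project.
RULES = [(0, 255, "deny"),          # 10.1.0.0/24 quarantined
         (0, 4095, "accept"),       # the rest of 10.1.0.0/20
         (32768, 49151, "accept")]  # 10.1.128.0/18
SPACE = (0, 65535)

def policy(x):
    """Ground truth the scanner tries to recover."""
    return next((a for lo, hi, a in RULES if lo <= x <= hi), "deny")

class Oracle:
    """Stands in for one probe packet and the firewall's answer; caches
    (a re-probe costs no packet) and records the send order."""
    def __init__(self, verdict):
        self._verdict, self.cache, self.sent = verdict, {}, []

    def __call__(self, x):
        if x not in self.cache:
            self.cache[x] = self._verdict(x)
            self.sent.append(x)
        return self.cache[x]

def merge(regions):
    """Merge adjacent regions that carry the same verdict."""
    out = []
    for lo, hi, v in regions:
        if out and out[-1][2] == v and out[-1][1] + 1 == lo:
            out[-1] = (out[-1][0], hi, v)
        else:
            out.append((lo, hi, v))
    return out

def split_and_merge(probe, lo, hi, leaf_width=256):
    """Halve [lo, hi] until a piece is at most leaf_width wide and its ends and
    midpoint agree, then merge.  leaf_width is an assumed resolution knob:
    a rule narrower than it can hide between the three samples."""
    leaves = []
    def rec(lo, hi):
        mid = (lo + hi) // 2
        verdicts = {probe(lo), probe(mid), probe(hi)}
        if lo == hi or (len(verdicts) == 1 and hi - lo + 1 <= leaf_width):
            leaves.append((lo, hi, probe(lo)))
        else:
            rec(lo, mid)
            rec(mid + 1, hi)
    rec(lo, hi)
    return merge(leaves)

def region_growing(probe, lo, hi):
    """Seed at lo, grow with doubling steps until the verdict flips, bisect the
    boundary, reseed past it.  Assumes regions are contiguous, so a hole
    narrower than the current step is jumped over."""
    regions, start = [], lo
    while start <= hi:
        v = probe(start)
        last_same, first_diff, step = start, None, 1
        while first_diff is None and last_same < hi:        # exponential growth
            cand = min(last_same + step, hi)
            if probe(cand) == v:
                last_same, step = cand, step * 2
            else:
                first_diff = cand
        while first_diff is not None and first_diff - last_same > 1:  # bisect
            mid = (last_same + first_diff) // 2
            if probe(mid) == v:
                last_same = mid
            else:
                first_diff = mid
        end = hi if first_diff is None else last_same
        regions.append((start, end, v))
        start = end + 1
    return merge(regions)

def successive_distances(sent):
    """Spatial metric: |x[i+1] - x[i]| along the send order."""
    return [abs(b - a) for a, b in zip(sent, sent[1:])]

def distance_trend(sent):
    """Mean inter-probe distance, first half of the scan vs second half."""
    d = successive_distances(sent)
    return mean(d[:len(d) // 2]), mean(d[len(d) // 2:])

def autocorrelation(series, lag):
    """Temporal metric: lag-k autocorrelation.  A scanner that picks its next
    target from the last answer does not produce white noise."""
    n, mu = len(series), mean(series)
    var = sum((x - mu) ** 2 for x in series)
    if lag >= n or var == 0:
        return 0.0
    return sum((series[i] - mu) * (series[i + lag] - mu)
               for i in range(n - lag)) / var

def run_scan(scanner, **kw):
    """Returns (reconstructed regions, number of probes sent, send order)."""
    oracle = Oracle(policy)
    return scanner(oracle, *SPACE, **kw), len(oracle.sent), oracle.sent
```

`run_scan(split_and_merge)` and `run_scan(region_growing)` recover the same five regions from the constructed policy. Split-and-merge pays three probes per 256-address leaf (768 in all) because every region is halved down to the resolution knob before it is trusted; region growing needs roughly seventy, but would silently skip a hole narrower than its current step. `distance_trend` on the split-and-merge send order shows the shrinking inter-probe distance the report describes (coarse halvings first, fine ones later), while region growing alternates doubling steps with a bisection. `autocorrelation` over the distance series is the temporal statistic a detector would threshold on; the time between probes, which a low-rate scanner stretches out, is deliberately not modelled here.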

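RHM as a simulation, added here as an example and not the project's implementation: a gateway remaps each of 64 hosts to a fresh virtual address out of a 4096-address pool every `mutation_interval` seconds, a scanner sweeps the pool once in address order at 8 addresses per second, and `assess` reports what fraction of the scanner's records still point at the recorded host when the sweep ends. The pool size, host count, scan rate, even initial spread, and the rule that a host never returns to a previously used address are all assumptions of this example.

```python
import random

POOL = 4096      # routable virtual addresses (constructed: offsets in a /20)
N_HOSTS = 64
SCAN_RATE = 8    # addresses probed per second: a deliberately low-rate sweep

def initial_mapping():
    """Epoch-0 addresses: hosts spread evenly over the pool (constructed)."""
    return {h: h * (POOL // N_HOSTS) for h in range(N_HOSTS)}

def mutate(mapping, history, rng):
    """Give every host a fresh virtual address drawn from the unused pool.
    Assumption of this simulation: a host never returns to an address it has
    used before, so every record older than the last mutation is stale."""
    in_use, new = set(mapping.values()), {}
    for host in mapping:
        free = [a for a in range(POOL)
                if a not in in_use and a not in history[host]]
        new[host] = rng.choice(free)
        in_use.add(new[host])
        history[host].add(new[host])
    return new

def simulate(mutation_interval, seed=1):
    """Sweep the pool once, in address order, while the gateway mutates every
    mutation_interval seconds.  Returns the scanner's notebook as
    (address, host, epoch) triples, the final mapping and the final epoch."""
    rng = random.Random(seed)
    mapping = initial_mapping()
    history = {h: {a} for h, a in mapping.items()}
    by_addr = {a: h for h, a in mapping.items()}
    records, epoch = [], 0
    for addr in range(POOL):
        now = addr / SCAN_RATE                   # one probe per 1/SCAN_RATE s
        while now >= (epoch + 1) * mutation_interval:
            mapping = mutate(mapping, history, rng)
            by_addr = {a: h for h, a in mapping.items()}
            epoch += 1
        if addr in by_addr:                      # a live host answered
            records.append((addr, by_addr[addr], epoch))
    return records, mapping, epoch

def assess(mutation_interval, seed=1):
    """What the attacker is left with: the fraction of records whose address
    still reaches the recorded host, and how many distinct hosts were seen."""
    records, mapping, _ = simulate(mutation_interval, seed)
    valid = [r for r in records if mapping[r[1]] == r[0]]
    validity = len(valid) / len(records) if records else 0.0
    return validity, len({h for _, h, _ in records})

if __name__ == "__main__":
    for interval in (float("inf"), 256, 64, 16):
        validity, seen = assess(interval)
        print(f"mutate every {interval:>5} s: {seen:2d}/{N_HOSTS} hosts seen, "
              f"{validity:.0%} of the records still valid after the sweep")
```

With no mutation the sweep sees all 64 hosts and every record stays valid. With a mutation every 64 seconds the 512-second sweep spans eight epochs, only records made in the final epoch survive, and a host can be missed entirely when it moves from ahead of the scan cursor to behind it. The design parameter is the interval: it has to be shorter than the time an attacker needs to act on a record, which is exactly what a low-rate scanner is trying to stretch out.
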
Project Start
Project End
Budget Start
2010-09-01
Budget End
2014-08-31
Support Year
Fiscal Year
2010
Total Cost
$145,000
Indirect Cost
Name
University of North Carolina at Charlotte
Department
Type
DUNS #
City
Charlotte
State
NC
Country
United States
Zip Code
28223