DPS Project


The DPS (Distributed Port Scan) Project is a subset of a larger research plan that aims for the pro-active detection of network intrusion attempts. Rather than rely on intrusion detection systems, which attempt to detect intrusions as they occur, this research plan aims at predicting possible intrusion attempts based on the observation of reconnaissance activity as observed in traffic at the network borders.


The DPS Project itself is concerned with the modeling and detection of distributed port scans, where a distributed port scan is defined roughly as a port scan of some target space, where the target space has been distributed amongst multiple sources. Such a scan provides additional stealth to the adversary, as a defender is less likely to be alerted by some number of small scans. In addition, if the adversary has each source scan at approximately the same time, gains in speed can be achieved through the use of such parallelization.


The goal of this project is to develop a set of consistent definitions of scans, including distributed scans. From this formal model, an implementation will be developed to detect the presence of distributed scans.


At present, an initial model has been developed, along with an initial implementation that detects distributed port scans. The model has been compared with known distributed scanners to show that it captures the essential characteristics of these scanners and that it is therefore representative of at least these scanners. The implementation is based on the assumption that an adversary will want to scan some large portion of the defender's network in a co-ordinated fashion, and so detects a more limited number of distributed scans.
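As an added illustration of the detection assumption described above (this is not the DPS project's own implementation), the following Python sketch aggregates border connection attempts per source within a time window and flags windows in which several individually small sources together touch a large fraction of the monitored address space. The monitored prefix, the thresholds and the sample events are all constructed for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def detect_distributed_scans(events, monitored, window=60, min_sources=3,
                             min_hosts=2, per_source_max=0.25,
                             combined_min=0.5):
    """events: iterable of (timestamp_seconds, src_ip, dst_ip) seen at the
    border. Returns one (window_start, sources, coverage) tuple per window
    in which several individually small sources jointly cover a large
    fraction of the monitored network (all thresholds are assumptions)."""
    net = ip_network(monitored)
    total = net.num_addresses
    # window start -> source -> distinct monitored hosts it touched
    seen = defaultdict(lambda: defaultdict(set))
    for ts, src, dst in events:
        dst_ip = ip_address(dst)
        if dst_ip in net:
            seen[int(ts) // window * window][src].add(dst_ip)
    alerts = []
    for start in sorted(seen):
        # candidates touch more than one host (so not an ordinary client)
        # yet each covers only a small slice of the network on its own
        cands = {s: h for s, h in seen[start].items()
                 if min_hosts <= len(h) <= per_source_max * total}
        if len(cands) < min_sources:
            continue
        coverage = len(set().union(*cands.values())) / total
        if coverage >= combined_min:
            alerts.append((start, sorted(cands), round(coverage, 3)))
    return alerts

def _probe(src, hosts, t0):
    """Constructed sample traffic: src touches the given hosts one second apart."""
    return [(t0 + i, src, f"192.0.2.{h}") for i, h in enumerate(hosts)]

# Constructed sample: four sources split a 16-address network (3 hosts each)
# within one minute, plus an ordinary client and, later, a single loud scanner.
SAMPLE_EVENTS = (
    _probe("203.0.113.1", [1, 2, 3], 10)
    + _probe("203.0.113.2", [4, 5, 6], 12)
    + _probe("203.0.113.3", [7, 8, 9], 15)
    + _probe("203.0.113.4", [10, 11, 12], 18)
    + [(20, "198.51.100.9", "192.0.2.5")]
    + _probe("198.51.100.7", range(1, 11), 200)
)

if __name__ == "__main__":
    for start, sources, cov in detect_distributed_scans(SAMPLE_EVENTS, "192.0.2.0/28"):
        print(f"t={start}s: {len(sources)} sources covered {cov:.0%}")
```

The loud single scanner in the later window is deliberately not reported: it exceeds the per-source slice, so a conventional single-source scan detector, not this distributed-scan logic, is the right place to catch it.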


Testing of this implementation will consist of two phases. The first phase, which is nearly complete, consists of testing the implementation using a simulation of different forms of distributed scans. This type of testing allows "stress" testing of the implementation in terms of sensitivity to the amount of network space covered, the number of sources, and the amount of noise.


The second phase consists of determining if this implementation can detect distributed port scans performed using a sample of known scanners. This requires a controlled experiment where distributed port scans are performed against a monitored network. This step will use the DETER Testbed, which will allow us to perform such controlled experiments using a variety of network topologies.


The investigators for this project are: