TR-06-06: Exposure Maps: Removing Reliance on Attribution During Scan Detection

Abstract

Current scanning detection algorithms are based on an underlying assumption that scanning activity can be attributed to a meaningful specific source (i.e. the root cause or scan controller). Sophisticated scanning activity including the use of botnets, idle scanning, and throwaway systems violates this fundamental assumption. We propose that scanning detection algorithms should focus on what is being scanned for instead of who is performing the scanning. We pursue this idea, introduce the concept of exposure maps, and report on a preliminary proof-of-concept that allows one to: (1) estimate the information or exposures revealed to an adversary as a result of scanning activity, (2) detect sophisticated or targeted scanning activity with a footprint as low as a single packet or event, and (3) discover real-time changes in network exposures that may be indicative of a successful attack.