Network reconnaissance detection system provides early warning of impending cyberattacks
Cybersecurity experts at the CSIR have developed a prototype software package for personal computers and servers that rapidly and accurately detects network port scan activity.
Conventional signature-based network intrusion detection technology is designed to detect cyberthreats by matching network traffic against a database of threat signatures. While this technology is effective in detecting threats that are known to the security community, it cannot provide reliable and early warning of emerging cyberthreats. These threats may spread rapidly and compromise a network before the threat database is updated with a new signature. Sophisticated malware may also change its internal structure over time, thereby evading technology that is designed to detect the original signature. This has led to increased research effort aimed at developing reliable and accurate techniques for detecting network anomalies – unusual or suspicious activity that surfaces during the various phases of cyberattacks.
As an initial step in compromising a network, cybercriminals often perform network reconnaissance in order to discover computers that are connected to the network, as well as services offered by these systems. The latter activity is referred to as network port scanning. The early detection of such activity can alert a host to an impending cyberattack.
By automatically detecting network port scan activity, the technology that the CSIR developed gives the targeted host an opportunity to block further network communication from the initiator of the scan, thereby preventing it from discovering security vulnerabilities that may exist on the host.
The researchers proposed a network port scan detection algorithm that uses a novel detection metric that incorporates statistical modelling of connection attempts. It significantly improves the accuracy and the reliability of port scan detection as compared to a widely used open source intrusion detection system.
The technology’s ability to accurately and rapidly detect network port scans was demonstrated on network traffic data recorded over three weeks on a segment of the CSIR’s intranet. The researchers used the technology to detect port scans that were injected into the recorded network traffic data. Port scans of different intensities were considered, including low intensity port scans that are specifically designed to evade intrusion detection systems.
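To make the detection idea concrete, the following is an added example, not the CSIR prototype or its detection metric. It assumes a simplified record of connection attempts (timestamp, source, target, destination port, whether the target accepted the connection) and scores each source by the number of distinct ports it probes on one host within a sliding window, combined with the fraction of those attempts that went unanswered. Two windows are used so that the evaluation scenario above can be reproduced in miniature: a short window for fast scans and a long one for low-intensity scans that probe one port per minute. The profile thresholds, the 0.5 unanswered ratio and the traffic itself are constructed values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One observed connection attempt (constructed record format, an assumption)."""
    ts: float        # seconds since start of capture
    src: str         # initiator address
    dst: str         # target host address
    port: int        # destination port probed
    answered: bool   # True if the target accepted the connection


# Detection profiles: (window_seconds, distinct_port_threshold). The short window
# catches fast scans; the long window catches low-intensity scans that probe one
# port every minute or so. Thresholds are assumed values, not the CSIR's.
PROFILES = {
    "fast": (10.0, 15),
    "slow": (600.0, 8),
}
# A legitimate client mostly reaches open ports; a scanner mostly does not.
MIN_UNANSWERED_RATIO = 0.5


class PortScanDetector:
    def __init__(self, profiles=PROFILES):
        self.profiles = profiles
        # profile -> (src, dst) -> deque of (ts, port, answered) inside the window
        self.windows = {name: defaultdict(deque) for name in profiles}
        self.alerts = []
        self._fired = set()   # (profile, src, dst) keys already reported once

    def observe(self, a: Attempt):
        """Feed attempts in timestamp order; returns alerts raised by this attempt."""
        raised = []
        for name, (window, threshold) in self.profiles.items():
            q = self.windows[name][(a.src, a.dst)]
            q.append((a.ts, a.port, a.answered))
            # Drop attempts that have fallen out of the sliding window.
            while q and a.ts - q[0][0] > window:
                q.popleft()
            distinct_ports = {port for _, port, _ in q}
            unanswered = sum(1 for _, _, ok in q if not ok) / len(q)
            key = (name, a.src, a.dst)
            if (len(distinct_ports) >= threshold
                    and unanswered >= MIN_UNANSWERED_RATIO
                    and key not in self._fired):
                self._fired.add(key)
                alert = {"profile": name, "src": a.src, "dst": a.dst, "ts": a.ts,
                         "distinct_ports": len(distinct_ports),
                         "unanswered_ratio": round(unanswered, 2)}
                self.alerts.append(alert)
                raised.append(alert)
        return raised


def constructed_traffic():
    """Synthetic attempts: one fast scan, one slow scan, two benign clients."""
    target = "10.0.0.50"
    events = []
    # Fast scanner: 20 ports in 2 seconds; only 22 and 80 answer.
    events += [Attempt(i * 0.1, "10.0.0.5", target, 20 + i, (20 + i) in (22, 80))
               for i in range(20)]
    # Low-intensity scanner: one closed port per minute for ten minutes.
    events += [Attempt(100 + i * 60.0, "10.0.0.7", target, 1000 + i, False)
               for i in range(10)]
    # Benign HTTPS client: many connections, all to a single open port.
    events += [Attempt(5 + i * 1.0, "10.0.0.9", target, 443, True) for i in range(30)]
    # Benign but misconfigured client retrying one closed port.
    events += [Attempt(50 + i * 0.5, "10.0.0.11", target, 8080, False) for i in range(30)]
    return sorted(events, key=lambda e: e.ts)


def run_sample():
    """Replay the constructed capture and return every alert raised."""
    det = PortScanDetector()
    for attempt in constructed_traffic():
        det.observe(attempt)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The distinct-port count is what separates a scan from a busy but legitimate client: the HTTPS client and the retrying client each generate far more attempts than the slow scanner, yet both touch a single port and never raise an alert. The slow scanner only becomes visible in the ten-minute window, which is the trade-off a low-intensity scan exploits against any detector whose window is too short; the price of the longer window is more state kept per (source, target) pair.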
The technology facilitates the rapid containment of cyberthreats in computer networks, thereby limiting the damage caused by these threats and ultimately saving time and money. Future work will involve the development of algorithms for detecting additional types of network reconnaissance activity.