indiavorti.blogg.se

Pterm cyber1 connect










It poses security challenges in the form of cyber-attacks, prompting rigorous cybersecurity measures. While the idea of detecting scans by correlating network flows with preceding DNS query/responses has been proposed in the literature, this work extends the state of the art by offering four contributions: 1) we show that without decreasing the TTL values of RRs in DNS responses, attackers can piggyback on cached DNS records to bypass our detection; thus we incorporate a TTL reduction mechanism to enhance the effectiveness of this approach, especially against stealthy and adaptive scanners; 2) while prior works work against internal scanners, we use the relatively new extension of the DNS protocol, the EDNS0 Client Subnet (ECS) option, to expand this approach toward detecting external scanners; 3) we present a novel adaptive scanning technique, called DNS-cache-based scanning, that exploits the local DNS cache to bypass prior detection methods, and show that, while prior approaches fail to defeat this threat model, our approach is effective against this evolved threat model as well; and 4) contrary to existing work that focuses on defeating fast network scanning worms, this approach is effective against any scanning, including stealthy scanning that uses conservative timing profiles to evade detection. Emerging Connected and Autonomous Vehicles (CAVs) technology has a ubiquitous communication framework. Through rigorous evaluation, we show that our method is effective against both external and internal port scanners and network worms, its effectiveness is independent of scanning rate or technique, and its deployment incurs negligible overhead on DNS and network response times. In our approach, an inline scan detection system (SDS) monitors the ingress and egress flows of an enterprise network subnet and detects scanning probes based on the correlation of flows with preceding DNS query/responses and reducing TTL values of DNS Resource Records (RR).
In this paper, we propose an approach for detecting internal and external network scanning attacks on enterprise networks. © 2016 by World Scientific Publishing Europe Ltd. In addition, we will provide an overview of a newly released, comprehensive, real-world cyber security data set that is now openly available to the research community. We will discuss a variety of data source opportunities, usefulness and value, along with potential problems. Nonetheless, there is a rich and abundant potential for useful cyber security data sets. From a dynamic network point of view, they are often lacking in comprehensive coverage, difficult to integrate across disparate sources, likely have significant noise in various forms, and generally lack any form of normalisation.


Access for research purposes is even more problematic. The majority of useful information technology (IT) data sources were intended for operational monitoring and not for cyber security purposes.


Unfortunately, the use of real-world data in most cyber security research either for motivation or validation is rare. The importance of using real-world data to enable and validate dynamic network research for the purposes of cyber security cannot be understated.










