Posted on 2007-01-01, 00:00. Authored by Min G. Kang, Juan Caballero, Dawn Song.
Scan detection and suppression methods are an important means for
preventing the disclosure of network information to attackers. However, despite
the importance of limiting the information obtained by the attacker, and the wide
availability of such scan detection methods, there has been very little research
on evasive scan techniques, which can potentially be used by attackers to avoid
detection. In this paper, we first present a novel classification of scan detection
methods based on their amnesty policy, since attackers can take advantage of
such policies to evade detection. Then we propose two novel metrics to measure
the resources that an attacker needs to complete a scan without being detected.
Next, we introduce z-Scan, a novel evasive scan technique that uses distributed
scanning, and show that it is extremely effective against TRW, one of the state-of-the-art
scan detection methods. Finally, we investigate possible countermeasures
including hybrid scan detection methods and information-hiding techniques. We
provide theoretical analysis, as well as simulation results, to quantitatively measure
the effectiveness of the evasive scan techniques and the countermeasures.
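As an added illustration, not code from the paper, here is a minimal Python sketch of TRW, the detector the abstract names, combined with one assumed amnesty policy (a source's walk is forgotten after an idle gap) so the reader can see what such a policy does to detection. The hypothesis-test parameters, the idle window and the trace are constructed values.

```python
"""Threshold Random Walk (TRW) first-contact scan detector with a time-based amnesty policy."""
import math

# TRW sequential hypothesis-test parameters (Jung et al.); the values are constructed here.
THETA0, THETA1 = 0.8, 0.2   # P(first contact succeeds | benign), (... | scanner)
ALPHA, BETA = 0.01, 0.99    # tolerated false-positive rate, target detection rate
AMNESTY_IDLE = 60.0         # assumed policy: seconds idle before a source's state is dropped
LOG_ETA1, LOG_ETA0 = math.log(BETA / ALPHA), math.log((1 - BETA) / (1 - ALPHA))  # stop bounds
STEP_OK, STEP_FAIL = math.log(THETA1 / THETA0), math.log((1 - THETA1) / (1 - THETA0))  # walk steps


class TRWDetector:
    def __init__(self):
        self.state = {}     # src -> {"lr": log-likelihood ratio, "last": ts, "seen": set}
        self.verdicts = {}  # src -> "scanner" | "benign"

    def observe(self, ts, src, dst, success):
        """Feed one connection attempt; return 'scanner', 'benign' or None."""
        st = self.state.get(src)
        if st is None or ts - st["last"] > AMNESTY_IDLE:
            st = {"lr": 0.0, "last": ts, "seen": set()}   # amnesty: history forgotten
            self.state[src] = st
        st["last"] = ts
        if dst in st["seen"]:
            return None                  # only first contacts move the walk
        st["seen"].add(dst)
        st["lr"] += STEP_OK if success else STEP_FAIL
        if st["lr"] >= LOG_ETA1:
            verdict = "scanner"
        elif st["lr"] <= LOG_ETA0:
            verdict = "benign"
        else:
            return None
        self.verdicts[src] = verdict
        st["lr"] = 0.0                   # test terminated; restart the walk
        return verdict


def run(lines):
    """Parse constructed 'ts src dst ok|fail' records; return the verdict per source."""
    det = TRWDetector()
    for line in lines:
        ts, src, dst, outcome = line.split()
        det.observe(float(ts), src, dst, outcome == "ok")
    return det.verdicts


# Constructed trace: a scanner, a benign client, and a source whose three failures are
# forgotten by the amnesty policy before the fourth one arrives (so it is never flagged).
SAMPLE = [f"1.{i} 10.0.0.5 10.0.1.{i} fail" for i in range(4)] + \
         [f"2.{i} 10.0.0.9 10.0.2.{i} ok" for i in range(4)] + \
         [f"3.{i} 10.0.0.7 10.0.3.{i} fail" for i in range(3)] + \
         ["100.0 10.0.0.7 10.0.3.9 fail"]
```

With these parameters four consecutive first-contact failures cross the upper bound, and the third source shows how a generous idle window lets a slow source stay below it.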