Network attacks represent a major threat to the continuous operation of network devices. The initial stages of a network attack may involve a source device “probing” or “scanning” a destination device to determine whether a particular network service (e.g., a database service that stores financial data or any other type of service that may be of interest to a network hacker) is operating and available on that destination device. In a malicious context, the source device may be attempting to identify the availability of a service that is vulnerable to exploitation. Although a source device may have knowledge of (possibly published) vulnerabilities associated with such services, in general, the source device has no advance knowledge of the location of these services (i.e., on what specific network devices these services are available). Hence, the source device must “probe” or “scan” network devices in order to locate these services.
Tools are widely available on the Internet to assist attackers in unauthorized probing of networks. The Network Mapper (Nmap) tool from www.insecure.org/nmap is one example. Nmap is distributed with a graphical front-end, which allows an attacker to easily customize his or her probing activities. Moreover, Nmap's timing options (e.g., the -T timing templates and --scan-delay) allow it to probe at a specified rate (e.g., x probes per second), including rates deliberately chosen to be slow.
Conventionally, probing is detected using rate-based techniques. That is, for the purposes of detection, a probe is defined in terms of “more than x connections (or connection attempts) in y second(s).” For example, the Snort pre-processor for detecting scans, known as spp_portscan, is based upon an administrator-configurable detection specification of “x connection(s) per y second(s).” This type of detection technique has several serious drawbacks. First, the Snort pre-processor generates a myriad of false positives (e.g., benign use of passive file transfer protocol, in which a client legitimately opens many short connections to different ephemeral ports on one server; benign use of web services that open many parallel connections; etc.) and, therefore, can be quite inaccurate. Second, the Snort pre-processor misses true positives that occur below the specified threshold. For example, a source device that is scanning very slowly (e.g., one port every few seconds) never accumulates x connections within any y-second window and thereby avoids detection. Third, there is poor differentiation between false positives and true positives using this conventional detection technique, since every source that crosses the threshold produces the same alert, regardless of by how much or for how long it exceeded the threshold.
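The following is an added illustration of the rate-based detector and its drawbacks; it is example code written for this discussion, not code from the original text or from Snort. The detector implements the “more than x distinct targets in y seconds” rule over a sliding window. The connection records and addresses are constructed for the example: a fast scanner, a slow scanner that spaces its probes ten seconds apart, and a passive-FTP client that opens several data connections to one server.

```python
from collections import defaultdict, deque

# Constructed connection records (time in seconds, source, destination, destination port).
# Scenario A: a fast scanner that touches 25 ports in under two seconds.
FAST_SCAN = [(t * 0.08, "10.0.0.5", "192.0.2.10", 1 + t) for t in range(25)]
# Scenario B: the same 25 ports, but one probe every ten seconds.
SLOW_SCAN = [(t * 10.0, "10.0.0.6", "192.0.2.10", 1 + t) for t in range(25)]
# Scenario C: a passive-FTP client opening eight data connections to ephemeral
# ports on one server, half a second apart (benign traffic).
PASSIVE_FTP = [(t * 0.5, "10.0.0.7", "192.0.2.20", 50000 + t) for t in range(8)]


def _sliding_counts(records, window_seconds):
    """Yield (time, src, number of distinct (dst, port) targets seen from src
    within the trailing window) for each record, in time order."""
    windows = defaultdict(deque)
    for t, src, dst, dport in sorted(records):
        q = windows[src]
        q.append((t, dst, dport))
        # Drop entries that fell out of the trailing window.
        while q and q[0][0] < t - window_seconds:
            q.popleft()
        yield t, src, len({(d, p) for _, d, p in q})


def detect_portscans(records, max_connections, window_seconds):
    """Rate-based scan detector in the spirit of spp_portscan: a source is
    flagged when it contacts more than max_connections distinct targets
    within any window_seconds interval. The result is binary per source,
    which is the 'absolute score' weakness described in the text."""
    alerted = {}
    for _, src, distinct in _sliding_counts(records, window_seconds):
        alerted.setdefault(src, False)
        if distinct > max_connections:
            alerted[src] = True
    return alerted


def peak_distinct_targets(records, window_seconds):
    """Largest number of distinct targets any source reached within one
    window. Shows why the slow scanner cannot be caught by tuning x."""
    peak = defaultdict(int)
    for _, src, distinct in _sliding_counts(records, window_seconds):
        peak[src] = max(peak[src], distinct)
    return dict(peak)


if __name__ == "__main__":
    records = FAST_SCAN + SLOW_SCAN + PASSIVE_FTP
    # "4 targets in 3 seconds" mirrors the classic spp_portscan configuration.
    alerts = detect_portscans(records, max_connections=4, window_seconds=3)
    peaks = peak_distinct_targets(records, window_seconds=3)
    for src in sorted(alerts):
        print(f"{src}: alert={alerts[src]} peak_in_window={peaks[src]}")
```

With a threshold of four targets in three seconds the fast scanner is flagged, but so is the passive-FTP client (a false positive), and the slow scanner is not flagged at all: its peak within any window is one target, indistinguishable from a single benign connection, so no threshold setting separates it from normal traffic. The detector also returns only True or False, so the scanner that touched 25 ports and the FTP client that touched 7 receive identical alerts.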
Conventional attack detection techniques, like the Snort pre-processor described above, often report anomalies in terms of an absolute score for a source device, making it difficult to discriminate between benign and malicious usage. For example, in the case of the conventional scan detection technique described above, the absolute score is binary (i.e., either a source device exceeded the probing threshold or did not). As another example, a source device may execute a highly unlikely event, such as contacting a new service (a rare event with respect to the typical usage pattern associated with all other source devices). Alternatively, in an environment such as a peering point, the frequent occurrence of new source devices may be reported as anomalous using conventional detection techniques, even though the appearance of new malicious source devices may occur no more or less frequently than the appearance of new benign source devices. These absolute measures confound the ability to adequately discriminate between malicious and benign sources.
In addition, conventional detection techniques often rely exclusively on the definition of attack signatures for subsequent detection of an attack. Such techniques are, therefore, incapable of detecting novel attacks, since they require an established pattern for comparison and detection. As a consequence, these techniques are heavily dependent on distribution channels, such as advisory organizations, to promulgate detection signatures. Therefore, there is often a period of inadequate protection between the appearance of an attack and the development and delivery of the corresponding detection signature. Typically, this delay is on the order of days or weeks, not minutes or hours, thus leaving an enterprise vulnerable to a repeat attack.
Therefore, there exists a need for systems and methods that improve the ability to detect malicious network activity.