Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking

Proceedings of the 19th USENIX Security Symposium

Volumn , Issue , 2010, Pages 257-272

  Ensafi, Roya ^a   Park, Jong Chun ^a   Kapur, Deepak ^a   Crandall, Jedidiah R ^a  

^a University of New Mexico   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

MODEL CHECKING; SIDE CHANNEL ATTACK;

BOUNDED MODEL CHECKING; EXPERIMENTAL VERIFICATION; NETWORK PROTOCOL STACK; PROTECTED NETWORKS; SYMBOLIC MODEL CHECKING; TRANSITION SYSTEM; TRUST RELATIONSHIP; UNTRUSTED NETWORK;

INTERNET PROTOCOLS;

EID: 84906789612     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (38)

1. ANTIREZ. new tcp scan method. Posted to the bugtraq mailing list, 18 December 1998.
2. BELLOVIN, S. M . A technique lor counting NATted hosts. In 1MW '02: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment (New York, NY, USA, 2002), ACM, pp. 267-272.
3. BENSALEM, S., GANESH, V., LAKHNECH, Y, NOZ, C . M ., OWRE, S., RUESS, H ., RUSHBY, J., RUSU, V., SAIDI, H ., SHANKAR, N ., SINGERMAN, E., A N D TIWARI, A . A n overview of SAL. In LFM 2000: Fifth NASA Langiey Formal Methods Workshop (Hampton, VA, jun 2000), C. M. Holloway, Ed., NASA Langiey Research Center, pp. 187-196.
4. BERNSTIEN, D . J. SYN Cookies. http://er.yp.to/syncookies.html.
5. CHOI, Y. From NuSMV to SPIN: Experiences with model checking (light guidance systems. Form. Methods Syst. Des. 30, 3 (2007), 199-216.
6. DEMOURA, E. SAL tutorial. CSL technical note, Computer Science Laboratory, SRI International, Menlo Park, CA, Apr. 2004. Available at http://sal.csl.sri.com/doc/salenv_tutorial.pdf.
7. DIJKSTRA, E. W. Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18, 8 (1975), 453¬ 457.
8. [ 8 ] EDMUND, S . C, CLARKE, E . M ., SHARYGINA, N ., A N D SINHA, N . State/event-based software model checking. I n Integrated Formal Methods (2004), Springer-Verlag, pp. 128-147.
9. GATES, C. Co-ordinatedpon scans: a model, a detector and an evaluation methodology. PhD thesis, Dalhousie Univ., Halifax, Canada, Canada, 2006.
10. GATES, C. Coordinated scan detection. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 09) (Feb. 2009).
11. GOGUEN, J. A ., A N D MESEGUER, J. Security policies and security models. In IEEE Symposium on Security and Privacy (1982), pp. 11-20.
12. Gu, G., SHARIF, M ., QIN, X ., DAGON, D ., LEE, W ., A N D RILEY, G. Worm detection, early warning and response based on local victim information. In ACSAC '04: Proceedings of the 20th Annual Computer Security Applications Conference (Washington, DC, USA, 2 0 0 4), IEEE Computer Society, pp. 136-145.
13. HAMED, H ., AL-SHAER, E., A N D MARRERO, W. Modeling and verification of IPSec and VPN security policies. In ICNP '05: Proceedings of the 1JTH IEEE International Conference on Network Protocols (Washington, DC, USA, 2005), IEEE Computer Society, pp. 259-278.
14. JUNG, J., PAXSON, V, BERGER, A . W., A N D BALAKRISH-NAN, H. Fast portscan detection using sequential hypothesis testing. In Proceedings of the IEEE Symposium on Security and Privacy (2004).
15. KANG, M . G., CABALLERO, J., A N D SONG, D . Distributed evasive scan techniques and countermeasures. In DIMVA '07: Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment (Berlin, Heidelberg, 2007), Springer-Verlag, pp. 157-174.
16. KEMMERER, R. A. Shared resource matrix methodology: an approach to identifying storage and timing channels. ACM Trans. Compia. Syst. 1, 3 (1983), 256-277.
17. KOHNO, T., BROIDO, A ., A N D CLAFFY, K . C. Remote Physical Device Fingerprinting. IEEE Symposium on Security and Privacy (May 2005).
18. LECKIE, C, A N D KOT. AGIRI, R. A probabilistic approach to detecting network scans. In IEEE/IFIP Network Operations and Management Symposium. (NOMS). (2002), pp. 359-372.
19. LEMON, J. Resisting SYN flood DoS attacks with a SYN cache, http://people.freebsd.org/~jlemon/papers/syncache.pdf.
20. LYON, G . Nmap Network Scanning: The Official Nmap Project Guide to Network Discover,- and Security Scanning. Insecure.Org L L C, Sunnyvale, CA, USA, 2009.
21. MCCAMANT, S., A N D ERNST, M . D. A simulation-based proof technique for dynamic information (low. In PLAS 2007: ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (San Diego, California, USA, June 14, 2007) .
22. MCCAMANT, S., A N D ERNST, M . D . Quantitative information (low as network (low capacity. In Proceedings of the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation (Tucson, A Z, USA, June 9-11, 2008) .
23. MUELDER, C, LIU, M.A.K ., A N D BARTOLETTI, T. Interactive visualization for network and port scan detection. In Proceedings of2005 Recent Advances in Intrusion Detection (2005), p. 05 .
24. PANG, R., YEGNESWARAN, V, BARFORD, P., PAXSON, V ., A N D PETERSON, L . Characteristics o f internet background radiation. In IMC '04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement (New York, NY, USA, 2004), ACM, pp. 27^0.
25. RITCHEY, R. W., A N D AMMANN, R Using model checking to analyze network vulnerabilities. In SP '00: Proceedings of the 2000 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2000), IEEE Computer Society, p. 156.
26. RUSHBY, J. SAL tutorial: The Needham-Schroeder protocol in SAL. CSL technical note, Computer Science Laboratory, SRI International, Menlo Park, CA, Oct. 2003. Available at http://www.csl.sri.com/users/rushby/abstracts/needham03.
27. RUSHBY, J. SAL tutorial: Analyzing the fault-tolerant algorithm OM(l). CSL technical note, Computer Science Laboratory, SRI International, Menlo Park, CA, Apr. 2004. Available at http://www.csl.sri.com/users/rushby/abstracts/oml.
28. SAL PROJECT. Examples, http://sal.csl.sri.com/examples. shtml.
29. SCHECHTER, S., JUNG, J., A N D BERGER, A . W. Fast Detection ot Scanning Worm Infections. In 7lh International Symposium on Recent Advances in Intrusion Detection (RAID) (French Riviera, France, September 2004).
30. SRIDHARAN, A ., A N D YE, T. Tracking port scanners on the IP backbone. In LSAD '07: Proceedings of the 2007 workshop on Large Scale Attack Defense (New York, NY, USA, 2007), A C M, pp. 137-144.
31. SRIDHARAN, A ., YE, T., A N D BHATTACHARYYA, S. Connectionless port scan detection on the backbone. In Performance, Computing, and Communications Conference, 2006. IPCCC 2006. 25th IEEE International (April 2006), pp. 10 pp.-576.
32. STANIFORD, S., HOAGLAND, J.A ., A N D MCALERNEY, J . M . Practical automated detection of stealthy portscans. /. Compiti Secar. 10, 1-2 (2002), 105-136.
33. SUTHERLAND, D. A model ot information. In Proceedings of the 9th National Computer Security Conference (1986).
34. VirtualBox. http://www.virtualbox.org/.
35. WEAVER, N ., STANIFORD, S., A N D PAXSON, V. Very fast containment of scanning worms. In SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium (Berkeley, CA, USA, 2004), USENIX Association, pp. 3-3.
36. WHYTE, D., KRANAKIS, E., A N D VAN OORSCHOT, P. C. DNSbased detection of scanning worms in an enterprise network. In Proc. ofthe 12th annual Network and Distributed System Security symposium (2005), pp. 181-195.
37. WRAY, J. C. An analysis of covert timing channels. In IEEE Symposium on Security and Privacy (1991), pp. 2-7.
38. YUMEREFENDI, A ., MICKLE, B ., A N D COX, L . P. TightLip: Keeping applications from spilling the beans. In Networked Systems Design and Implementation (NSDI) (2007).