Abstract:
Computer networks provide an excellent environment for stealthy reconnaissance activities. Modern computer systems are predominantly connected to a network. Recent events such as Duqu 2.0 showed that even if systems are not publicly accessible, e.g. via a public IP address, hostile activities also frequently target computer systems in isolated, for example air-gapped, networks. This threat landscape requires a professional set of methods to detect, classify and mitigate hostile network activities. To prevent data leakage, sabotage or other disruptive behaviour, a robust early warning system needs to be employed. In the majority of cases, port scans are used to identify systems and services in a computer network. In addition, port scans reveal crucial information about operating systems, patch levels and service versions. This information is the foundation for a successful compromise and infiltration of computer networks. To impair network reconnaissance, an early warning framework is proposed to detect such activities, estimate the tools hostile entities are applying and mitigate their exploration attempts. The framework employs long short-term memory cells to classify sequences of observations made at the network interface of computer systems. If malicious behaviour is detected, the framework triggers counter-measures to prevent hostile entities from collecting intelligence. The proposed framework is able to detect port scans after a small number of scanned ports, effectively rendering the reconnaissance attempt impractical. Even if the scans are very fast, the framework is able to disrupt the activity. [ABSTRACT FROM AUTHOR]