Network Forensics: Detection and Analysis of Stealth Port Scanning Attack

Network administrator performs port scanning for the purpose of network monitoring and troubleshooting on the other hand this facility become vulnerability when attacker performs port scanning for probing networks, searching for vulnerabilities and then infiltrate IT assets. It is often a primarily tactic that is adopted by attacker prior to launching a targeted cyber-attack. Moreover in recent times, port scanning techniques become highly distributed, composite, hybrid, and stealthy, therefore almost all current detection techniques are unfeasible. Stealth is considered to be a type of port scan which is undetected by available auditing tools such as firewall, routes, filters etc. A stealth port scan method does not produce any TCP sessions; hence, none of these scans should appear in any of the application logs. Therefore, it is of vital importance to research and adopt methods for the detection and attribution of stealth port scanning attack. In this work a network forensic architecture for detection and analysis of stealth port Scanning attack is proposed. It consist of two main modules, a capturing module that captures fine grained evidences from the network traffic and an analysis module that classifies each packet based on the predefined signature. A proof of concept prototype is implemented which utilize, operational network traffic data injected with crafted scans to test the system. It is reported that the proposed system correctly identifies crafted scans injected into real traffic.