Automatic Data Generation and Rule Creation for Network Scanning Tools

Conference paper
Proceedings of the Future Technologies Conference (FTC) 2023, Volume 2 (FTC 2023)

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 814)


Abstract

Detecting adversaries and their intentions during the intelligence gathering step of the attack lifecycle provides defenders with a strategic advantage. During this step, network scanning tools are a primary resource used by attackers to discover hosts and enumerate services. Tool capabilities and intent vary, ranging from scanning for specific services and specific vulnerabilities to large-scale information extraction. By detecting the specific tools used during scanning, a defender can infer, to a certain extent, the intentions of an attacker and react accordingly by invoking defenses such as dynamic redirection, service blocking, and customized and adaptive honeypots. This paper describes the GEM (Generate, Examine, and Match) system, which implements an automated pipeline for creating rules that detect intelligence gathering tools. GEM starts by running the tools and collecting their traffic. It then extracts signatures using differential packet analysis and, finally, creates Suricata intrusion detection system rules. We tested the system against several scanning tools available on the Kali Linux operating system, totaling 54 configurations. Our analysis shows that GEM can generate rules for all of the tool configurations. All plaintext configurations can be uniquely identified, and all but six of the 21 encryption configurations can be uniquely identified.
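To make the Examine and Match steps concrete, the following added example (not the paper's GEM code) derives a distinguishing byte signature from constructed captures of two hypothetical scanner configurations using Python's difflib, then renders it as a Suricata rule. The tool names, probe payloads, port, `$HOME_NET` destination and SID are all assumptions; a configuration whose traffic is indistinguishable from another yields no signature, mirroring the configurations the paper could not uniquely identify.

```python
# Differential payload analysis -> Suricata rule, mirroring the Examine and Match
# steps of GEM. Added example, not the paper's code; payloads are constructed.
import re
from difflib import SequenceMatcher

# Constructed HTTP probes from two hypothetical scanner configurations, each
# run against two targets so target-specific bytes cannot become the signature.
CAPTURES = {
    "tool_a": [
        b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: ScanTool-A/1.0\r\nAccept: */*\r\n\r\n",
        b"GET /admin HTTP/1.1\r\nHost: 10.0.0.9\r\nUser-Agent: ScanTool-A/1.0\r\nAccept: */*\r\n\r\n",
    ],
    "tool_b": [
        b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: Scanner-B\r\nAccept: */*\r\n\r\n",
        b"GET /login HTTP/1.1\r\nHost: 10.0.0.9\r\nUser-Agent: Scanner-B\r\nAccept: */*\r\n\r\n",
    ],
}
UNSAFE = re.compile(r"[^A-Za-z0-9 ./=*,_-]+")  # rendered as |hex| in the rule

def common_blocks(payloads, min_len=4):
    """Byte substrings (>= min_len) present in every payload of one tool."""
    candidates = {payloads[0]}
    for other in payloads[1:]:
        narrowed = set()
        for cand in candidates:
            blocks = SequenceMatcher(None, cand, other, autojunk=False).get_matching_blocks()
            narrowed.update(cand[b.a:b.a + b.size] for b in blocks if b.size >= min_len)
        candidates = narrowed
    return candidates

def distinctive_signature(tool, captures, min_len=4):
    """Longest block all of `tool`'s probes share and no other tool emits; None if none."""
    others = [p for t, ps in captures.items() if t != tool for p in ps]
    unique = [c for c in common_blocks(captures[tool], min_len)
              if not any(c in p for p in others)]
    return max(unique, key=len, default=None)

def to_content(sig):
    """Suricata content syntax: safe printable ASCII as-is, other bytes as |xx xx|."""
    text = sig.decode("latin-1")  # one character per byte
    return UNSAFE.sub(lambda m: "|" + m.group().encode("latin-1").hex(" ") + "|", text)

def suricata_rule(tool, sig, sid, port=80):
    """Rule that fires when the signature appears in a client request to `port`."""
    return (f'alert tcp any any -> $HOME_NET {port} (msg:"Scanner fingerprint {tool}"; '
            f'flow:to_server,established; content:"{to_content(sig)}"; '
            f'classtype:attempted-recon; sid:{sid}; rev:1;)')

if __name__ == "__main__":
    print(suricata_rule("tool_a", distinctive_signature("tool_a", CAPTURES), 1000001))
```

The emitted signature is unique as a contiguous whole even where parts of it (here the Accept header) are shared with the other tool, which is why the rule uses a single `content` match rather than per-header checks.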


Notes

  1. https://github.com/ARL-UTEP-OC/GEM_dataset


Corresponding author

Correspondence to Jaime C. Acosta.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Acosta, J.C., Akbar, M., Hossain, M.S., Rivas, V. (2023). Automatic Data Generation and Rule Creation for Network Scanning Tools. In: Arai, K. (eds) Proceedings of the Future Technologies Conference (FTC) 2023, Volume 2. FTC 2023. Lecture Notes in Networks and Systems, vol 814. Springer, Cham. https://doi.org/10.1007/978-3-031-47451-4_38
