Connection Attempt Analysis
Definition
Analyzing failed connections in a network to detect unauthorized activity.
Synonyms: Network Scan Detection.
How it works
Connection Attempt Analysis can be implemented in multiple ways.
Monitoring traffic to unallocated IP space
One approach looks for failed connection attempts against unallocated IP space. First, network traffic is captured to map out the network to identify network assets as well as unallocated IP space. The map is then used to determine if connection attempts are being made to the unallocated IP space.
Monitoring for sequentially transmitted traffic
Another approach passively inspects network traffic with application protocol analyzers, observing characteristics such as the volume of packets sent and received, TCP session attributes, and connection information between hosts (start time, source and destination host, services, etc.). Pattern matching is then applied to identify traffic that appears to be probing for network hosts.
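As an added illustration of the pattern-matching approach (example code written for this article, not from D3FEND or from any referenced patent), the following Python function groups flow records by source host and flags a source whose distinct destinations within a short time window form a run of consecutive IP addresses, reporting how many of those attempts never established a session. The flow records are constructed sample data in a Zeek-style shape, and the 60-second window and minimum run length of four are assumed thresholds.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real capture data), in a Zeek-like shape.
# conn_state "S0" = SYN seen with no reply; "SF" = a normally completed session.
SAMPLE_FLOWS = [
    {"ts": 100.0, "src": "10.0.5.20", "dst": "10.0.1.1", "dport": 445, "conn_state": "S0"},
    {"ts": 100.5, "src": "10.0.5.20", "dst": "10.0.1.2", "dport": 445, "conn_state": "S0"},
    {"ts": 101.0, "src": "10.0.5.20", "dst": "10.0.1.3", "dport": 445, "conn_state": "S0"},
    {"ts": 101.5, "src": "10.0.5.20", "dst": "10.0.1.4", "dport": 445, "conn_state": "SF"},
    {"ts": 102.0, "src": "10.0.5.20", "dst": "10.0.1.5", "dport": 445, "conn_state": "S0"},
    {"ts": 102.5, "src": "10.0.5.20", "dst": "10.0.1.6", "dport": 445, "conn_state": "S0"},
    # An ordinary client: a few sessions to unrelated servers, one of them failed.
    {"ts": 100.0, "src": "10.0.5.31", "dst": "10.0.1.10", "dport": 443, "conn_state": "SF"},
    {"ts": 130.0, "src": "10.0.5.31", "dst": "10.0.1.25", "dport": 443, "conn_state": "SF"},
    {"ts": 131.0, "src": "10.0.5.31", "dst": "10.0.1.12", "dport": 80, "conn_state": "S0"},
]

# Zeek conn_state values meaning no TCP session was established (assumed subset).
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0"}


def _longest_consecutive_run(addresses):
    """Length of the longest run of numerically consecutive addresses.

    Addresses are compared as integers, so IPv4 and IPv6 values can be mixed
    without ever being counted as consecutive with each other.
    """
    ints = sorted({int(ipaddress.ip_address(a)) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_sequential_probing(flows, window=60.0, min_run=4):
    """Return one alert per source whose destinations within `window` seconds
    include at least `min_run` consecutive addresses (assumed thresholds)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)

    alerts = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["ts"])
        best = None
        # Slide a window starting at each flow and keep the strongest match.
        for i, start in enumerate(fl):
            in_window = [f for f in fl[i:] if f["ts"] - start["ts"] <= window]
            run = _longest_consecutive_run(f["dst"] for f in in_window)
            if run >= min_run and (best is None or run > best["consecutive_targets"]):
                failed = sum(1 for f in in_window if f["conn_state"] in FAILED_STATES)
                best = {
                    "src": src,
                    "window_start": start["ts"],
                    "consecutive_targets": run,
                    "failed_attempts": failed,
                    "ports": sorted({f["dport"] for f in in_window}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_sequential_probing(SAMPLE_FLOWS):
        print(alert)
```

Run on the sample, the only alert names 10.0.5.20, which walked 10.0.1.1 through 10.0.1.6 on port 445 with five of six attempts unanswered; 10.0.5.31's single failed connection is not reported because its destinations are neither consecutive nor numerous. In practice the thresholds would be tuned per network, and hosts that legitimately sweep address ranges (vulnerability scanners, monitoring systems) would be listed in an allow-list before alerting.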
Considerations
- Implementations that rely on analysis of unallocated IP address space grow in complexity with network size and with decentralized network infrastructure.
- The inventory of unallocated IP space should be continuously updated to mitigate the risk of false positives.
- IPv6 also introduces challenges, including IPv6 traffic bypassing IPv4-specific protection systems (ex. firewalls and IDS) and the complexity of managing both IPv6 and IPv4 addresses.
References
The following references were used to develop the Connection Attempt Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Detecting network reconnaissance by tracking intranet dark-net communications
MITRE Comments
This patent describes detecting an attacker performing internal reconnaissance within an organization's network to gather intelligence about the configuration of the network or identify the next target. Network packets are collected (ex. tapped from a network switch) and processed to create flows that are used to map out the network to identify network assets as well as ghost assets (addresses not assigned to a device or an existing device that is temporarily disabled). Once this mapping is complete it is used to monitor the network to determine if an attacker is attempting to connect to a ghost asset. If an attacker attempts to connect to a ghost asset over a threshold (ex. contacting four ghost assets in less than seven minutes), an alert is generated.
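As an added illustration of the unallocated-IP-space approach described under "How it works" and of the ghost-asset monitoring summarized above (example code written for this article, not from D3FEND or from the referenced patent), the following Python code first maps a monitored range from flow records, treating any address that completed a session as a live asset and every other address in the range as a ghost asset, then alerts when one source contacts four distinct ghost assets in less than seven minutes, the example threshold quoted above. The monitored range, the flow records and the Zeek-style conn_state values are constructed sample data, and building the asset map from completed sessions alone is a simplification of what a real mapping phase would use.

```python
import ipaddress
from collections import defaultdict

# Constructed: the internal range being mapped and monitored.
MONITORED = ipaddress.ip_network("10.0.1.0/24")

# Phase 1 (constructed sample): mapping flows. A responder that completed a
# session ("SF") is recorded as a live asset.
MAPPING_FLOWS = [
    {"ts": 0.0, "src": "10.0.5.31", "dst": "10.0.1.10", "conn_state": "SF"},
    {"ts": 5.0, "src": "10.0.5.31", "dst": "10.0.1.25", "conn_state": "SF"},
    {"ts": 9.0, "src": "10.0.5.40", "dst": "10.0.1.12", "conn_state": "SF"},
]

# Phase 2 (constructed sample): monitoring flows. One host touches four distinct
# addresses that nobody answered during mapping, within five minutes.
MONITOR_FLOWS = [
    {"ts": 1000.0, "src": "10.0.5.20", "dst": "10.0.1.7", "conn_state": "S0"},
    {"ts": 1060.0, "src": "10.0.5.20", "dst": "10.0.1.10", "conn_state": "SF"},  # live asset
    {"ts": 1120.0, "src": "10.0.5.20", "dst": "10.0.1.33", "conn_state": "S0"},
    {"ts": 1180.0, "src": "10.0.5.20", "dst": "10.0.1.33", "conn_state": "S0"},  # same ghost again
    {"ts": 1240.0, "src": "10.0.5.20", "dst": "10.0.1.58", "conn_state": "S0"},
    {"ts": 1300.0, "src": "10.0.5.20", "dst": "10.0.1.91", "conn_state": "S0"},  # 4th ghost at +300s
    {"ts": 1000.0, "src": "10.0.5.31", "dst": "10.0.1.99", "conn_state": "S0"},  # isolated misses,
    {"ts": 3000.0, "src": "10.0.5.31", "dst": "10.0.1.98", "conn_state": "S0"},  # far apart in time
]


def build_asset_map(flows, monitored=MONITORED):
    """Return the set of addresses inside `monitored` that completed a session.

    Every other address in the range is treated as a ghost asset. A production
    mapper would also fold in ARP/ND, DHCP leases and asset inventory, and
    would be re-run continuously so the map does not go stale.
    """
    live = set()
    for f in flows:
        dst = ipaddress.ip_address(f["dst"])
        if dst in monitored and f["conn_state"] == "SF":
            live.add(dst)
    return live


def detect_ghost_contacts(flows, live_assets, monitored=MONITORED,
                          threshold=4, window=7 * 60):
    """Alert when one source contacts at least `threshold` distinct ghost
    addresses in less than `window` seconds (defaults follow the example
    figures quoted from the patent description)."""
    contacts = defaultdict(list)  # src -> [(ts, ghost address)], in time order
    for f in sorted(flows, key=lambda f: f["ts"]):
        dst = ipaddress.ip_address(f["dst"])
        if dst in monitored and dst not in live_assets:
            contacts[f["src"]].append((f["ts"], dst))

    alerts = []
    for src, events in contacts.items():
        for i, (t0, _) in enumerate(events):
            ghosts = {ip for ts, ip in events[i:] if ts - t0 < window}
            if len(ghosts) >= threshold:
                alerts.append({
                    "src": src,
                    "first_ts": t0,
                    "ghost_assets": [str(ip) for ip in sorted(ghosts)],
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    live = build_asset_map(MAPPING_FLOWS)
    for alert in detect_ghost_contacts(MONITOR_FLOWS, live):
        print(alert)
```

On the sample data only 10.0.5.20 is reported: its contact with the live asset 10.0.1.10 is ignored, the repeated attempt against 10.0.1.33 counts once, and the fourth distinct ghost address arrives 300 seconds after the first. The second host's two misses, 2,000 seconds apart, never reach the threshold inside one window. Because the ghost set is simply "everything in the range that is not mapped as live", the quality of the detection rests on keeping the asset map current, which is the false-positive concern raised under Considerations.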