Network Attacks: Taxonomy, Tools and Systems

Journal of Network and Computer Applications 40 (2014) 307–324
Contents lists available at ScienceDirect. Journal homepage: www.elsevier.com/locate/jnca
Review

Network attacks: Taxonomy, tools and systems

N. Hoque (a, corresponding author), Monowar H. Bhuyan (a), R.C. Baishya (a), D.K. Bhattacharyya (a), J.K. Kalita (b)
(a) Department of Computer Science & Engineering, Tezpur University, Napaam, Tezpur 784028, Assam, India
(b) Department of Computer Science, University of Colorado at Colorado Springs, CO 80933-7150, USA

Article history: Received 28 January 2013. Received in revised form 11 July 2013. Accepted 5 August 2013. Available online 15 August 2013.

Keywords: Network attacks; Tools; Systems; Protocol; DoS

Abstract

To prevent and defend networks from the occurrence of attacks, it is highly essential that we have a broad knowledge of existing tools and systems available in the public domain. Based on the behavior and possible impact or severity of damages, attacks are categorized into a number of distinct classes. In this survey, we provide a taxonomy of attack tools in a consistent way for the benefit of network security researchers. This paper also presents a comprehensive and structured survey of existing tools and systems that can support both attackers and network defenders. We discuss pros and cons of such tools and systems for better understanding of their capabilities. Finally, we include a list of observations and some research challenges that may help new researchers in this field based on our hands-on experience.

© 2013 Elsevier Ltd. All rights reserved.

Contents

1. Introduction 308
1.1. Motivation 308
1.2. Prior surveys 308
1.3. Contributions 309
1.4. Organization 309
2. Network attacks and related concepts 309
2.1. Anomalies in network 309
2.2. Steps in launching an attack 309
2.3. Launching and detecting attacks 309
3. Network security tools 310
3.1. Information gathering tools 310
3.1.1. Sniffing tools 310
3.1.2. Scanning tools 312
3.2. Attack launching tools 313
3.2.1. Trojans 313
3.2.2. DoS/DDoS attacks 314
3.2.3. Packet forging attack tools 315
3.2.4. Application layer attack tools 316
3.2.5. Fingerprinting attack tools 316
3.2.6. User attack tools 317
3.2.7. Other attack tools 317
3.3. Network monitoring tools 318
3.3.1. Visualization and analysis tools 318
4. Attack detection systems 318
5. Observations and conclusions 321
Acknowledgments 323
References 323

Corresponding author. Tel.: +91 9864967675. E-mail addresses: [email protected] (N. Hoque), [email protected] (M.H. Bhuyan), [email protected] (R.C. Baishya), [email protected] (D.K. Bhattacharyya), [email protected] (J.K. Kalita).
1084-8045/$ - see front matter © 2013 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.jnca.2013.08.001

1. Introduction

Due to the Internet's explosive growth and its all-pervasive nature, users these days rely on computer networks for most day-to-day activities. Network attacks attempt to bypass the security mechanisms of a network by exploiting the vulnerabilities of the target network. Network attacks disrupt legitimate network operations and include malfunctioning of network devices, overloading a network and denying services of a network to legitimate users, highly reducing network throughput, scanning maliciously and other similar activities. An attacker may also exploit loopholes, bugs, and misconfigurations in software services to disrupt normal network activities. Network security tools facilitate network attackers as well as network defenders in identification of network vulnerabilities and collection of network statistics. Network attackers intentionally try to identify loopholes based on common services open on a host and gather relevant information for launching a successful attack. Thus it is of considerable interest to attackers to determine whether or not the defenders of a network are monitoring network activities regularly. Network defenders try to reduce abnormal activities in live network traffic. Defenders do not usually hide their identity during observation, while attackers do.

A large number of network security tools have been designed to launch, capture, visualize, and detect different types of attacks with multiple objectives. Example tools include LOIC (Pras et al., 2010), HOIC (Mansfield-Devine, 2011), Wireshark (Orebaugh et al., 2006), Gulp (Satten, 2007), Ntop (Deri et al., 2001), etc. These tools can be used for capture of live network traffic, preprocessing, feature extraction, vulnerability analysis, traffic visualization and actual detection of attacks. Thus, network security tools help in network security engineering from the viewpoint of both attackers and defenders.

1.1. Motivation

Even though there are several published surveys of network security tools such as Conti and Abdullah (2004), Barber (2001), and Pilli et al. (2010), their scopes are limited and they usually discuss only a few tools. In Conti and Abdullah (2004), the authors discuss network attack tools which are specific to visual fingerprinting. In Barber (2001), the authors include a few tools that are commonly used by hackers. An exhaustive survey of network forensics is presented in Pilli et al. (2010). The authors categorize the tools into two major groups, viz., network forensic analysis tools and network security tools. None of the surveys (Conti and Abdullah, 2004; Barber, 2001; Pilli et al., 2010) include a taxonomy, attack launching tools, and information gathering tools. They also do not discuss recent network intrusion detection systems. Hence, in this paper we present a structured and comprehensive survey on network attacks in terms of general overview, taxonomy, tools, and systems with a discussion of challenges and observations. Our paper is detailed with ample comparisons where necessary and intended for readers who wish to begin research in this field.

1.2. Prior surveys

Several surveys on network security are available in the literature (Conti and Abdullah, 2004; Barber, 2001; Pilli et al., 2010; Gogoi et al., 2011; Zhou et al., 2010; Lunt, 1993; Peng et al., 2007; Dhanjani and Clarke, 2005; Li et al., 2013). However, only a few surveys cover network security tools in general. Garcia-Teodoro et al. (2009) discuss some popular anomaly based intrusion detection techniques and systems. They focus on NIDSs and several detection techniques under three major categories, viz., statistical, knowledge based, and machine learning. Corona et al. (2013) present an overview of adversarial attacks against intrusion detection systems. They provide a general taxonomy of attacks against IDSs, use of IDS weaknesses for attack implementation, and solutions for each attack they include. An overview of IDSs in terms of detection and operation is given in Axelsson (2000). Debar et al. (1999a) present a taxonomy of IDSs from several security aspects. A few fingerprinting attack tools with their detection methodologies are briefly summarized in Conti and Abdullah (2004). Out of the top 75 network security tool list produced by fyodor, the creator of nmap, a few tools have been included. Barber (2001) presents a few sophisticated attack tools with their usefulness in brief. Our survey differs from these previous surveys in view of the following points.

(a) Unlike Sherif and Dearmond (2002), we present tools and attack detection systems under two main categories, viz., tools for network defenders and tools for attackers. Our survey also includes a comparison of tools with parameters that are useful to the network traffic analyzer.
(b) A survey of network forensic analysis methods is reported in Pilli et al. (2010). Similar to this survey, we describe tools for network defenders as well as tools for attackers used during network traffic capture, analysis and visualization. In addition, we also include a discussion on several IDSs, with architectures to improve the reader's understanding of the detection mechanisms.
(c) Unlike Corona et al. (2013), we include a taxonomy of network attacks, tools and detection systems. Tools are categorized into two classes: tools for network defenders and tools for attackers. The tools and systems are evaluated using parameters that may help in choosing a tool or a system for experiment or for specific applications.

A comparison of the existing surveys on network security tools and systems is given in Table 1.

Table 1. Comparison with existing surveys.
Columns: Tools (Attack, Defense, Both); Systems (Host, Network, Hybrid). Check marks are shown as extracted.

References                    Check marks
Conti and Abdullah (2004)     √
Barber (2001)                 √
Pilli et al. (2010)           √√√ √
Zhou et al. (2010)            √√
Lunt (1993)                   √√
Peng et al. (2007)            √√
Dhanjani and Clarke (2005)    √
Debar et al. (1999a)          √√
Axelsson (2000)               √√ √
Sherif and Dearmond (2002)    √√ √
Lazarevic et al. (2005)       √√
Chandola et al. (2009)        √√ √
Bhuyan et al. (2013)          √√√√

1.3. Contributions

This paper provides a structured and comprehensive survey

(ii) Assessing vulnerability: Based on the vulnerabilities learned in the previous step, the attacker attempts to compromise some