
2008 International Conference on Electronic Design December 1-3, 2008, Penang, Malaysia

Embedded Port Scanner (EPSS) System Using Linux and Single Board Computer

N. Ahmed, Z. I. A. Khalib, R. B. Ahmed, W. M. Ghossoon, Suhizaz Sudin, Salina Asi

School of Computer and Communication Engineering, University Malaysia Perlis

P.O Box 77, d/a Pejabat Pos Besar, 0100 Kangar, Perlis, Malaysia. E-mail: [email protected]

Abstract

This paper presents our effort to realize a possible usage of an embedded Linux platform for intrusion detection (port scan). The approach was to develop software which performs port scans using the half-open and UDP techniques. The software is then executed on a Linux-based Single Board Computer (SBC) which runs the TS-Linux 2.4.23 kernel developed by Technology System (TS). It is interesting to find that, regardless of the limited processing power, the system performance on the embedded platform is on par with other port scanners running on a much higher-performance PC. The findings indicate that a low-end embedded Linux platform is suitable for network security applications and is marketable at a lower cost with the extra benefit of portability.

Keywords: Embedded System, Port Scan, Network Defense, Intrusion Detection System.

1. INTRODUCTION

Network intrusion detection is the broad technique of analyzing network traffic to determine suspicious or harmful events that may undermine the security of a computer network. At present, security is gaining overwhelming focus within the computer network community. As the number of network intrusions grows, intrusion defense mechanisms are urgently required to provide a secured network environment. Intrusion detection systems (IDS) play an important role in intrusion defense because malicious intrusions need to be identified first. Deploying IDS in the network has the benefit of minimizing the reaction time upon intrusion detection. Therefore research on IDS has recently become an important direction in network security [1,2]. To deploy IDS successfully on embedded hardware with known resource constraints is not easy, since assurance of accuracy, efficiency/timeliness, scalability and power-awareness is a must for any IDS [3]. In order to detect an attack, the network detection mechanism of an operating system needs to be enhanced. Nowadays, Linux has become one of the most popular operating systems since it is costless open source. As a result, the Linux operating system has been adopted in many gateways [4]. Embedded systems have become ubiquitous. Many systems and important devices have emerged, such as wireless networks, PDAs and phones. An embedded system is a system that is designed to serve a specific task. It comprises hardware and software working together. Almost all embedded systems come in a compact size, so users are able to use them as additional parts of other devices or construct specific applications with them. Usage of embedded systems has many advantages such as high efficiency, long life usage, and less energy consumption. The Single Board Computer (SBC) is one of the embedded systems produced by Technology System (TS) [5].

978-1-4244-2315-6/08/$25.00 ©2008 IEEE.

Port scanning is one of the most popular reconnaissance techniques attackers use to discover services. Many attackers perform a port scan as a first step to find vulnerable hosts to compromise. Detecting such port scans indicates incoming network intrusions. Besides, recent worm epidemics, such as Code Red II, Nimda, etc., scan for other vulnerable hosts for propagation [6, 7]. A network administrator can prevent viruses from spreading by detecting those port scans and then prohibiting them. A port scan is typically initiated by sending packets from the same source and the same port to various destinations and ports. If any destination has a service listening on the scanned port, a connection is established and a reply is sent back. From the reply, the attacker (or the worm) can know whether a service is available on the scanned port. It will then exploit the security problems of the service for further intrusion. There are two access patterns of port scans: horizontal (multiple destinations, same port) and vertical (same destination, multiple ports). To detect port scans early and prevent their further damage, many networks employ Network Intrusion Detection Systems (NIDS) at network entrances. One of the popular methods for finding susceptible hosts is port scanning. Port scanning can be defined as "hostile Internet searches for open 'doors', or ports, through which intruders gain access to computers" [8]. Port scanning can be used for a wide variety of applications, including network mapping, service discovery and security scanning. The network administrator uses the port scanning technique to determine what network-aware applications are running on the network. The security consultant uses the port scanning technique to find potential security issues and violations [9].

The remainder of this paper is organized as follows: Section 2 describes port scanning activity and detection methods. Section 3 gives the overall system overview. The architecture of the system is described in Section 4. Section 5 describes the embedded system TS-5500. Section 6 summarizes the results and performance of the new system. Lastly, Section 7 provides the conclusion.

2. RELATED WORK

Port scanning is a technique for discovering a host's weaknesses by sending port probes. Although sometimes used by system administrators for network exploration, port scanning generally refers to scans carried out by malicious users seeking out network vulnerabilities. The negative effects of port scans are numerous and range from wasting resources, to congesting the network, to enabling future, more serious attacks. There is a plethora of tools that aim to determine a system's weaknesses and determine the best method for an attack. The best known and documented tool is nmap by Fyodor [10]. Nmap uses a variety of active probing techniques and changes the packet probe options to determine a host's operating system. Nmap offers its users the ability to randomize destination IPs and change the order and timing between packets.

Several port scan detection mechanisms have been developed and are commonly included as part of intrusion detection systems. However, many of the detectors are easy to evade since they use simple rules that classify a port scan as more than X distinct probes within Y seconds from a single source. Typically, the length of Y is severely limited to keep the amount of state manageable. Spice, a tool developed at Silicon Defense, tries to avoid this drawback. Spice maintains records of event likelihood, from which it generates anomalousness scores, which are stored longer, while state for unsuspicious packets is safely discarded. This heuristic allows Spice to detect stealthy port scans while still being operationally practical. Another approach is employed by Vern Paxson in Bro and emphasizes real-time performance and notification, as well as a clear separation between mechanism and policy [11].
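The detection rule described in this section (more than X distinct probes within Y seconds from a single source), the horizontal/vertical distinction from Section 1 and the probe technique names used in Table 2, worked through as an added example. This is not the paper's EPSS code; the record layout, thresholds and all addresses are constructed. Running it shows why the rule is called easy to evade: the slow scan in the sample never trips a 5-second window, while the same probes judged against a 600-second window do.

```python
"""Port-scan detection over a stream of inbound packet records.

Added example, not code from the paper or the EPSS project. It implements the
"more than X distinct probes within Y seconds from a single source" rule,
labels each probe with the technique names used in Table 2, and classifies a
source's spread as horizontal or vertical. Records and addresses are constructed.
"""
from collections import defaultdict, deque

# TCP header flag bits (layout of the flags byte in RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def probe_type(proto, flags):
    """Name the probe technique an unsolicited inbound packet resembles.

    A lone SYN also opens every legitimate connection, so the label alone is
    not evidence of scanning; only the per-source rate and spread below are.
    """
    if proto == "udp":
        return "udp"
    if flags == SYN:
        return "syn"          # half-open scan probe
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == 0:
        return "null"
    return "other"


class ThresholdScanDetector:
    """X-in-Y rule: alert when one source touches more than `max_probes`
    distinct (destination, port) pairs inside any `window`-second span."""

    def __init__(self, max_probes=10, window=5.0):
        self.max_probes = max_probes
        self.window = window
        self._probes = defaultdict(deque)   # src -> deque of (ts, dst, port)

    def observe(self, ts, src, dst, port):
        q = self._probes[src]
        # Drop state older than the window. This bound keeps memory manageable
        # on a small box, and it is exactly what a slow scan exploits.
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if all((d, p) != (dst, port) for _, d, p in q):
            q.append((ts, dst, port))
        return len(q) > self.max_probes

    def pattern(self, src):
        """Spread of the probes still inside the window for `src`."""
        q = self._probes[src]
        dsts = {d for _, d, _ in q}
        ports = {p for _, _, p in q}
        if len(dsts) > 1 and len(ports) == 1:
            return "horizontal"   # many hosts, one port
        if len(dsts) == 1 and len(ports) > 1:
            return "vertical"     # one host, many ports
        if len(dsts) > 1 and len(ports) > 1:
            return "block"
        return "none"


def detect(records, max_probes=10, window=5.0):
    """Run the detector over (ts, src, dst, port, proto, flags) records and
    return per-source findings: whether the rule ever tripped (sticky), the
    spread at the end of the stream, and the probe techniques seen."""
    det = ThresholdScanDetector(max_probes, window)
    findings = defaultdict(lambda: {"alert": False, "pattern": "none", "techniques": set()})
    for ts, src, dst, port, proto, flags in records:
        f = findings[src]
        f["techniques"].add(probe_type(proto, flags))
        f["alert"] |= det.observe(ts, src, dst, port)
        f["pattern"] = det.pattern(src)
    return dict(findings)


# Constructed sample traffic (RFC 5737 documentation addresses as sources).
XMAS = FIN | PSH | URG
SAMPLE = (
    # fast vertical half-open scan: one host, 20 ports in two seconds
    [(0.0 + i * 0.1, "192.0.2.10", "10.0.0.5", p, "tcp", SYN) for i, p in enumerate(range(1, 21))]
    # fast horizontal XMAS scan: port 22 on 15 hosts in 1.5 seconds
    + [(100.0 + i * 0.1, "192.0.2.20", f"10.0.0.{h}", 22, "tcp", XMAS) for i, h in enumerate(range(1, 16))]
    # slow FIN scan: the same 20 ports, one probe every 10 seconds -> evades a 5-second window
    + [(200.0 + i * 10.0, "192.0.2.30", "10.0.0.5", p, "tcp", FIN) for i, p in enumerate(range(1, 21))]
    # benign client: repeated connections to one web server port
    + [(300.0 + i * 0.5, "192.0.2.40", "10.0.0.5", 80, "tcp", SYN) for i in range(30)]
)

if __name__ == "__main__":
    for src, f in sorted(detect(SAMPLE).items()):
        print(src, "ALERT" if f["alert"] else "ok", f["pattern"], sorted(f["techniques"]))
```

The detector is the general form of the rule, not tied to any particular port list: widening `window` catches the slow scan but means more state per source, which is the trade-off the paragraph above describes and the reason Spice and Bro take a different route.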

3. SYSTEM ARCHITECTURE

A. Overview (EPSS)

This system is called the Embedded Port Scanner System (EPSS) and is used for network security (network intrusion detection) purposes. Figure 1 shows an overview of the Embedded Port Scanner System. Efficiency of size, weight, cost, interchangeability, and consistency are the major factors [12] which led to the selection of an embedded PC as the hardware platform for the system. The embedded PC standard, a commonly used robotic development platform [13][14], specifies a main board of approximately 4 by 4 inches that houses a processor, memory and the basic chipset needed to function as a standalone embedded computer, capable of operating with only a separate power supply and whatever outside input or output devices the application calls for. The embedded PC allows the use of 802.11b (Wi-Fi) and wired Ethernet, which provide a high-speed two-way communication link between the system and the PC database server.

The embedded PC itself is portable and can be used for various purposes such as a network-based human face identification system, a robot vision platform and an embedded web server. Utilizing a Linux-based embedded PC allows us to take advantage of open source resources such as libraries, kernels and drivers in developing and implementing this system. The embedded PC comes with the TS-Linux OS, which also includes the TCP/IP network protocol stack. This allows network-centric applications to be easily developed and implemented. It can also perform the verification comparison internally if the user database is available on the embedded PC. This is useful if the user database is small, and it will not involve any communication with external databases. The only issue is the speed of the verification processing, which is slow compared to the network-based approach due to the low processing speed of the embedded PC. However, this can be improved by using high-speed embedded PC boards.


[Figure 1 not reproduced; the only label recoverable from the page is "Internet".]

Figure 1. Embedded port scanner overview

The embedded port scanner is designed to operate as a network intrusion detection platform that scans the network for all well-known ports.

B. Software Framework

The main idea is to develop an embedded system for network security (intrusion detection). The approach proposed was the use of an embedded system (embedded PC) for controlling external devices such as Universal Serial Bus (USB), an LCD panel and a matrix keypad, and for connectivity. The control was implemented in ANSI C software coded on top of an open source operating system (GNU/Linux).

The software code is portable to a desktop system for integration with other software components such as network security (IDS/IPS) software. A keypad module is required in order to perform the task. The software code is portable to a small embedded system without the need for the specific 32-bit embedded PC or a 32-bit embedded PC based system. The software works on any platform to which the Linux kernel has been ported. The software code is written to work regardless of any limitation of the hardware platform, such as slow processing speed.

5. THE HARDWARE PLATFORM

Given the focus of this paper, which is to evaluate the practicality of a low-end embedded Linux platform for a relatively average-speed computer network application, we opted for the TS-5500 Single Board Computer. The board comes with the TS-Linux 3.07 (2.4.23 kernel) operating system. Network support is one important feature of this 32-bit embedded PC technology. The TS-5500 has one RJ45 port and supports standard networking via Telnet and the File Transfer Protocol (FTP). But it does not support the Secure Shell (SSH) function. However, Secure Copy (SCP) is available in this model by activating the dropbear functions provided by TS-Linux. The board comes with an AMD Elan 520 (x86 compatible) processor that runs at 133 MHz as well as 64 MB of RAM. It also has a Type 1 Compact Flash card reader, USB, PCMCIA, a 10/100Base-T Ethernet interface and an alphanumeric LCD and keypad interface.

[Figure 3 not reproduced. Figure labels recoverable from the page at this point: "Port Scan (active reconnaissance)", "Packet Sniff (passive reconnaissance)", "COMPONENT".]

Figure 3. Embedded system single board computer (SBC)

6. RESULTS AND DISCUSSION

Figure 2. Overall software architecture

The Embedded Port Scanner (EPS) has been implemented on a Linux 2.4.23 Single Board Computer (SBC), using C as the programming language.

[Figures 5 and 6 not reproduced. Both are line plots with x-axis ticks 0, 10, 20, ..., 90; the y axis of Figure 5 runs 0 to 3.5 and that of Figure 6 runs 0 to 2.]

Figure 5. CPU status at the time of and before executing the program

Figure 6. Memory used at the time of and before executing the program

Fig. 6 illustrates the memory used before and at the time of executing the program. Our new system is 16-bit. At the time of program execution it does not allocate much memory: the new software takes 3.5% of the memory space out of the total memory space (62684 k). The rest of the memory space (45336 k) is free.

Table 1. Comparison of EPSS and other port scan software

Developing EPS for intrusion detection has the benefit that the system modules are natively more secure with substantially good system performance. In addition, a lot of legacy C library code can be easily ported. The experiment presents the performance of the new Embedded Port Scan System (EPSS). The performance of the new system is tested by comparing the CPU status and the memory used before executing the program and at the time of execution. Total memory of the new system is 62684k. The new source code total file size is 6.0k and the object file size is 25k. The object file was generated under a chroot environment on an Ubuntu Linux desktop. The rest of the memory, 45336k, is free. The new system has been tested on our lab gateway. Table 1 shows the detailed results, which compare our system (EPSS) with other well-known desktop Windows-based port scanning software.

Figure 5 illustrates the experimental result. This graph shows the CPU status before execution and at the time of execution of the program. At execution time the maximum CPU utilization is 1.9%, compared with 1.3% at no-execution time. To scan 100 ports the new system takes 81 seconds. For the experiment we used various techniques for all types and numbers of ports (well-known 0-1023, registered ports 1024-49151 and dynamic or private 49152-65535). Table 2 shows the detailed results.

Name of Software                      Total Port   Total Time
Embedded Port Scanner System (EPSS)   100          81 Sec
Network Active Port Scan (PC-Based)   100          120 Sec
Advance Port Scanner (PC-Based)       100          71 Sec
NMAP (PC-Based)                       100          63 Sec

Table 2. Various techniques of scanning

Name of Technique   Total Port   Time     IP
TCP SYN             1024         33 min   10.172.1.90
TCP FIN             1024         30 min   10.172.1.90
TCP XMAS            1024         31 min   10.172.1.90
UDP                 1024         39 min   10.172.1.90
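How the CPU and memory figures reported in this section can be taken from /proc on a Linux box such as the TS-5500, as an added example; this is not the paper's measurement code. The sample /proc texts are constructed: MemTotal and MemFree use the totals quoted above, and the remaining values are chosen so the results come out at the paper's 3.5% memory and 1.9% CPU figures. VmRSS is the resident-set field Linux reports in /proc/<pid>/status, and the aggregate "cpu" line of /proc/stat counts ticks as user, nice, system, idle, iowait, irq, softirq.

```python
"""Measuring a program's footprint on an embedded Linux box from /proc.

Added example, not the paper's code. Two readings: a process's share of total
RAM (VmRSS from /proc/<pid>/status against MemTotal from /proc/meminfo) and CPU
utilization between two samples of the aggregate "cpu" line of /proc/stat.
The sample texts below are constructed.
"""


def parse_kb_fields(text):
    """Parse 'Key:  value kB' lines (the layout of /proc/meminfo and the Vm*
    lines of /proc/<pid>/status) into {key: int}; non-numeric lines are skipped."""
    out = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if not sep:
            continue
        parts = rest.split()
        if parts and parts[0].isdigit():
            out[key.strip()] = int(parts[0])
    return out


def memory_share_pct(meminfo_text, status_text):
    """Percentage of total RAM held resident by one process."""
    total = parse_kb_fields(meminfo_text)["MemTotal"]
    rss = parse_kb_fields(status_text)["VmRSS"]
    return round(100.0 * rss / total, 2)


def free_memory_kb(meminfo_text):
    return parse_kb_fields(meminfo_text)["MemFree"]


def parse_cpu_ticks(stat_text):
    """Return (idle_ticks, total_ticks) from the aggregate 'cpu' line of
    /proc/stat. Field order: user nice system idle iowait irq softirq [steal ...]."""
    for line in stat_text.splitlines():
        if line.startswith("cpu "):
            fields = [int(x) for x in line.split()[1:]]
            idle = fields[3] + (fields[4] if len(fields) > 4 else 0)  # idle + iowait
            return idle, sum(fields)
    raise ValueError("no aggregate cpu line in /proc/stat text")


def cpu_utilization_pct(stat_before, stat_after):
    """Busy share of the interval between two /proc/stat samples."""
    idle0, total0 = parse_cpu_ticks(stat_before)
    idle1, total1 = parse_cpu_ticks(stat_after)
    elapsed = total1 - total0
    if elapsed <= 0:
        raise ValueError("second sample must be later than the first")
    busy = elapsed - (idle1 - idle0)
    return round(100.0 * busy / elapsed, 2)


def measure_live(pid, interval=1.0):
    """Take the same two readings from a real Linux /proc (not run by the test)."""
    import time
    with open("/proc/stat") as f:
        before = f.read()
    time.sleep(interval)
    with open("/proc/stat") as f:
        after = f.read()
    with open("/proc/meminfo") as f, open(f"/proc/{pid}/status") as g:
        share = memory_share_pct(f.read(), g.read())
    return cpu_utilization_pct(before, after), share


# Constructed samples. MemTotal/MemFree are the totals quoted in Section 6;
# VmRSS is chosen so the share comes out at the paper's 3.5%.
MEMINFO = "MemTotal:        62684 kB\nMemFree:         45336 kB\nBuffers:          1024 kB\n"
STATUS = "Name:\tepss\nVmSize:\t    3100 kB\nVmRSS:\t    2194 kB\n"
# Two /proc/stat samples 1000 ticks apart with 19 busy ticks -> 1.9%, the
# paper's peak CPU figure during execution.
STAT_BEFORE = "cpu  100 0 50 9850 0 0 0\ncpu0 100 0 50 9850 0 0 0\n"
STAT_AFTER = "cpu  114 0 55 10831 0 0 0\ncpu0 114 0 55 10831 0 0 0\n"

if __name__ == "__main__":
    print("memory share: %.2f%%" % memory_share_pct(MEMINFO, STATUS))
    print("free: %d kB" % free_memory_kb(MEMINFO))
    print("cpu: %.2f%%" % cpu_utilization_pct(STAT_BEFORE, STAT_AFTER))
```

On a live system, `measure_live(pid)` takes the two /proc/stat samples one second apart and reads the scanner's status file in between; a "before" reading is simply the same call made while the scanner is not running, which is how the two curves in Figures 5 and 6 are obtained.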

7. CONCLUSIONS

The Embedded Port Scanner System (EPSS) was implemented on an AMD-based TS-5500 Single Board Computer (SBC) provided by Technology System (TS). This low-end embedded platform has many limitations, but it is interesting to find that, regardless of the limited processing power, the system performance on the embedded platform is on par with other port scanners running on a much higher-performance PC. The design approach of an Embedded Port Scanning System can be utilized for network security purposes, and this will help to generate better network intrusion detection systems (port scanning) and increase network security with embedded systems. The implemented Embedded Port Scanner System can provide small-size and low-priced equipment.

REFERENCES

[1] J. P. Anderson, "Computer Security Threat Monitoring and Surveillance", Fort Washington, PA, Apr. 1980. Seminal paper on the use of auditing and logging for security.

[2] J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel and E. Stoner, "State of the Practice of Intrusion Detection Technologies", CMU/SEI-99-TR-028, Jan. 2000.

[3] Eivind Naess, Deborah A. Frincke, A. David McKinnon, David E. Bakken, in Proceedings of the 25th International Conference on Distributed Computing Systems Workshops (ICDCSW'05), IEEE, 2005.

[4] Jichiang Tsai, Chung-Hsin Feng, and Chuyuan Tsai, TENCON 2006, IEEE Region 10 Conference, 14-17 Nov. 2006, pp. 1-4.

[5] TS-5500 PC/104 SBC with AMD 586 Processor. Citing Internet source, URL http://www.embeddedarm.com/epc/ts5500-spec-h.html

[6] S. Staniford, "Containment of Scanning Worms in Enterprise Networks", IEEE INFOCOM, 2002.

[7] N. Weaver, V. Paxson and S. Staniford, "A Taxonomy of Computer Worms", ACM Workshop on Rapid Malcode, 2003.

[8] Agenda and Work Plan, Computer Security Incident Response Team (CSIRT), Florida State University. http://www.security.fsu.edu/csirt mtg

[9] M. D. Schiffman, "Building Open Source Network Security Tools: Components and Techniques", Wiley Publishing, Inc., ISBN 0-471-20544-3, pp. 217-218.

[10] Fyodor. http://www.insecure.org/nmap

[11] V. Paxson, Bro: "A System for Detecting Network Intruders in Real-Time". ftp://ftp.ee.lbl.gov/papers/bro-CN99

[12] D. Hoopes, T. Davis, K. Norman, and R. Helps, "An autonomous mobile robot development platform for teaching a graduate level mechatronics course", Frontiers in Education, 2003, FIE 2003, pp. 17-22.

[13] M. Krishnan, S. Das, and S. A. Yost, "Team-oriented, project-based instruction in a new mechatronics course", Proceedings of IEEE Computer Society Conference on Frontiers in Education, Champaign, IL, USA, 1999, Stripes Publishing L.L.C., pp. 13D4/1-6 vol. 3.

[14] G. S. Sukhatme, J. E. Montgomery and M. J. Mataric, "Design and implementation of a mechanically heterogeneous robot group", Proceedings of SPIE - The International Society for Optical Engineering, 1999, pp. 122-133.