Early Detection of Reconnaissance Attacks on IoT Devices by Analyzing Performance and Traffic Characteristics

Cyber attackers use various techniques to gather information about a target in order to identify the vulnerabilities of the target and plan their attack on the target. The first step in planning an attack is reconnaissance. A simple port scan can reveal a lot of useful information about the target machine. Open source tools like 'nmap' can quickly scan and gather significant information about hosts on the Internet and provide a great insight into these systems. One cannot attack a system that is not visible to them. When a target system does not respond to scans by attackers, that can be an effective 'prevention is better than cure' approach to defense. When a host is actively scanned for multiple open ports by one or more sources, unusual transformations occur in its CPU utilization, the number of incoming and outgoing packets and their average sizes. The purpose of this work is to identify the reliable anomaly markers and demonstrate how they may be used in detecting and preventing reconnaissance scans extremely quickly. We demonstrate promising results for automated early reconnaissance detection and blocking, with live packet capture and analysis. Our proposed solution requires only modest computational resources and can thus operate on resource-constrained Internet of Things (IoT) devices and other embedded systems.