See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/251873688

Embedded Port Scanner (EPSS) System using linux and Single Board Computer

Article · December 2008

DOI: 10.1109/ICED.2008.4786717

CITATIONS READS
0 261

6 authors, including:

Nasim Ahmed Zahereel I. Abdul Khalib

Massey University, Auckland Universiti Malaysia Perlis
82 PUBLICATIONS   423 CITATIONS    31 PUBLICATIONS   59 CITATIONS   

SEE PROFILE SEE PROFILE

R.Badlishah Ahmad Ghossoon M. Waleed

Universiti Malaysia Perlis AMA International University
564 PUBLICATIONS   3,408 CITATIONS    41 PUBLICATIONS   73 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Reconfigurable Antenna View project

PENJURIAN View project

All content following this page was uploaded by Ghossoon M. Waleed on 07 November 2014.

The user has requested enhancement of the downloaded file.

 2008 International Conference on Electronic Design
Embedded Port Scanner (EPSS) System Using Linux and Single Board
Computer
N. Ahmed, Z. I. A. Khalib, R. B. Ahmed, W. M. Ghossoon , Suhizaz Sudin, Salina Asi
School of Computer and Communication Engineering
University Malaysia Perlis
P.O Box 77, d/a Pejabat Pos Besar
0100 Kangar, Perlis, Malaysia
E-mail: nasim751@yahoo.com
Abstract
This paper presents our effort and to realize possible
usage on embedded Linux platform for Intrusion
Detection (Port Scan). The approach was to develop
software which performs port scan using half-open
and udp technique. The software is then executed on a
Linux based Single Board Computer (SBC) which runs
TS-Linux 2.4.23 kernel developed by Technology
System (TS). It is interesting enough to find that
regardless of the limitation of processing power, the
system performance on the embedded platform is at
par with other port scanners running on a much better
performance PC. The findings indicate that low end
embedded Linux platform is suitable for network
security application and it is marketable at a lower
cost with the extra benefit ofportability.
Keywords: Embedded System, Port Scan, Network
defense, Intrusion Detection System.
1. INTRODUCTION
Network Intrusion Detection is the broad
technique of analyzing network traffic to determine
suspicious or harmful events that may undermine the
security of computer network. At present, security is
gaining overwhelming focus within computer network
community. As the number of network intrusions
grows, intrusion defense mechanisms are required to
urgently provide a secured network environment.
Intrusion detection systems (IDS) play an important
role in intrusion defense because the malicious
intrusions need to be identified first. Deploying IDS in
the network has the benefit of minimizing the reaction
time upon intrusions detection. Therefore research on
IDS has recently becomes an important direction in
network security [1,2]. To deploy IDS successfully on
embedded hardware with known issues of resource
constraint is not easy since assurance of accuracy,
efficiency/timeliness, scalability and power-awareness
978-1-4244-2315-6/08/$25.00 ©2008 IEEE.
Authorized licensed use limited to: Universiti Malaysia Perlis. Downloaded on June 30, 2009 at 01:01 from IEEE Xplore. Restrictions apply.
December 1-3, 2008, Penang, Malaysia
is a must for any IDS [3]. In order to detect an attack
the network detection mechanism of an operating
system needs to be enhanced. Nowadays, Linux has
become one of the most popular operating systems
since it is costless open source. As a result, Linux
operating system has been adopted in many gateways.
[4]. Embedded system has become ubiquitous. Many
systems and important devices have emerged, such as
wireless networks, PDAs and phones. An embedded
system is a system that is designed to serve a specific
task. It comprises of hardware and software
participating. Almost all embedded systems come with
compact size, so users are able to use them as
additional parts of other devices or construct specific
applications with them. Usage of embedded systems
has many advantages such as high efficiency, long life
usage, and less energy consumption. Usage Single
Board Computer (SBC) is one of the embedded
systems which are produced by Technology System
(TS) [5].
Port scanning is one of the most popular
reconnaissance techniques attackers use to discover
services. Many attackers perform port scan as a
beginning to find out vulnerable hosts to compromise.
Detecting such port scans indicates incoming network
intrusions. Besides, recent worm epidemics, such as
Code Red-II, Nimda, etc, scan other vulnerable hosts
for propagation [6, 7]. A Network administrator can
prevent viruses from spreading by detecting those port
scans and then prohibiting them. A port scan is
typically initiated by sending some packets from same
source and a same port to various destinations and
ports. If any destination has a service listening on the
scanned port, a connection is established and a reply is
sent back. From the reply, the attacker (or the worm)
can know whether a service is available on the
scanned port. It will then exploit the security problems
of the service for further intrusion. There are two
access patterns of port scans, horizontal (multiple
destinations, same ports) and vertical (same
destination, multiple ports). To detect port scans early
1
 and prevent their further damage, many networks
employ Network Intrusion Detection Systems (NIDS)
at network entrances. One of the popular methods for
finding susceptible hosts is port scanning. Port
scanning can be defined as "hostile Internet searches
for open 'doors', or ports, through which intruders gain
access to computers." [8]. Port scanning can be use for
a wide variety of applications, including network
mapping, service discovery and security scanning. The
network administrator uses port scanning technique to
determine what network-aware applications are
running on the network. The security consultant uses
the port scanning technique to find potential security
issues and violations [9].
The remainder of this paper is organized as
follows: Section 2 describes the port scanning activity
and detection methods. Section 3 describes the overall
system overview. Architecture of the system is
described in section 4. Section 5 describes the
embedded system TS-5500. Sections 6 summarize the
results and performance of the new system. Lastly
section 7 provides the conclusion.
2. RELATED WORK
Port scanning is a technique for discovering host's
weaknesses by sending port probes. Although
sometimes used by system administrators for network
exploration, port scanning generally refers to scans
carried out by malicious users seeking out network
vulnerabilities. The negative effects of port scans are
numerous and range from wasting resources, to
congesting the network, to enabling future more
serious attack. There is a plethora of tools that aim to
determine a system's weaknesses and determine the
best method for an attack. The best known and
documented tool is nmap by Fyodor [10]. Nmap uses a
variety of active probing techniques and changes the
packet probe options to determine a host's operating
system. Nmap offers its users the ability to randomize
destination IPs and change the order of timing
between packets.
Several port scan detection mechanisms have
been developed and are commonly included as part of
intrusion detection systems. However, many of the
detectors are easy to evade since they use simple rules
that classify a port scan as more than X distinct probes
within Y seconds from a single source. Typically, the
length of Y is severely limited to keep the amount of
state manageable. Spice, a tool developed at Silicon
Defense, tries to avoid this drawback. Spice maintains
records of event likelihood, from which it generates
Authorized licensed use limited to: Universiti Malaysia Perlis. Downloaded on June 30, 2009 at 01:01 from IEEE Xplore. Restrictions apply.
anomalousness score, which are stored longer, while
state for unsuspicious packets is safely discarded. This
heuristic allows Spice to detect stealthy port scans
while still being operationally practical. Another
approach is employed by Vern Paxon in Bro and
emphasizes real time performance and notification, as
well as clear separation between mechanism and
policy [11].
3. SYSTEM ARCHITECTURE
A. Overview (EPSS)
This system is called Embedded Port Scanner
System (EPSS) which is used for network security
(Network Intrusion Detection) purpose. Figure 1
shows an overview of the Embedded Port Scanner
System. Efficiency of size, weight, cost,
interchangeability, and consistency are the major
factors [12] which leads to the selection of embedded
PC as the hardware platform for the system. The
embedded PC standard, a commonly-used robotic
development platform [13][14], specifies a main board
of approximately 4 by 4 inches that houses a
processor, memory and the basic chipset needed to
function as a standalone embedded computer capable
of functioning with only a separate power supply and
whatever outside input or output devices the
application calls for. The embedded PC allows the use
of an 802.11b (Wi-Fi) and wired Ethernet that
provides high-speed two way communication link
between the system and PC Database Server.
The embedded PC itself is portable and can be
used for various purposes such as network based
identification system on human face, robot vision
platform and embedded web server. Utilizing Linux
based embedded PC allows us to manipulate the
availability of open source resources such as libraries,
kernels and drivers in developing and implementing
this system. The embedded PC comes with TS-Linux
OS, which also include TCP/IP network protocol. This
allows network centric applications to be easily
developed and implemented. It can also perform
internal comparison of the verification if users
database are available on the embedded PC. This is
useful if the size of user database is small and it will
not involve any communication with external
databases. The only issue is the speed of the
processing of the verification, which is slow compared
to the network based due to the low processing speed
of the embedded PC. However this can be improved
by using high speed embedded PC boards.

Internet
Figure 1. Embedded port scanner overview
Embedded port scanner is designed to operate as a
Network Intrusion Detection platform that scans the
network for all well known ports.
B. Software Framework
The main idea is to develop an embedded system
of Network Security (Intrusion Detection). The
approach proposed was the use of an embedded
system (Embedded PC) for controlling the external
devices such as Universal Serial Bus (USB), LCD
panel and matrix keypad and connectivity. The control
was executed via ANSI-C software coded on top of an
open source operating system (GNU/Linux).
Port Scan
(Active leoom.aissance)
P.ccket S:niff
(passive ncomaissance)
Figure 2. Overall software architecture
Authorized licensed use limited to: Universiti Malaysia Perlis. Downloaded on June 30, 2009 at 01:01 from IEEE Xplore. Restrictions apply.
The software code is portable to a desktop system for
integration with other software components such as
network security (IDS/IPS) software. Keypad module
is required in order to perform the task. The software
code is portable to a small embedded system without
the need of the specific 32 bit embedded PC or
without the use of 32 bit embedded PC based system.
The software works in any platform where Linux
kernel has been ported. The software code is written to
work regardless of any limitation of the hardware
platform such as slow processing speed.
5. THE HARDWARE PLATFORM
Looking into focus of this paper, which is to
evaluate the practicality of a low-end Embedded Linux
Platform for a relatively average speed computer
network application, we thus opted for the TS 5500
Single Board Computer. The board comes with TS-
Linux 3.07 (2.4.23 kernel) operating system. Network
support is one important feature of this 32 bit
embedded PC technology. TS5500 has one RJ45 port
and support standard network by supported Telnet and
file transfer protocol (FTP). But it does not support
Secure Shell (SSH) function. Furthermore, the Secure
Copy (SCP) is allowed in this model by activating the
dropbear functions provide by TS Linux. The board
comes with an AMD Elan 520 (x86 compatible)
processor that runs at 133MHz as well as 64 MB of
RAM. It also has a Type 1 Compact Flash card reader,
USB, PCMCIA a 10/100Base-T Ethernet interface and
an alphanumeric LCD and keypad interface.
COM
PON
ENT
Figure 3. Embedded system single board computer
(SBe)
6. RESULTS AND DISCUSSION
Embedded Port Scanner (EPS) has been
implemented on Linux 2.4.23 Single Board Computer
(SBC), using C as the programming language.
 Developing EPS for Intrusion Detection has the
benefit that the system modules are natively more 2.------------------.
1.8
secure with substantially good system performance. In
1.6
addition, a lot of legacy C library code can be easily 1.4
ported. The experiment, presents the performance of 1.2
the new Embedded Port Scan System (EPSS). The 1
performances of the new system are tested by 0.8
comparison of the CPU status and used of memory 0.6
before executing the program and at the time of 0.4
execution. Total memory of the new system is 62684 0.2
k. The new source code total file size is 6.0k and the O+----r----,--,..-----,--....,.----r---,--~---l

object file size is 25k. The object file was generated o 10 20 30 40 50 60 70 80 90

under chroot environment on Ubuntu Linux desktop.
The rest of the memory 45336k space is free. The new
system has been tested on our lab gateway. Table 1 Figure 5. CPU status at the time and before execute
shows the detail results which compare our system program
(EPSS) with other well known desktop windows based
port scanning software. Fig. 6 illustrates the memory used before and at the
time of executing the program. Our new system is 16-
bit. At the time of program execution it does not
Table 1. Comparison of EPSS and other port scan
allocate enough memory. The new software takes (3.5
software
%) of memory space out of the total memory space
Name of Software Total Port Total Time (62684 k). The rest of the memory space (45336 k) is
Embedded Port Scanner 100 81 Sec free.
System (EPSS)
Network Active Port Scan 100 120 Sec
(PC-Based) 3.5 - , - - - - - - - - - - - - - - - - - .

Advance Port Scanner (PC- 100 71 Sec

Based)
NMAP (PC-Based) 100 63Sec 2.5

Figure 5 illustrates the experimental result. This graph 1.5

shows the CPU status before execution and at the time
of execution of the program. At the execution time
maximum CPU utilization is 1.9% which is 1.3% at 0.5
no-execution time. For scan 100 ports the new system O-t-----r--....,.---r----r----r---,----,..---,...---;

takes 81 second respectively. For the experiment we o 10 20 30 40 50 60 70 80 90

used various techniques for all types and number of
ports (well known 0-1023, Registered Ports 1024-
49151 and Dynamic or Private 49152-65535). Table 2
shows the detail results. Figure 6. Memory used at the time and before
execute program
Table 2. Various techniques of scanning
Name of Total Port Time IP 7. CONCLUSIONS
Technique
TCPSYN 1024 33 min 10.172.1.90 The Embedded Port Scanner system (EPSS) was
TCPFIN 1024 30 min 10.172.1.90 implemented on a AMD based TS-5500 Single Board
TCPXMAS 1024 31min 10.172.1.90 Computer (SBC) provided by Technology System
UDP 1024 39 min 10.172.1.90 (TS). This low-end embedded platform has many
limitations but it is interesting enough to find that
regardless of the limitation of processing power, the
system performance on the embedded platform is at
par with other port scanners running on a much better
performance PC. The design approach of a Embedded

Authorized licensed use limited to: Universiti Malaysia Perlis. Downloaded on June 30, 2009 at 01:01 from IEEE Xplore. Restrictions apply.
 Port Scanning System would be utilize for network International Society for Optical Engineering, 1999, pp 122-
security purpose and this will help to generate better 133.
network intrusion detection systems (port scanning)
and increase network security with embedded system.
The implemented Embedded Port Scanner System can
provide a small size and low-priced equipment.

REFERENCES
[1]. J. P. Anderson, "Computer Security Threat Monitoring
and Surveillance", Fort Washington, PA, Apr. 1980. Seminal
paper on the use of auditing and logging for security.
[2]. J. Allen, A. Christie, W. Fithen, J, McHugh, J, Pickel
and E. Stoner, "State of the Practice of Intrusion Detection
Technologies", CMU/SEI-99-TR-028, Jan, 2000.
[3]. Eivind Naess, Debroah A. Frincke, A. David Mckinnon,
David E. Bakken. "In procedding 25 th International
Conferrence on Distributed Computing System Workshops
(ICDCSW'05)", IEEE, 2005.
[4]. Jichiang Tsai, Chung-Hsin Feng, and Chuyuan Tsai "
TENCON 2006, IEEE Region 10 Conference 14-17 Nov.
2006 page (s): 1-4.
[5]. TS-5500 PC/I04 SBC with AMD 586 Processor. Citing
Internet Source, URL
http://www.embeddedarm.comlepc/ts5500-spec-h.html
[6] S. Stainford, "Containment of Scanning Worms in
Enterprise Networks", IEEE, INFOCOM, 2002.
[7] N. Weaver, V. Paxson and S, Stainford, "A Taxonomy of
Computer Worms", ACM Workshop of Rapid Malcode,
2003.
[8] Agenda and Work Plan. Computer Security Incident
Response Team (CSIRT), Florida State
University,. http://www.security.fsu.edu/csirt mtg
[91 M. D. Schiffman. "Building Open Source Network
Security Tools Components and Technique". Wily
Publishing. Inc. ISBN 0-471-20544-3. pp 217-218.
[101 Fyodor. http://www.insecure.org/nmap
[Ill V. Paxon. Bro. "A System for Detecting Network
Intruders in Real-Time". ftp://ftp.ee.lbl.gov/papers/bro-
CN99

fI21 D. Hoopes. T. Davis. K. Norman. and R. Helps. "An

autonomous mobile robot development platform for teaching
a graduate level mechatronics course". Frontiers in
Education. 2003. FIE 2003. pp. 17-22.
[13] M. Krishnan, S. Das, and S.A. Yost, "Team-oriented,
project-based instruction in a new mechatronics course",
Proceedings of IEEE Computer Society Conference on
Frontiers in Education, Champaign, IL, USA, 1999, Stripes
Publishing L.L.C., pp. 13D4/1-6 vol.3.
[14] G S. Sukhatme, J.E Montgomery and MJ. Mataric,
"Design and implementation of a mechanically
heterogeneous robot group", Proceedings of SPIE - the

Authorized
View publication stats licensed use limited to: Universiti Malaysia Perlis. Downloaded on June 30, 2009 at 01:01 from IEEE Xplore. Restrictions apply.