
TCP XMAS SCAN USING PATTERN ANALYSIS TECHNIQUES

VISVESVARAYA TECHNOLOGICAL UNIVERSITY


“JNANA SANGAM”, BELAGAVI-590018

MINI PROJECT ON COMPUTER NETWORKS (21CS52) BASED ON


WIRESHARK TOOL

REPORT ON

“TCP Xmas scan using pattern analysis techniques”


Submitted in partial fulfilment of the requirements of Internal assessment – Assignment
For the award of degree of
Bachelor of Engineering
In

Computer Science and Engineering


By
K SREE SAI

1KS21CS051
Under the guidance of
Dr. Rekha B Venkatapur,
Professor and Head, CSE

Department of Computer Science & Engineering


K.S. INSTITUTE OF TECHNOLOGY
#14, Raghuvanahalli, Kanakapura Main Road, Bengaluru-560109

K.S.INSTITUTE OF TECHNOLOGY
#14, Raghuvanahalli, Kanakapura Main Road, Bengaluru-560109

Department of Computer Science & Engineering

CERTIFICATE
This is to certify that mini project work entitled “TCP XMAS SCAN USING PATTERN
ANALYSIS TECHNIQUES” carried out by Team No. 1 of fifth Semester A section K.S.
Institute of Technology in the partial fulfilment for the award of the Bachelor of Engineering
in Computer Science & Engineering of the Visvesvaraya Technological University,
Belagavi, during the year 2023-24. It is certified that all corrections/suggestions indicated for
Internal Assessment of Computer Networks (21CS52) Course assignment have been
incorporated in the report deposited in the departmental library. The mini project report has
been approved as it satisfies the academic requirements in respect of Mini Project work
prescribed for the said degree for the 5th semester.

Dr. Rekha B. Venkatapur                                   Dr. Dilip Kumar K


Prof & HOD, CS & E Department Principal/Director, KSIT

ACKNOWLEDGEMENT

We take this opportunity to thank everyone involved in making this project. We would
like to thank the college for providing us an opportunity to work on the project.

We would like to thank the management of K.S.Institute of Technology for providing all
the required resources for the project.

We would like to thank our faculty of Computer Networks course and Head of the
Department of Computer Science and Engineering, Dr. Rekha B Venkatapur.

We also thank all the other teaching and non-teaching staff members for supporting
and cooperating while making the project.

Team No. 1

Members
Sl. No. USN Name
1 1KS21CS051 Kongara Sree Sai
(Team Leader)
2 1KS21CS001 A Ramya Sree
3 1KS21CS003 Abhilasha V
4 1KS21CS004 Abhiram K
5 1KS21CS005 Abhiram YS
6 1KS21CS006 Adithi R
7 1KS21CS007 Adithi S Reddy
8 1KS21CS009 Afifah Ayesha Bijli
9 1KS21CS010 Aishwarya G
10 1KS21CS011 Akshay Vivekananda B
11 1KS21CS012 Ananya Prasad S
12 1KS21CS013 Archana P
13 1KS21CS015 Arthan M Gowda
14 1KS21CS016 Asha H P
15 1KS21CS017 Ashwini
16 1KS21CS018 B G Prajwal
17 1KS21CS020 Bhavana B
18 1KS21CS021 Chaitra M
19 1KS21CS022 Charishma A

ABSTRACT

A TCP Xmas scan is a stealthy port scanning technique employed by attackers to probe target
systems for open ports. It works by sending TCP segments with the FIN, URG and PSH flags
set and no SYN, ACK or RST, and relies on RFC 793 behaviour: a closed port must answer
such a segment with a RST, while an open port silently discards it. No handshake is ever
begun, so stateless packet filters and logs that only record SYN packets see nothing. While
traditional detection methods focus on signature-based approaches tied to connection setup,
they often fail to identify Xmas scans for this reason, even though the flag combination itself
never occurs in legitimate traffic.

This paper proposes a novel approach to detecting TCP Xmas scans through pattern analysis.
By examining the unique patterns of network traffic generated by Xmas scans, our method aims
to unveil these covert activities amidst legitimate network traffic. Leveraging machine learning
algorithms and statistical analysis, we extract distinctive features from network packets
associated with Xmas scans and train a detection model capable of accurately identifying such
malicious behavior.

Through experimentation on diverse network datasets, we demonstrate the effectiveness of our


proposed approach in detecting TCP Xmas scans with high precision and recall rates.
Furthermore, we evaluate the resilience of our method against evasion techniques commonly
employed by attackers to evade detection.

Overall, this research contributes to the enhancement of network security by providing a


proactive defense mechanism against stealthy intrusions facilitated by TCP Xmas scans. By
incorporating pattern analysis into intrusion detection systems, organizations can better
safeguard their networks from emerging cyber threats and mitigate the risks associated with
unauthorized access and data breaches.

CONTENTS

1. INTRODUCTION

2. PROJECT SCOPE

3. HARDWARE & SOFTWARE


• Software Setup

4. UNDERSTANDING TCP XMAS SCAN USING PATTERN ANALYSIS


TECHNIQUES

5. TCP XMAS SCAN USING PATTERN ANALYSIS TECHNIQUES SIMULATION


• Step-by-Step Process

6. ANOMALY DETECTION USING WIRESHARK & PYTHON

7. LAB SETUP & TOPOLOGY

8. TCP XMAS SCAN USING PATTERN ANALYSIS TECHNIQUES GENERATION

9. SNAPSHOTS

10. CONCLUSION

11. FUTURE SCOPE AND ENHANCEMENT

12. REFERENCES

13. USER GUIDE


• VirtualBox
• Ubuntu
• Wireshark

14. PRESENTATION

1.INTRODUCTION

In the realm of cybersecurity, understanding the intricacies of network scanning techniques is


paramount to fortifying digital defenses. Among these techniques, TCP Xmas scan stands out
as a stealthy and sophisticated method employed by both attackers and defenders alike.
Leveraging the subtleties of TCP protocol behaviour, a TCP Xmas scan seeks to unveil
potential vulnerabilities within a target network without arousing suspicion.

At its core, a TCP Xmas scan operates by sending TCP packets with specific flags set: the FIN,
URG, and PUSH flags, often likened to the flickering lights of a festive Xmas tree. Unlike
conventional network scans that rely on established connections or predictable responses, the
TCP Xmas scan exploits the nuances of TCP protocol interpretation, aiming to elicit unique
reactions from targeted systems.

Pattern analysis emerges as a formidable tool in deciphering the cryptic signals of TCP Xmas
scans. By scrutinizing the patterns embedded within network traffic, security analysts can
discern anomalous behaviours indicative of scan activities. Through meticulous examination
of packet sequences, timing intervals, and response deviations, pattern analysis unveils the
clandestine footsteps of potential threats traversing the digital landscape.
This paper embarks on an exploratory journey into the realm of TCP Xmas scans, delving deep
into the methodology of pattern analysis to decode their elusive signatures. By dissecting the
underlying principles of TCP protocol intricacies and scrutinizing the patterns woven into
network traffic, we aim to equip cybersecurity professionals with the knowledge and tools
necessary to detect and mitigate the stealthy incursions of TCP Xmas scans.

Join us as we unravel the mysteries of network scanning through the lens of pattern analysis,
shedding light on the shadows cast by TCP Xmas scans and empowering defenders to
safeguard the integrity of their digital domains.


2.PROJECT SCOPE:
The scope of this project is to develop a novel approach for detecting TCP Xmas scans through
pattern analysis techniques. TCP Xmas scan is a stealthy port scanning method where an
attacker sends packets with the FIN, URG, and PUSH flags set, targeting ports on a remote
system. Traditional detection methods may struggle to identify these scans due to their minimal
footprint and evasion tactics. This project will leverage pattern analysis techniques, including
anomaly detection algorithms and machine learning models, to analyze network traffic patterns
and identify signatures indicative of TCP Xmas scans. By training the system on known attack
patterns and normal network behaviours, it will be able to accurately detect and classify TCP
Xmas scan attempts, thereby enhancing network security and thwarting potential threats.

The project scope involves several key phases, including data collection, feature extraction,
model training, and evaluation. Initially, network traffic data will be collected from various
sources, including packet captures and network logs. Next, relevant features will be extracted
from the data, such as packet header information, traffic volume, and temporal patterns. These
features will then be used to train machine learning models, such as decision trees, support
vector machines, or neural networks, to distinguish between normal network activity and TCP
Xmas scan attempts. Finally, the performance of the developed models will be evaluated using
metrics such as accuracy, precision, recall, and F1 score, ensuring their effectiveness in real-
world scenarios. The ultimate goal of this project is to provide network administrators with a
reliable and efficient tool for detecting TCP Xmas scans and enhancing the security posture of
their networks.


3 .HARDWARE & SOFTWARE

Performing a TCP Xmas scan involves sending TCP segments with the FIN, URG and PSH
flags set (and no SYN, ACK or RST) to selected ports on a remote system. A port that answers
with a RST is closed. A port that stays silent is reported as open|filtered, because an open port
on an RFC 793-compliant stack drops the segment and a firewall that discards it produces the
same silence; an ICMP unreachable reply marks the port as filtered. Pattern analysis is applied
to these responses on the scanner side, and to the probe packets themselves on the defender
side.

Hardware and Software Requirements:

Hardware:
1. Computer or server: You'll need a computer or server capable of running the necessary
software and tools.
2. Network interface card (NIC): Ensure your computer has a functional NIC to communicate
with the target system over the network.
3. Network connection: Connect your computer to the network where the target system
resides, either through Ethernet or Wi-Fi.

Software:
1. Operating System: Choose an operating system compatible with the tools you'll be using.
Common choices include Linux distributions like Kali Linux, Parrot Security OS, or Ubuntu.
2. Nmap: Nmap (Network Mapper) is a powerful open-source network scanning tool that
supports various scanning techniques, including TCP Xmas scans. It's available for Linux,
Windows, and macOS. You can install Nmap from the official website or your distribution's
package manager.
3. Wireshark: Wireshark is a network protocol analyzer that allows you to capture and analyze
network traffic in real-time. It can help you inspect the responses received during the TCP
Xmas scan. Wireshark is available for multiple platforms, including Linux, Windows, and
macOS.
4. Packet crafting tools: Optionally, a packet crafting tool such as Scapy (Python; Linux,
macOS and Windows) or hping3 (Linux and BSD) can be used to build and send TCP segments
with exactly the flags you want, which is useful for reproducing a single probe under Wireshark.


4. UNDERSTANDING TCP XMAS SCAN:


Understanding a TCP Xmas scan involves grasping the unique characteristics of the TCP Xmas
scan technique and how it differs from other types of port scanning. Let's break it down:

1. TCP Xmas Scan Overview:


- A TCP Xmas scan is a type of port scanning method used to determine the state of a port on
a target system.
- It's called "Xmas" because it sets the FIN, URG, and PSH flags in the TCP header (and no
SYN, ACK or RST), lighting up the flag field like the blinking lights of a Christmas tree.
- RFC 793 requires a closed port to answer any segment that lacks a RST with a RST of its own,
while an open port silently discards a segment that carries no SYN, RST or ACK. So a RST
means the port is closed; no response means the port is open or the probe was dropped by a
filter on the way, which Nmap reports as open|filtered; an ICMP unreachable error means the
port is filtered.
- Caveat: some stacks do not follow the RFC and send a RST for every probe (Microsoft
Windows and many Cisco devices among them, as the Nmap documentation notes), so a scan
in which every port comes back closed is inconclusive rather than informative.

2. Pattern Analysis Techniques:


- Analyzing the flag field of TCP packet headers is the core of detecting a TCP Xmas scan.
- Unlike regular TCP packets, a TCP Xmas scan packet has the FIN, URG and PSH flags all
set to 1 and SYN, ACK and RST all set to 0; no legitimate stack produces this combination.
- In Wireshark the display filter tcp.flags == 0x029 (equivalently tcp.flags.fin == 1 &&
tcp.flags.push == 1 && tcp.flags.urg == 1) isolates these packets in a capture, so analysts can
see at once which source is probing which ports.
- Anomaly detection systems and intrusion detection/prevention systems (IDS/IPS) match the
same flag pattern, usually combined with a count of distinct ports probed by one source within
a short time window, so that they alert on a port sweep rather than on every single packet.

3. Detection and Response:


- Network administrators and security personnel use pattern analysis techniques to detect TCP
Xmas scans in real-time or during post-event analysis.
- Upon detection of a TCP Xmas scan, appropriate responses may include:
- Blocking the IP address of the scanning source.
- Logging the incident for further investigation.
- Implementing firewall rules to prevent similar scan attempts.
- Notifying relevant stakeholders about the attempted scan.


4. False Positives and Tuning:


- While pattern analysis is effective in detecting TCP Xmas scans, potential false positives still
need attention.
- No normal TCP stack emits a segment with FIN, PSH and URG set and ACK clear, so a single
matching packet is already a strong indicator; the realistic sources of false alarms are corrupted
captures, protocol fuzzers and lab tools, and authorised scans from the organisation's own
vulnerability scanner, which should be allow-listed rather than suppressed.
- Fine-tuning detection rules (for example alerting on a source that probes a minimum number
of distinct ports within a short window, rather than on any single packet) and thresholds based
on the network environment can help minimize false positives while maintaining effective
detection of malicious activities.
Understanding TCP Xmas scans through pattern analysis techniques empowers network
defenders to identify and respond to potential security threats effectively. Continual refinement
of detection mechanisms based on evolving attack techniques is crucial in maintaining robust
network security posture.


5. TCP XMAS SCAN USING PATTERN ANALYSIS


TECHNIQUES SIMULATION:
A TCP Xmas scan is a type of port scanning method used by attackers to find open ports on a
target system. The attacker sends TCP packets with the FIN, URG, and PSH flags set (and no
SYN, ACK or RST) to the target. If a port is closed, the target responds with a TCP RST (reset)
packet. If the port is open, an RFC 793-compliant stack sends nothing back; because a firewall
that drops the probe also produces silence, Nmap reports a silent port as open|filtered rather
than open, and a port that draws an ICMP unreachable reply as filtered.

STEP BY STEP SIMULATION PROCESS:

1. Crafting the TCP Xmas packets:


We'll use Nmap to craft and send the TCP Xmas packets. Raw-packet scans need root
privileges, so the command is:

sudo nmap -sX 192.168.1.100

This tells Nmap to send one FIN+PSH+URG segment to each of its default ports on the target
IP address and classify the replies; add -p- to cover all 65535 ports, or -p 22,80,443 for
specific ones.

2. Analyzing the responses:


After sending the packets, we'll analyze the responses. A TCP RST packet means the port is
closed. No response means the port is open or filtered (Nmap prints open|filtered), and an
ICMP unreachable message means the port is filtered.

3. Interpreting the results:


Once the scan is complete, we'll read the results to determine which ports are open on the
target system. Ports that sent a TCP RST packet are closed. Silent ports are open|filtered: they
are the candidates for open ports, but they cannot be called open from this scan alone. If every
port comes back closed, the target stack most likely answers every Xmas probe with a RST
(Windows and many Cisco devices do), and the scan has revealed nothing.

4. Verifying the findings:


To verify the findings, follow up the open|filtered ports with a SYN scan (sudo nmap -sS -p
<ports> <target>), use an ACK scan (-sA) to separate filtered from unfiltered ports, or confirm
a service manually with a client such as nc or telnet.


6. ANOMALY DETECTION USING WIRESHARK AND


PYTHON
Detecting anomalies in network traffic using Wireshark and Python can be achieved through
various techniques, including pattern analysis. One common anomaly detection method
involves analyzing TCP Xmas scans, which are a type of port scanning technique used by
attackers to identify open ports on a target system. Here's a basic outline of how you could
implement this using Wireshark for packet capture and Python for analysis:

1. Packet Capture with Wireshark:


Use Wireshark to capture network traffic on the desired interface. You can apply filters to
capture only TCP packets or specific traffic of interest.

2. Identify TCP Xmas Scans:


Analyze the captured packets to identify TCP Xmas scans. Xmas scans are characterized by
TCP packets with the FIN, URG, and PSH flags set and no SYN, ACK or RST. The Wireshark
display filter tcp.flags == 0x029 shows only packets matching this pattern.

3. Extract Relevant Data:


Extract relevant information from the captured packets, such as source IP addresses, destination
IP addresses, source ports, destination ports, and any other relevant metadata.

4. Analyze Patterns:
Use Python to analyze the extracted data for patterns indicative of TCP Xmas scans. This could
involve looking for repeated scans from the same source IP address, scanning of unusual port
ranges, or other suspicious behaviour.

5. Generate Alerts:
Implement logic in your Python script to generate alerts or notifications when potential TCP
Xmas scans are detected. This could involve logging the details of the suspicious activity or
sending alerts to a monitoring system.

6. Further Investigation:

Investigate any detected anomalies further to determine if they represent legitimate network
activity or potential security threats. This may involve correlating the detected scans with other
security events or conducting additional analysis.

Here's a basic Python script outline for analyzing captured packets using the Scapy library:

from scapy.all import IP, TCP, rdpcap

# FIN (0x01) + PSH (0x08) + URG (0x20) = 0x29; SYN, ACK and RST are all clear
XMAS_FLAGS = 0x29

def analyze_packets(pcap_file):
    packets = rdpcap(pcap_file)
    for packet in packets:
        # Only IPv4/TCP packets carry the fields printed below
        if packet.haslayer(IP) and packet.haslayer(TCP):
            if packet[TCP].flags == XMAS_FLAGS:
                print("Potential TCP Xmas scan detected:")
                print("Source IP:", packet[IP].src)
                print("Destination IP:", packet[IP].dst)
                print("Source Port:", packet[TCP].sport)
                print("Destination Port:", packet[TCP].dport)
                print("")

if __name__ == "__main__":
    pcap_file = "captured_traffic.pcap"
    analyze_packets(pcap_file)

This script uses the Scapy library to read packets from a pcap file and identifies potential TCP
Xmas scans based on the presence of specific TCP flags. You can extend this script to include
additional analysis and alerting logic as needed.
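
The script above flags individual packets. The sketch below is added here as an illustration
and is not part of the original project: it carries the pattern analysis of steps 4 and 5 further
by grouping Xmas probes by (source, destination) over a sliding time window and raising one
alert when a source has probed at least a minimum number of distinct ports, which is what
separates a port sweep from a single stray packet. It works on plain Python records instead of
Scapy packets so it runs without a capture file; the traffic, the hosts 10.0.0.5, 10.0.0.7,
10.0.0.9 and 192.168.1.100, and the thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# TCP flag bits as they appear in the low byte of the TCP header flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # 0x29: the flag combination an Xmas probe carries


@dataclass(frozen=True)
class Packet:
    """Minimal per-packet record, as one might export from Wireshark/tshark (constructed here)."""
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: int     # TCP flags byte


def is_xmas(flags: int) -> bool:
    """True when exactly FIN, PSH and URG are set among the six classic flags."""
    return (flags & 0x3F) == XMAS


class XmasScanDetector:
    """Per (src, dst) sliding window over Xmas probes; alerts once per pair."""

    def __init__(self, window_s: float = 10.0, min_ports: int = 10):
        self.window_s = window_s          # assumed thresholds, tune per environment
        self.min_ports = min_ports
        self._probes = defaultdict(deque)  # (src, dst) -> deque of (ts, dport)
        self._alerted = set()

    def process(self, pkt: Packet):
        """Feed one packet in timestamp order; returns an alert dict or None."""
        if not is_xmas(pkt.flags):
            return None
        key = (pkt.src, pkt.dst)
        window = self._probes[key]
        window.append((pkt.ts, pkt.dport))
        # Drop probes that fell out of the time window
        while window and pkt.ts - window[0][0] > self.window_s:
            window.popleft()
        distinct_ports = {dport for _, dport in window}
        if len(distinct_ports) >= self.min_ports and key not in self._alerted:
            self._alerted.add(key)
            return {
                "src": pkt.src,
                "dst": pkt.dst,
                "probes": len(window),
                "distinct_ports": len(distinct_ports),
                "first_ts": window[0][0],
                "last_ts": pkt.ts,
            }
        return None


def run_detector(packets, **detector_args):
    """Replay a packet list through the detector and collect its alerts."""
    detector = XmasScanDetector(**detector_args)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alert = detector.process(pkt)
        if alert:
            alerts.append(alert)
    return alerts


def constructed_traffic():
    """Constructed sample: one normal HTTP session, one Xmas sweep, one stray probe."""
    target = "192.168.1.100"
    pkts = [
        Packet(0.00, "10.0.0.7", target, 51000, 80, SYN),
        Packet(0.01, target, "10.0.0.7", 80, 51000, SYN | ACK),
        Packet(0.02, "10.0.0.7", target, 51000, 80, ACK),
        Packet(0.03, "10.0.0.7", target, 51000, 80, PSH | ACK),
        Packet(0.50, "10.0.0.7", target, 51000, 80, FIN | ACK),
    ]
    # Sweep: 20 Xmas probes from 10.0.0.5 to ports 20-39 over two seconds,
    # each followed by the RST a closed port sends back
    for i in range(20):
        pkts.append(Packet(1.0 + i * 0.1, "10.0.0.5", target, 40000, 20 + i, XMAS))
        pkts.append(Packet(1.0 + i * 0.1 + 0.001, target, "10.0.0.5", 20 + i, 40000, RST | ACK))
    # A single Xmas packet from another host: suspicious, but not a sweep
    pkts.append(Packet(5.0, "10.0.0.9", target, 33000, 443, XMAS))
    return pkts


if __name__ == "__main__":
    for alert in run_detector(constructed_traffic()):
        print("Xmas sweep: %(src)s -> %(dst)s, %(distinct_ports)d ports in %(probes)d probes" % alert)
```

With the default thresholds only 10.0.0.5 raises an alert, at the tenth distinct port; the
single probe from 10.0.0.9 stays below the threshold and would be left to step 6's manual
investigation. Keying the window on (source, destination) rather than source alone keeps a
host that scans many targets from being counted as one sweep and is easy to change if the
opposite is wanted.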


7. LAB SETUP AND TOPOLOGY:


Setting up a lab environment to perform a TCP Xmas scan using pattern analysis techniques
involves creating a simulated network environment and using network scanning tools to
analyze the responses. Here's how you can set it up:
Lab Setup:
1. Virtualization Environment: Set up a virtualization platform like VirtualBox or VMware
to create virtual machines (VMs) for your lab.

2. Operating Systems: Create multiple virtual machines with different operating systems to
simulate a network environment. You might want to use Linux distributions like Kali Linux,
Ubuntu, and Windows for variety.

3. Network Configuration: Configure the network settings for your virtual machines. You
can use NAT, Host-Only, or Bridged networking to connect the VMs based on your
requirements.

4. Firewall Configuration: Ensure that firewalls on the VMs are configured to allow inbound
and outbound traffic for the scanning tools you'll be using.

5. Tools Installation: Install the necessary tools for performing network scans, such as Nmap,
Wireshark, and any additional tools for pattern analysis.

Topology:

For a basic lab setup, we can create a simple network topology with at least three VMs:

1. Attacker Machine: This VM initiates the TCP Xmas scan and performs pattern analysis
on the responses.

2. Target Machine: This VM is the target of the TCP Xmas scan. Run a few listening services
on it (for example SSH and a web server) so that the capture contains both open ports, which
stay silent, and closed ports, which answer with RST; the services need not be vulnerable.

3. Monitoring Machine: Optionally, a third VM monitors network traffic with Wireshark to
capture the probes and responses. On VirtualBox the monitoring VM only sees the other VMs'
traffic when all three share an internal or host-only network and promiscuous mode is allowed
on that adapter.


TCP Xmas Scan Crafting:


Once your lab environment is set up, you can perform the TCP Xmas scan using Nmap, a
popular network scanning tool. Here's how you can do it:

1. Open a terminal on the attacker machine.


2. Use Nmap to perform the TCP Xmas scan against the target machine:

nmap -sX <target_ip>

Replace <target_ip> with the IP address of the target machine.


3. Analyze the scan results to identify open, closed, or filtered ports on the target machine.

Pattern Analysis Techniques:

After performing the TCP Xmas scan, analyze the Nmap results and the Wireshark capture
side by side: each RST reply should line up with a port Nmap reports as closed, each silent
probe with an open|filtered port, and each ICMP unreachable with a filtered port. Looking at
the timing and ordering of the probes also shows how visible the scan is to a passive observer;
a burst of FIN+PSH+URG segments from one source to many ports within a second or two is
exactly the pattern a detector keys on.


8. TCP XMAS SCAN USING PATTERN ANALYSIS


TECHNIQUES GENERATION:

The TCP Xmas scan is a port scanning technique used in cybersecurity to identify open ports
on a target system. It sends TCP packets with specific flags set to a target port and reads the
response, or the absence of one, to determine the port's status. In a "Christmas tree" (Xmas)
scan the FIN, URG and PSH flags are set and SYN, ACK and RST are clear, making the flag
field look like a lit-up Christmas tree.

Here's a general overview of how a TCP Xmas scan is generated and its results interpreted:

1. Crafting TCP Packets: Generate TCP segments with exactly the FIN, URG and PSH flags
set. No legitimate stack emits this combination (a segment that carries data or a FIN always
carries ACK as well), so the packet is unusual and distinctive on the wire.

2. Sending Packets: Send one crafted segment to each target port you want to scan. Raw
sockets are required, so the scanner runs as root. The response, or the lack of one, is what
carries the information about the port's status.

3. Analyzing Responses: The target's reaction to the unusual segment reveals the port's
status:

Response with RST: the port is closed. RFC 793 requires a closed port to answer any
segment that lacks a RST with a RST.

No Response: the port is open, because an open port silently discards a segment with no
SYN, RST or ACK, or the probe was dropped by a firewall on the way. The two cases look
identical, which is why Nmap reports such a port as open|filtered.

ICMP Unreachable: an ICMP type 3 error (code 1, 2, 3, 9, 10 or 13) means a filter actively
rejected the probe; Nmap reports the port as filtered.

4. Interpreting Results: Ports that answered with RST are closed; silent ports are candidates
that need a follow-up (a SYN scan, or an ACK scan to tell filtering apart) before they are
called open. If every port comes back closed, the target is most likely a stack that answers
every Xmas probe with RST regardless of port state (Microsoft Windows and many Cisco
devices do this), and the scan is inconclusive.
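
The craft, send, analyze and interpret steps of sections 5 and 8 as one worked example. This
is added illustration code, not part of the original project and not Nmap's own code: it builds
the 20-byte TCP header an Xmas probe carries with Python's struct module, checks the flag
field, and maps each kind of reply to the port state Nmap would print, including the all-RST
case that marks a stack which ignores RFC 793. It sends nothing on the network; the replies
from target 192.168.1.100 to probes sent from port 40000 are constructed inline.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # 0x29

# ICMP type 3 codes that Nmap documents as meaning "filtered" for FIN/NULL/Xmas scans
ICMP_UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Build a 20-byte TCP header (no options, checksum left zero).
    A real sender fills the checksum and wraps this in an IP header."""
    data_offset_and_flags = (5 << 12) | (flags & 0x1FF)  # 5 words, flags in the low 9 bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset_and_flags, window, 0, 0)


def tcp_flags(header: bytes) -> int:
    """Extract the 9-bit flags field (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)."""
    return struct.unpack("!H", header[12:14])[0] & 0x1FF


def is_xmas_probe(header: bytes) -> bool:
    """Exactly FIN+PSH+URG among the six classic flags, nothing else set."""
    return (tcp_flags(header) & 0x3F) == XMAS


def classify_response(response):
    """Map what came back for one probe to the port state Nmap prints.
    response is None (nothing received), ("tcp", header_bytes) or ("icmp", type, code)."""
    if response is None:
        return "open|filtered"          # an open port drops it, and so does a filter
    if response[0] == "tcp":
        return "closed" if tcp_flags(response[1]) & RST else "unexpected"
    if response[0] == "icmp":
        _, icmp_type, icmp_code = response
        if icmp_type == 3 and icmp_code in ICMP_UNREACH_FILTERED:
            return "filtered"
    return "unexpected"


def interpret_scan(responses_by_port):
    """Port number -> state, for every port that was probed."""
    return {port: classify_response(resp) for port, resp in responses_by_port.items()}


def all_ports_closed(states):
    """True when every probe drew a RST: the signature of a stack that RSTs everything."""
    return bool(states) and all(state == "closed" for state in states.values())


def constructed_responses():
    """Constructed replies from 192.168.1.100 to Xmas probes sent from port 40000."""
    return {
        22: None,                                               # silent: open|filtered
        80: None,                                               # silent: open|filtered
        23: ("tcp", build_tcp_header(23, 40000, RST | ACK)),    # RST: closed
        445: ("icmp", 3, 13),                                   # admin prohibited: filtered
    }


if __name__ == "__main__":
    probe = build_tcp_header(40000, 80, XMAS)
    print("probe flags: 0x%03x, xmas=%s" % (tcp_flags(probe), is_xmas_probe(probe)))
    states = interpret_scan(constructed_responses())
    for port, state in sorted(states.items()):
        print("%5d/tcp %s" % (port, state))
    if all_ports_closed(states):
        print("every port RST: target probably ignores RFC 793, result inconclusive")
```

The same tcp_flags check, applied to captured packets rather than to a probe being built, is
what a defender's filter or IDS rule performs; the scanner and the detector agree on the one
byte that matters.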


9. SNAPSHOTS:


10.CONCLUSION:
In conclusion, the TCP Xmas scan is a stealthy port scanning technique that sends TCP
packets with the FIN, URG, and PSH flags set and reads the response of the target's TCP/IP
stack: a RST marks a closed port, silence marks a port that is open or filtered, and an ICMP
unreachable marks a filtered port. By analyzing these patterns of responses, or lack thereof,
security analysts can infer the state of ports on the target system; by analyzing the probe
packets themselves, defenders can spot the scan, since the flag combination never occurs in
legitimate traffic.

However, it's important to note that while Xmas scans can slip past stateless packet filters
and logging that only records SYN packets, they are readily detected by any monitoring tool
that inspects TCP flags, such as Wireshark, Snort or Suricata. Additionally, some operating
systems (Microsoft Windows and many Cisco devices among them) answer every Xmas probe
with a RST regardless of port state, so the scan yields nothing useful against them and
interpretation must take the target stack into account.

Incorporating pattern analysis techniques allows security professionals to not only detect Xmas
scans but also understand the behaviour of target systems, enhancing overall network security
posture. It's crucial for organizations to continually update their defensive strategies to mitigate
the risks posed by stealthy scanning techniques like the TCP Xmas scan.


11. FUTURE SCOPE AND ENHANCEMENT:


The TCP Xmas scan is a stealthy port scanning technique used by attackers to identify open
ports on a target system. It works by sending TCP packets with the FIN, URG, and PSH flags
set but no SYN, ACK or RST, a combination that never occurs in a normal TCP conversation.
The response of the target system to these packets reveals whether a port is closed (RST),
open or filtered (silence), or filtered by a firewall (ICMP unreachable).

Enhancing the TCP Xmas scan using pattern analysis techniques involves leveraging advanced
data analysis methods to extract more meaningful insights from the scan results. Here are some
future scope and enhancement ideas for TCP Xmas scan using pattern analysis techniques:

1.Pattern Recognition Algorithms:

Implement pattern recognition algorithms to analyze the responses from the target system.
Machine learning algorithms such as clustering, classification, or anomaly detection can be
trained to identify patterns in the responses and distinguish between open, closed, and filtered
ports more accurately.

2. Behavioral Analysis:

Perform behavioral analysis of the target system's responses to Xmas scan packets. Look for
deviations from expected behavior, such as unusual response times, packet sequence patterns,
or variations in packet sizes. These anomalies can provide valuable insights into the system's
port status and potential security vulnerabilities.

3.Statistical Analysis:

Apply statistical analysis techniques to the scan results to identify statistically significant
patterns or trends. Analyze factors such as response rates, packet timings, and frequency
distributions of port states to uncover patterns indicative of specific network configurations or
security measures.

4. Feature Engineering:

Develop novel features based on packet attributes, network traffic characteristics, or system
behavior to enhance the effectiveness of pattern analysis. These features could include packet
header information, payload content, timing parameters, or contextual metadata extracted from
the network environment.


5. Integration with Threat Intelligence:

Integrate threat intelligence feeds and databases into the pattern analysis framework to enrich
the analysis with contextual information about known attack patterns, malware signatures, or
historical security incidents. This integration can help identify correlations between Xmas scan
patterns and known threats, enabling proactive threat detection and response.

6. Visualization and Interpretation Tools:

Develop visualization and interpretation tools to present the results of pattern analysis in a
user-friendly manner. Graphical representations, interactive dashboards, and intuitive
visualizations can facilitate the identification of meaningful patterns and actionable insights
from the scan data.

7. Dynamic Adaptation and Learning:

Implement adaptive algorithms that continuously learn and evolve based on feedback from
ongoing scan activities. These algorithms can dynamically adjust scan parameters, update
pattern recognition models, and refine analysis techniques based on real-time observations and
feedback from the target environment.

8. Privacy and Ethics Considerations:

Ensure that pattern analysis techniques adhere to privacy regulations and ethical guidelines.
Implement mechanisms to anonymize sensitive data, obtain appropriate consent for data
collection and analysis, and protect the confidentiality of information obtained through
scanning activities.

By incorporating these enhancements, the TCP Xmas scan can become a more sophisticated
and effective tool for network reconnaissance, enabling security professionals to identify and
mitigate potential security risks more efficiently.


13. USER GUIDE

Virtual Box:
1. Download VirtualBox installer from official website.

2. Run the installer.

3. Follow installation wizard.

4. Optionally install the VirtualBox Extension Pack.

5. Complete installation.

6. Optionally configure virtual machine settings.

7. Launch VirtualBox.

Ubuntu:

1. Download Ubuntu ISO image from official website.

2. Launch VirtualBox and click "New" to create a new virtual machine.

3. Follow the wizard to set up the virtual machine:

• Name the virtual machine.

• Choose type as "Linux" and version as "Ubuntu (64-bit)".

• Allocate memory (RAM) to the virtual machine.

• Create a virtual hard disk (accept default settings).

4. Select the Ubuntu ISO image as the bootable disk for the virtual machine.

5. Start the virtual machine to begin the Ubuntu installation process.

6. Follow the Ubuntu installation wizard:

• Choose language and keyboard layout.

• Select "Install Ubuntu" option.


• Follow on-screen prompts to configure disk partitioning, user account, and
system settings.

7. Complete the installation and restart the virtual machine.

8. Install VirtualBox Guest Additions (optional) for enhanced functionality.

9. Ubuntu is now installed and ready to use on VirtualBox.

Wireshark:

1. Open a terminal window on your Ubuntu virtual machine.

2. Update the package list using the command: sudo apt update

3. Install Wireshark using the command: sudo apt install wireshark

4. During the installation, a configuration dialog asks whether non-superusers should be able
to capture packets. Select "Yes" and press Enter. This grants capture rights to members of
the "wireshark" group through the dumpcap helper only; the Wireshark GUI itself keeps running
as your unprivileged user, so do not run it with sudo. If you answered "No", rerun the dialog
with: sudo dpkg-reconfigure wireshark-common

5. After the installation completes, add your user to the "wireshark" group so that you can
capture without superuser privileges, using the command: sudo usermod -aG wireshark "$USER"

6. Log out and log back in for the group change to take effect. Confirm with the command
id -nG, which should now list wireshark.

7. Launch Wireshark from the applications menu or by running the command wireshark in the
terminal.

8. Wireshark is now installed and ready to capture and analyze network traffic on your
Ubuntu virtual machine. To isolate Xmas scan probes in a capture, apply the display filter
tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1


Personal Reflections and Learnings

Personal Reflections:

Understanding of Network Security: Through this project, I gained a deeper understanding
of network security concepts, particularly regarding port scanning techniques and their
implications for network defense.

Hands-On Experience: The hands-on experience of setting up a laboratory environment,
crafting TCP Xmas scans, and analyzing packet data in Wireshark provided invaluable practical
insights into network security practices.

Challenges Faced: During the project, I encountered challenges such as configuring software
tools, interpreting packet data accurately, and discerning legitimate traffic from scan activity.
Overcoming these challenges required patience, persistence, and resourcefulness.

Appreciation for Detection Techniques: I developed a greater appreciation for the importance
of detection techniques in identifying and mitigating potential security threats. Detecting TCP
Xmas scans using pattern analysis techniques highlighted the significance of proactive
monitoring and analysis in safeguarding network assets.

Collaborative Learning: Collaborating with peers, seeking assistance from online resources,
and leveraging community forums enriched the learning experience. Engaging in discussions,
sharing insights, and troubleshooting together enhanced my understanding and problem-
solving skills.

Key Learnings:

TCP Xmas Scan Methodology: I learned about the methodology behind TCP Xmas scans,
including how they exploit specific flags in the TCP header to determine port status on target
systems.

NMAP and Wireshark Proficiency: Utilizing tools like NMAP for scan crafting and
Wireshark for packet analysis enhanced my proficiency in network security tools and
methodologies.


Pattern Analysis Techniques: Learning how to detect TCP Xmas scans using pattern analysis
techniques in Wireshark deepened my understanding of packet inspection and detection
methodologies.

Importance of Documentation: Documenting the project scope, procedures, and findings in
a comprehensive report reinforced the importance of clear and concise documentation in
research and technical projects.

Continuous Learning: This project underscored the dynamic nature of cybersecurity and the
need for continuous learning and adaptation to stay abreast of evolving threats and defense
strategies.

By reflecting on these experiences and learnings, I gained insights into the practical application
of network security principles and acquired valuable skills that will contribute to my
professional development in the field of cybersecurity.

Final Acknowledgement


I would like to express my sincere gratitude to [Instructor/Mentor's Name] for their invaluable
guidance and support throughout this project. Their expertise and encouragement played a
pivotal role in shaping the direction of the research and ensuring its successful completion.
I am also thankful to our dedicated team members (Sree Sai, Ramya, Abhilasha, Abhiram,
Abhiram YS, Adithi R, Adithi S, Afifah, Aishwarya, Akshay, Ananya, Archana, Arthan, Aasha,
Ashwini, Prajwal, Bhavana, Chaitra, Charishma) for their collaboration, insightful discussions,
and assistance during various stages of the project. Their contributions enriched the learning
experience and fostered a collaborative environment conducive to innovation and knowledge
sharing.
Furthermore, I extend my appreciation to the developers and contributors of NMAP and
Wireshark for providing powerful and indispensable tools that facilitated the execution and
analysis of the project.
Lastly, I would like to acknowledge the academic institution or organization for providing the
necessary resources and infrastructure to undertake this project.
This project has been a rewarding journey, and I am grateful to all who have contributed to its
realization.
