Classifying Internet-wide scanners using Gaussian Mixture and Hidden Markov Models

November 21, 2017

Giulia De Santis

Time:   10:45am
Location:   Meeting room 302 (Mountain View), level 3

Internet-wide scanning tools and services such as ZMap, Shodan, Nmap and Masscan are heavily used for malicious activity. To enable early identification of advanced threats, this work models scanners from the point of view of the scanned software system. Specifically, three features of the scanning activity are modeled: intensity, spatial movement and temporal movement. Intensity is the number of packets the scanned system receives within a fixed window of time. Spatial movement is the difference between successive scanned IP addresses, and temporal movement is the difference between successive packet timestamps. Based on real logs of incoming IP packets collected from a darknet, hidden Markov models (HMMs) are used to assess which scanning technique is operating. Furthermore, the spatial or temporal movements alone suffice to fingerprint, with an accuracy of up to 98%, which network scanner originated the traffic observed at the darknet.
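The following is an added example, not code from the talk or its author, showing how the three features described above can be extracted from darknet packet logs and how a discrete HMM scored with the forward algorithm can separate scanner behaviours. The log lines, the time window, the quantization threshold and the two HMM parameter sets are all constructed for illustration; the work presented here trains its models on real darknet logs, whereas the parameters below are hand-set and only assumed to be plausible.

```python
import ipaddress
from math import log

# Constructed darknet log lines (not real data): "<unix_ts> <src_ip> <dst_ip>".
# SEQUENTIAL_LOG mimics a scanner walking the darknet range one address at a time;
# RANDOM_LOG mimics a scanner probing addresses in a permuted order with irregular timing.
SEQUENTIAL_LOG = """\
1500000000.000 198.51.100.7 203.0.113.1
1500000000.100 198.51.100.7 203.0.113.2
1500000000.200 198.51.100.7 203.0.113.3
1500000000.300 198.51.100.7 203.0.113.4
1500000000.400 198.51.100.7 203.0.113.5
1500000000.500 198.51.100.7 203.0.113.6
"""
RANDOM_LOG = """\
1500000000.000 198.51.100.9 203.0.113.200
1500000001.300 198.51.100.9 203.0.113.17
1500000001.350 198.51.100.9 203.0.113.141
1500000003.000 198.51.100.9 203.0.113.66
1500000003.020 198.51.100.9 203.0.113.250
1500000004.700 198.51.100.9 203.0.113.3
"""


def parse_log(text):
    """Return (timestamp, scanned_ip_as_int) per line, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src, dst = line.split()
        events.append((float(ts), int(ipaddress.ip_address(dst))))
    return sorted(events)


def intensity(events, window):
    """Intensity feature: packets received per fixed window, counted from the first packet."""
    if not events:
        return []
    t0 = events[0][0]
    counts = [0] * (int((events[-1][0] - t0) // window) + 1)
    for ts, _ in events:
        counts[int((ts - t0) // window)] += 1
    return counts


def spatial_moves(events):
    """Spatial feature: difference between successive scanned IP addresses."""
    return [b[1] - a[1] for a, b in zip(events, events[1:])]


def temporal_moves(events):
    """Temporal feature: difference between successive timestamps (rounded to ms)."""
    return [round(b[0] - a[0], 3) for a, b in zip(events, events[1:])]


def quantize(values, threshold):
    """Map a feature series to HMM symbols: 0 = small move (|v| <= threshold), 1 = large move."""
    return [0 if abs(v) <= threshold else 1 for v in values]


def forward_loglik(obs, pi, A, B):
    """log P(obs | model) for a discrete HMM via the scaled forward algorithm.
    pi: initial state probabilities, A[i][j]: transition i->j, B[i][k]: emission of symbol k in state i."""
    n = len(pi)
    alpha = [pi[i] * B[i][obs[0]] for i in range(n)]
    loglik = 0.0
    for step, o in enumerate(obs):
        if step > 0:
            alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j][o] for j in range(n)]
        scale = sum(alpha)              # per-step scaling avoids underflow on long logs
        loglik += log(scale)
        alpha = [a / scale for a in alpha]
    return loglik


# Assumed (hand-set) two-state models: one favouring small moves, one favouring large jumps.
MODELS = {
    "sequential": dict(pi=[0.9, 0.1], A=[[0.9, 0.1], [0.5, 0.5]], B=[[0.95, 0.05], [0.3, 0.7]]),
    "random":     dict(pi=[0.1, 0.9], A=[[0.5, 0.5], [0.1, 0.9]], B=[[0.6, 0.4], [0.05, 0.95]]),
}


def classify(symbols, models=MODELS):
    """Return the model name with the highest log-likelihood for the observed symbol sequence."""
    scores = {name: forward_loglik(symbols, **m) for name, m in models.items()}
    return max(scores, key=scores.get)


if __name__ == "__main__":
    for name, text in (("sequential log", SEQUENTIAL_LOG), ("random log", RANDOM_LOG)):
        ev = parse_log(text)
        print(name, "intensity/1s:", intensity(ev, 1.0),
              "spatial:", spatial_moves(ev), "temporal:", temporal_moves(ev),
              "->", classify(quantize(spatial_moves(ev), 16)))
```

The spatial series alone drives the classification here, matching the observation that spatial or temporal movement by itself carries enough signal; swapping in `quantize(temporal_moves(ev), 0.5)` exercises the temporal feature with the same machinery.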