Over the past decade, the scanning landscape has significantly changed. Powerful tools such as Masscan or Zmap allow anyone to scan the entire Internet in a matter of hours. Simultaneously, we witnessed the emergence of stealthy scanners, which map the Internet from thousands of vantage points at a low rate attempting to forego detection. As scanning is typically the first step towards later intrusion, organizations need to track, understand and draw intelligence from these scan campaigns. Organizations benefit from obtaining insights into what adversaries are currently looking for, which might reveal some new vulnerabilities. Furthermore, relating IP addresses with each other participating in scan campaigns provides valuable insights into the adversary's capabilities. In this paper, we describe a protocol-agnostic approach to extract commonalities and patterns from UDP scan traffic, relate individual scan packets regardless of whether they are sending static data or randomizing their payloads across destinations, and obtain 97% pattern accuracy with a data coverage of 96%. We apply our methodology on seven years of NTP and DNS scan traffic demonstrating that our automatic clustering provides stable tracking of strategies over time and identifies groups of source IPs with these behavioral characteristics effectively.
|Title of host publication||Proceedings of the 2022 IFIP Networking Conference (IFIP Networking)|
|Number of pages||9|
|Publication status||Published - 2022|
|Event||2022 IFIP Networking Conference (IFIP Networking) - Catania, Italy|
Duration: 13 Jun 2022 → 16 Jun 2022
|Name||2022 IFIP Networking Conference, IFIP Networking 2022|
|Conference||2022 IFIP Networking Conference (IFIP Networking)|
|Period||13/06/22 → 16/06/22|
Bibliographical noteGreen Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
- network scans