Clustering Payloads: Grouping Randomized Scan Probes Into Campaign Templates

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

9 Downloads (Pure)


Over the past decade, the scanning landscape has significantly changed. Powerful tools such as Masscan or Zmap allow anyone to scan the entire Internet in a matter of hours. Simultaneously, we witnessed the emergence of stealthy scanners, which map the Internet from thousands of vantage points at a low rate attempting to forego detection. As scanning is typically the first step towards later intrusion, organizations need to track, understand and draw intelligence from these scan campaigns. Organizations benefit from obtaining insights into what adversaries are currently looking for, which might reveal some new vulnerabilities. Furthermore, relating IP addresses with each other participating in scan campaigns provides valuable insights into the adversary's capabilities. In this paper, we describe a protocol-agnostic approach to extract commonalities and patterns from UDP scan traffic, relate individual scan packets regardless of whether they are sending static data or randomizing their payloads across destinations, and obtain 97% pattern accuracy with a data coverage of 96%. We apply our methodology on seven years of NTP and DNS scan traffic demonstrating that our automatic clustering provides stable tracking of strategies over time and identifies groups of source IPs with these behavioral characteristics effectively.
Original languageEnglish
Title of host publicationProceedings of the 2022 IFIP Networking Conference (IFIP Networking)
Number of pages9
ISBN (Electronic)978-3-903176-48-5
ISBN (Print)978-1-6654-8726-9
Publication statusPublished - 2022
Event2022 IFIP Networking Conference (IFIP Networking) - Catania, Italy
Duration: 13 Jun 202216 Jun 2022

Publication series

Name2022 IFIP Networking Conference, IFIP Networking 2022


Conference2022 IFIP Networking Conference (IFIP Networking)

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.


  • UDP
  • payload
  • clustering
  • network scans

Cite this