Clustering Payloads: Grouping Randomized Scan Probes Into Campaign Templates

Vincent Ghiette; Christian Dörr

doi:10.23919/IFIPNetworking55013.2022.9829757

Clustering Payloads: Grouping Randomized Scan Probes Into Campaign Templates

Cyber Security

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

17 Downloads (Pure)

Abstract

Over the past decade, the scanning landscape has significantly changed. Powerful tools such as Masscan or Zmap allow anyone to scan the entire Internet in a matter of hours. Simultaneously, we witnessed the emergence of stealthy scanners, which map the Internet from thousands of vantage points at a low rate attempting to forego detection. As scanning is typically the first step towards later intrusion, organizations need to track, understand and draw intelligence from these scan campaigns. Organizations benefit from obtaining insights into what adversaries are currently looking for, which might reveal some new vulnerabilities. Furthermore, relating IP addresses with each other participating in scan campaigns provides valuable insights into the adversary's capabilities. In this paper, we describe a protocol-agnostic approach to extract commonalities and patterns from UDP scan traffic, relate individual scan packets regardless of whether they are sending static data or randomizing their payloads across destinations, and obtain 97% pattern accuracy with a data coverage of 96%. We apply our methodology on seven years of NTP and DNS scan traffic demonstrating that our automatic clustering provides stable tracking of strategies over time and identifies groups of source IPs with these behavioral characteristics effectively.

Original language	English
Title of host publication	Proceedings of the 2022 IFIP Networking Conference (IFIP Networking)
Publisher	IEEE
Pages	1-9
Number of pages	9
ISBN (Electronic)	978-3-903176-48-5
ISBN (Print)	978-1-6654-8726-9
DOIs	https://doi.org/10.23919/IFIPNetworking55013.2022.9829757
Publication status	Published - 2022
Event	2022 IFIP Networking Conference (IFIP Networking) - Catania, Italy Duration: 13 Jun 2022 → 16 Jun 2022

Publication series

Name	2022 IFIP Networking Conference, IFIP Networking 2022

Conference

Conference	2022 IFIP Networking Conference (IFIP Networking)
Country/Territory	Italy
City	Catania
Period	13/06/22 → 16/06/22

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

UDP
payload
clustering
network scans

Access to Document

10.23919/IFIPNetworking55013.2022.9829757

Clustering_Payloads_Grouping_Randomized_Scan_Probes_Into_Campaign_TemplatesFinal published version, 1.14 MB

Cite this

@inproceedings{3418244b2493446bb5230d0d421faf3c,

title = "Clustering Payloads: Grouping Randomized Scan Probes Into Campaign Templates",

abstract = "Over the past decade, the scanning landscape has significantly changed. Powerful tools such as Masscan or Zmap allow anyone to scan the entire Internet in a matter of hours. Simultaneously, we witnessed the emergence of stealthy scanners, which map the Internet from thousands of vantage points at a low rate attempting to forego detection. As scanning is typically the first step towards later intrusion, organizations need to track, understand and draw intelligence from these scan campaigns. Organizations benefit from obtaining insights into what adversaries are currently looking for, which might reveal some new vulnerabilities. Furthermore, relating IP addresses with each other participating in scan campaigns provides valuable insights into the adversary's capabilities. In this paper, we describe a protocol-agnostic approach to extract commonalities and patterns from UDP scan traffic, relate individual scan packets regardless of whether they are sending static data or randomizing their payloads across destinations, and obtain 97% pattern accuracy with a data coverage of 96%. We apply our methodology on seven years of NTP and DNS scan traffic demonstrating that our automatic clustering provides stable tracking of strategies over time and identifies groups of source IPs with these behavioral characteristics effectively.",

keywords = "UDP, payload, clustering, network scans",

author = "Vincent Ghiette and Christian D{\"o}rr",

note = "Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.; 2022 IFIP Networking Conference (IFIP Networking) ; Conference date: 13-06-2022 Through 16-06-2022",

year = "2022",

doi = "10.23919/IFIPNetworking55013.2022.9829757",

language = "English",

isbn = "978-1-6654-8726-9",

series = "2022 IFIP Networking Conference, IFIP Networking 2022",

publisher = "IEEE",

pages = "1--9",

booktitle = "Proceedings of the 2022 IFIP Networking Conference (IFIP Networking)",

address = "United States",

}

Ghiette, V & Dörr, C 2022, Clustering Payloads: Grouping Randomized Scan Probes Into Campaign Templates. in Proceedings of the 2022 IFIP Networking Conference (IFIP Networking)., 9829757, 2022 IFIP Networking Conference, IFIP Networking 2022, IEEE, pp. 1-9, 2022 IFIP Networking Conference (IFIP Networking), Catania, Italy, 13/06/22. https://doi.org/10.23919/IFIPNetworking55013.2022.9829757

Clustering Payloads: Grouping Randomized Scan Probes Into Campaign Templates. / Ghiette, Vincent ; Dörr, Christian.
Proceedings of the 2022 IFIP Networking Conference (IFIP Networking). IEEE, 2022. p. 1-9 9829757 (2022 IFIP Networking Conference, IFIP Networking 2022).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Clustering Payloads

T2 - 2022 IFIP Networking Conference (IFIP Networking)

AU - Ghiette, Vincent

AU - Dörr, Christian

N1 - Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

PY - 2022

Y1 - 2022

N2 - Over the past decade, the scanning landscape has significantly changed. Powerful tools such as Masscan or Zmap allow anyone to scan the entire Internet in a matter of hours. Simultaneously, we witnessed the emergence of stealthy scanners, which map the Internet from thousands of vantage points at a low rate attempting to forego detection. As scanning is typically the first step towards later intrusion, organizations need to track, understand and draw intelligence from these scan campaigns. Organizations benefit from obtaining insights into what adversaries are currently looking for, which might reveal some new vulnerabilities. Furthermore, relating IP addresses with each other participating in scan campaigns provides valuable insights into the adversary's capabilities. In this paper, we describe a protocol-agnostic approach to extract commonalities and patterns from UDP scan traffic, relate individual scan packets regardless of whether they are sending static data or randomizing their payloads across destinations, and obtain 97% pattern accuracy with a data coverage of 96%. We apply our methodology on seven years of NTP and DNS scan traffic demonstrating that our automatic clustering provides stable tracking of strategies over time and identifies groups of source IPs with these behavioral characteristics effectively.

AB - Over the past decade, the scanning landscape has significantly changed. Powerful tools such as Masscan or Zmap allow anyone to scan the entire Internet in a matter of hours. Simultaneously, we witnessed the emergence of stealthy scanners, which map the Internet from thousands of vantage points at a low rate attempting to forego detection. As scanning is typically the first step towards later intrusion, organizations need to track, understand and draw intelligence from these scan campaigns. Organizations benefit from obtaining insights into what adversaries are currently looking for, which might reveal some new vulnerabilities. Furthermore, relating IP addresses with each other participating in scan campaigns provides valuable insights into the adversary's capabilities. In this paper, we describe a protocol-agnostic approach to extract commonalities and patterns from UDP scan traffic, relate individual scan packets regardless of whether they are sending static data or randomizing their payloads across destinations, and obtain 97% pattern accuracy with a data coverage of 96%. We apply our methodology on seven years of NTP and DNS scan traffic demonstrating that our automatic clustering provides stable tracking of strategies over time and identifies groups of source IPs with these behavioral characteristics effectively.

KW - UDP

KW - payload

KW - clustering

KW - network scans

UR - http://www.scopus.com/inward/record.url?scp=85136279981&partnerID=8YFLogxK

U2 - 10.23919/IFIPNetworking55013.2022.9829757

DO - 10.23919/IFIPNetworking55013.2022.9829757

M3 - Conference contribution

SN - 978-1-6654-8726-9

T3 - 2022 IFIP Networking Conference, IFIP Networking 2022

SP - 1

EP - 9

BT - Proceedings of the 2022 IFIP Networking Conference (IFIP Networking)

PB - IEEE

Y2 - 13 June 2022 through 16 June 2022

ER -

Clustering Payloads: Grouping Randomized Scan Probes Into Campaign Templates

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this