Remote Identification of Port Scan Toolchains

Vincent Ghiëtte; Norbert Blenn; Christian Doerr

doi:10.1109/NTMS.2016.7792471

Remote Identification of Port Scan Toolchains

Vincent Ghiëtte, Norbert Blenn, Christian Doerr

Cyber Security

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

10 Citations (Scopus)

331 Downloads (Pure)

Abstract

Port scans are typically at the begin of a chain of events that will lead to the attack and exploitation of a host over a network. Since building an effective defense relies on information what kind of threat an organization is facing, threat intelligence outlining an actor’s modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the tool chain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing to use a particular tool have also specialized to exploit particular services.

Original language	English
Title of host publication	IFIP International Conference on New Technologies, Mobility and Security
Editors	Mohamad Badra, Giovanni Pau, Vasos Vassiliou
Place of Publication	Piscataway, NJ
Publisher	IEEE
Pages	1-5
Number of pages	5
ISBN (Electronic)	978-1-5090-2914-3
DOIs	https://doi.org/10.1109/NTMS.2016.7792471
Publication status	Published - 2016

Bibliographical note

Accepted Author Manuscript

Keywords

threat intelligence
port scan

Access to Document

10.1109/NTMS.2016.7792471

10611102Accepted author manuscript, 616 KB

Cite this

@inproceedings{4abea0f64fae4d57950bcd30d51c3c89,

title = "Remote Identification of Port Scan Toolchains",

abstract = "Port scans are typically at the begin of a chain of events that will lead to the attack and exploitation of a host over a network. Since building an effective defense relies on information what kind of threat an organization is facing, threat intelligence outlining an actor{\textquoteright}s modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the tool chain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing to use a particular tool have also specialized to exploit particular services.",

keywords = "threat intelligence, port scan",

author = "Vincent Ghi{\"e}tte and Norbert Blenn and Christian Doerr",

note = "Accepted Author Manuscript",

year = "2016",

doi = "10.1109/NTMS.2016.7792471",

language = "English",

pages = "1--5",

editor = "Mohamad Badra and Giovanni Pau and Vasos Vassiliou",

booktitle = "IFIP International Conference on New Technologies, Mobility and Security",

publisher = "IEEE",

address = "United States",

}

Remote Identification of Port Scan Toolchains. / Ghiëtte, Vincent; Blenn, Norbert; Doerr, Christian.
IFIP International Conference on New Technologies, Mobility and Security. ed. / Mohamad Badra; Giovanni Pau; Vasos Vassiliou. Piscataway, NJ: IEEE, 2016. p. 1-5.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Remote Identification of Port Scan Toolchains

AU - Ghiëtte, Vincent

AU - Blenn, Norbert

AU - Doerr, Christian

N1 - Accepted Author Manuscript

PY - 2016

Y1 - 2016

N2 - Port scans are typically at the begin of a chain of events that will lead to the attack and exploitation of a host over a network. Since building an effective defense relies on information what kind of threat an organization is facing, threat intelligence outlining an actor’s modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the tool chain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing to use a particular tool have also specialized to exploit particular services.

AB - Port scans are typically at the begin of a chain of events that will lead to the attack and exploitation of a host over a network. Since building an effective defense relies on information what kind of threat an organization is facing, threat intelligence outlining an actor’s modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the tool chain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing to use a particular tool have also specialized to exploit particular services.

KW - threat intelligence

KW - port scan

UR - http://resolver.tudelft.nl/uuid:4abea0f6-4fae-4d57-950b-cd30d51c3c89

U2 - 10.1109/NTMS.2016.7792471

DO - 10.1109/NTMS.2016.7792471

M3 - Conference contribution

SP - 1

EP - 5

BT - IFIP International Conference on New Technologies, Mobility and Security

A2 - Badra, Mohamad

A2 - Pau, Giovanni

A2 - Vassiliou, Vasos

PB - IEEE

CY - Piscataway, NJ

ER -

Remote Identification of Port Scan Toolchains

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this