Remote Identification of Port Scan Toolchains

Vincent Ghiëtte, Norbert Blenn, Christian Doerr

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

6 Citations (Scopus)
237 Downloads (Pure)


Port scans are typically at the beginning of a chain of events that will lead to the attack and exploitation of a host over a network. Since building an effective defense relies on information about what kind of threat an organization is facing, threat intelligence outlining an actor’s modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the tool chain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing in the use of a particular tool have also specialized in exploiting particular services.
Original language: English
Title of host publication: IFIP International Conference on New Technologies, Mobility and Security
Editors: Mohamad Badra, Giovanni Pau, Vasos Vassiliou
Place of Publication: Piscataway, NJ
Number of pages: 5
ISBN (Electronic): 978-1-5090-2914-3
Publication status: Published - 2016

Bibliographical note

Accepted Author Manuscript


  • threat intelligence
  • port scan

