Modeling of IP scanning activities with Hidden Markov Models: Darknet case study

Abstract : We propose a methodology based on Hidden Markov Models (HMMs) to model scanning activities monitored by a darknet. The HMMs of scanning activities are built on the basis of the number of scanned IP addresses within a time window and fitted using mixtures of Poisson distributions. Our methodology is applied to real data traces collected from a darknet and generated by two large-scale scanners, ZMap and Shodan. We demonstrate that the built models are able to characterize their scanning activities.
Document type : Conference papers
Cited literature [12 references]

https://hal.inria.fr/hal-01404127
Contributor : Jérôme François
Submitted on : Monday, November 28, 2016 - 1:46:42 PM
Last modification on : Thursday, February 7, 2019 - 2:35:35 PM
Long-term archiving on : Tuesday, March 21, 2017 - 11:32:12 AM

File

NTMS2016.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-01404127, version 1

Citation

Giulia de Santis, Abdelkader Lahmadi, Jerome Francois, Olivier Festor. Modeling of IP scanning activities with Hidden Markov Models: Darknet case study. 8th IFIP International Conference on New Technologies, Mobility and Security, Nov 2016, Larnaca, Cyprus. ⟨hal-01404127⟩
