Modeling of IP scanning activities with Hidden Markov Models: Darknet case study

We propose a methodology based on Hidden Markov Models (HMMs) to model scanning activities monitored by a darknet. The HMMs of scanning activities are built on the basis of the number of scanned IP addresses within a time window and fitted using mixtures of Poisson distributions. Our methodology is applied on real data traces collected from a darknet and generated by two large scale scanners, ZMap and Shodan. We demonstrated that the built models are able to characterize their scanning activities.

Keywords

Index Terms—Network scanning ZMap Shodan Poisson dis- tribution models Hidden Markov Models HMMs

Domains

Networking and Internet Architecture [cs.NI]

Fichier principal

NTMS2016.pdf (2.54 Mo)

Origin : Files produced by the author(s)

Jérôme François : Connect in order to contact the contributor

https://inria.hal.science/hal-01404127

Submitted on : Monday, November 28, 2016-1:46:42 PM

Last modification on : Monday, September 11, 2023-5:41:18 PM

Long-term archiving on: Tuesday, March 21, 2017-11:32:12 AM

Dates and versions

hal-01404127 , version 1 (28-11-2016)

Identifiers

HAL Id : hal-01404127 , version 1

Cite

Giulia de Santis, Abdelkader Lahmadi, Jerome Francois, Olivier Festor. Modeling of IP scanning activities with Hidden Markov Models: Darknet case study. 8th IFIP International Conference on New Technologies, Mobility and Security, Nov 2016, Larnaca, Cyprus. ⟨hal-01404127⟩

Export

BibTeX XML-TEI Dublin Core DC Terms EndNote DataCite

Collections

CNRS INRIA UNIV-LORRAINE INRIA2 LORIA LORIA-NSS LHS

333 View

557 Download