Internet-Wide Scanners Classification using Gaussian Mixture and Hidden Markov Models

Internet-wide scanners are heavily used for malicious activities. This work models, from the scanned system point of view, spatial and temporal movements of network scanning activities, related to the difference of successive scanned IP addresses and timestamps, respectively. Based on real logs of incoming IP packets collected from a darknet, Hidden Markov Models (HMMs) are used to assess what scanning technique is operating. The proposed methodology, using only one of the aforementioned features of the scanning technique, is able to fingerprint what network scanner originated the perceived darknet traffic.

Mots clés

Gaussian distribution models Darknet Hidden Markov Models Network scanning ZMap Shodan

Domaines

Modélisation et simulation Réseaux et télécommunications [cs.NI] Apprentissage [cs.LG]

Fichier principal

NTMS2018.pdf (379.36 Ko)

Origine : Fichiers produits par l'(les) auteur(s)

Abdelkader Lahmadi : Connectez-vous pour contacter le contributeur

https://inria.hal.science/hal-01935664

Soumis le : lundi 26 novembre 2018-22:49:29

Dernière modification le : lundi 11 septembre 2023-17:41:19

Archivage à long terme le : mercredi 27 février 2019-15:42:41

Dates et versions

hal-01935664 , version 1 (26-11-2018)

Identifiants

HAL Id : hal-01935664 , version 1

Citer

Giulia de Santis, Abdelkader Lahmadi, Jérôme François, Olivier Festor. Internet-Wide Scanners Classification using Gaussian Mixture and Hidden Markov Models. NTMS 2018 - 9th IFIP International Conference on New Technologies, Mobility and Security, Feb 2018, Paris, France. ⟨hal-01935664⟩

Exporter

BibTeX XML-TEI Dublin Core DC Terms EndNote DataCite

Collections

CNRS INRIA UNIV-LORRAINE INRIA2 TDS-MACS LORIA LORIA-NSS LHS

103 Consultations

249 Téléchargements