Internet-Wide Scanners Classification using Gaussian Mixture and Hidden Markov Models

Abstract : Internet-wide scanners are heavily used for malicious activities. This work models, from the scanned system point of view, spatial and temporal movements of network scanning activities, related to the difference of successive scanned IP addresses and timestamps, respectively. Based on real logs of incoming IP packets collected from a darknet, Hidden Markov Models (HMMs) are used to assess what scanning technique is operating. The proposed methodology, using only one of the aforementioned features of the scanning technique, is able to fingerprint what network scanner originated the perceived darknet traffic.
Complete list of metadatas

Cited literature [17 references]  Display  Hide  Download

https://hal.inria.fr/hal-01935664
Contributor : Abdelkader Lahmadi <>
Submitted on : Monday, November 26, 2018 - 10:49:29 PM
Last modification on : Thursday, February 7, 2019 - 4:57:33 PM
Long-term archiving on : Wednesday, February 27, 2019 - 3:42:41 PM

File

NTMS2018.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-01935664, version 1

Collections

Citation

Giulia de Santis, Abdelkader Lahmadi, Jérôme François, Olivier Festor. Internet-Wide Scanners Classification using Gaussian Mixture and Hidden Markov Models. NTMS 2018 - 9th IFIP International Conference on New Technologies, Mobility and Security, Feb 2018, Paris, France. ⟨hal-01935664⟩

Share

Metrics

Record views

92

Files downloads

58