Skip to Main content Skip to Navigation
Journal articles

Deep Mining Port Scans from Darknet

Abstract : TCP/UDP port scanning or sweeping is one of the most common technique used by attackers to discover accessible and potentially vulnerable hosts and applications. Although extracting and distinguishing different port scanning strategies is a challenging task, the identification of dependencies among probed ports is primordial for profiling attacker behaviors, with as a final goal to better mitigate them. In this paper, we propose an approach that allows to track port scanning behavior patterns among multiple probed ports and identify intrinsic properties of observed group of ports. Our method is fully automated based on graph modeling and data mining techniques including text mining. It provides to security analysts and operators relevant information about services that are jointly targeted by attackers. This is helpful to assess the strategy of the attacker, such that understanding the types of applications or environment she targets. We applied our method to data collected through a large Internet telescope (or Darknet).
Document type :
Journal articles
Complete list of metadata

Cited literature [32 references]  Display  Hide  Download
Contributor : Jérôme François <>
Submitted on : Tuesday, December 10, 2019 - 11:54:35 PM
Last modification on : Monday, November 30, 2020 - 10:26:03 PM
Long-term archiving on: : Wednesday, March 11, 2020 - 9:58:03 PM


Files produced by the author(s)




Sofiane Lagraa, Yutian Chen, Jérôme François. Deep Mining Port Scans from Darknet. International Journal of Network Management, Wiley, 2019, Special Issue: Advanced Security Management, 29 (3), pp.e2065. ⟨10.1002/nem.2065⟩. ⟨hal-02403715⟩