Deep Mining Port Scans from Darknet - Archive ouverte HAL Access content directly
Journal Articles International Journal of Network Management Year : 2019

Deep Mining Port Scans from Darknet

(1) , (2) , (3)


TCP/UDP port scanning or sweeping is one of the most common technique used by attackers to discover accessible and potentially vulnerable hosts and applications. Although extracting and distinguishing different port scanning strategies is a challenging task, the identification of dependencies among probed ports is primordial for profiling attacker behaviors, with as a final goal to better mitigate them. In this paper, we propose an approach that allows to track port scanning behavior patterns among multiple probed ports and identify intrinsic properties of observed group of ports. Our method is fully automated based on graph modeling and data mining techniques including text mining. It provides to security analysts and operators relevant information about services that are jointly targeted by attackers. This is helpful to assess the strategy of the attacker, such that understanding the types of applications or environment she targets. We applied our method to data collected through a large Internet telescope (or Darknet).
Fichier principal
Vignette du fichier
deepminingportscans.pdf (575.72 Ko) Télécharger le fichier
Origin : Files produced by the author(s)

Dates and versions

hal-02403715 , version 1 (10-12-2019)



Sofiane Lagraa, Yutian Chen, Jérôme François. Deep Mining Port Scans from Darknet. International Journal of Network Management, 2019, Special Issue: Advanced Security Management, 29 (3), pp.e2065. ⟨10.1002/nem.2065⟩. ⟨hal-02403715⟩
153 View
766 Download



Gmail Facebook Twitter LinkedIn More