NII Technical Report (NII-2016-008E): Profiling Internet Scanners: Spatial and Temporal Structures

Author: Mazel, Johan; Fontugne, Romain; Fukuda, Kensuke
Language: English
Year of publication: 2016
Subject:
Source: NIIテクニカル・レポート.
ISSN: 1346-5597
Description: A great deal of effort has been dedicated to the study of network scanning. Nonetheless, previous studies focused on simple characteristics such as the number of scanning IPs (also called scanners) or targets, but usually neglected scanner behavior. We analyze 15 years of backbone traffic and propose a method for profiling scanning IPs. Our analysis first details evolution of targeted services, mass-scanning tool usage and scanning pattern. Then, we propose a new method to classify scanning IPs’ spatial and temporal structure into three profiles that reveal vastly different intent. In particular, we find that 33% of scanners repeatedly target the same set of hosts. If unsolicited, this behavior provides an early warning to administrators regarding the malicious intent of scanners. Finally, we study publicly documented scanners’ activities and show that security research-related scanning IPs behave differently than non-documented scanners. We also show that only 39% of scanning entities follow online documentation best practices.
Database: OpenAIRE