Description: |
A great deal of effort has been dedicated to the study of network scanning. Nonetheless, previous studies focused on simple characteristics such as the number of scanning IPs (also called scanners) or targets, but usually neglected scanner behavior. We analyze 15 years of backbone traffic and propose a method for profiling scanning IPs. Our analysis first details the evolution of targeted services, mass-scanning tool usage and scanning patterns. Then, we propose a new method to classify scanning IPs’ spatial and temporal structure into three profiles that reveal vastly different intent. In particular, we find that 33% of scanners repeatedly target the same set of hosts. If unsolicited, this behavior provides an early warning to administrators regarding the malicious intent of scanners. Finally, we study publicly documented scanners’ activities and show that security research-related scanning IPs behave differently than non-documented scanners. We also show that only 39% of scanning entities follow online documentation best practices. |