IMDEA Software

IMDEA initiative

Home > Events > Invited Talks > 2017 > Classifying Internet-wide scanners using Gaussian Mixture and Hidden Markov Models

Giulia De Santis

Tuesday, November 21, 2017

10:45am Meeting room 302 (Mountain View), level 3

Giulia De Santis, PhD Student, INRIA Nancy-Grand Est., France

Classifying Internet-wide scanners using Gaussian Mixture and Hidden Markov Models

Abstract:

Internet-wide scanning techniques and services, like Zmap, Shodan, NMap, Masscan, etc. are heavily used for malicious activities. To enable early identification of advanced threats, this work models scanners from the scanned software system point of view. More in detail, three of the network scanning activities features are modeled: intensity, spatial and temporal movements. Intensity is related to the number of packets received by the scanned system within a given (fixed) window of time. The latter two features are respectively related to the difference of successive scanned IP addresses and timestamps. Based on real logs of incoming IP packets collected from a darknet, hidden Markov models (HMMs) are used to assess what scanning technique is operating. Furthermore, only spatial or temporal movements of the scanning technique can be used to fingerprint, with an accuracy up to 98%, what network scanner originated the perceived darknet traffic.