Classifying scanners

Abstract

This thesis focuses on the classification of behavioural aspects of scanners based on unroutable traffic collected from two /16 subnets. Firstly the study determines that the use of a smaller dataset achieves similar results and allows for the same correctness compared to larger ones. Secondly different scanning tools are analysed, and methods for their fingerprinting are explained. The implementation of detection methods reveals the usage of particular tools and the the existence of previously unknown software. Analysing these previously unknown tools shows that there is a difference in levels of sophistication of the tools used by scanners. Following, this thesis confirms the existence of the horizontal, vertical and strobe scanner classes, it also describes a new method in which a destination port and address are only scanned once. In addition a method to identify individual scans from traffic captures for further analysis is presented and evaluated. This method is then used to reveal similarities between scans from one address but also confirming collaboration between multiple addresses. Finally the behaviour of scanners is compared showing cyclic behaviours are common amongst single and multi host scanners.