Scanners: Discovery of distributed slow scanners in telescope data


Abstract

The internet is rapidly growing, and with it grows the number of malicious actors. For many attacks, the attacker first scans the internet to detect vulnerable devices. In order to evade detection, the attacker distributes the scanning over a large number of machines. Because the scanning is distributed and there is currently no way to attribute the individual scanners to each other, we have no knowledge of which groups are actually scanning the internet or what they are up to. This thesis proposes a method to identify and fingerprint these distributed scanning groups. It does so in order to detect and analyze slow scanning groups that are actively trying to remain undetected by companies. The data used for this thesis originates from a large network telescope operated by the TU Delft, which contains packet data aimed at the TU Delft network range. First, this data is analyzed in detail and several patterns are discovered. Using the analysis, a method is created to cluster the dataset without losing the critical information needed to identify scanning groups. After the clustering, the resulting smaller datasets are analyzed in more detail. To do this post-processing, a new method of analyzing scanning behavior is created. This method is called XOR-analysis and works by looking at the different patterns that scanners use to re-identify their own packets. From the analysis, groups are extracted and fingerprinted. These fingerprints can ultimately be used as Indicators of Compromise to detect and mitigate scanning behavior, in order to deny adversaries the possibility to learn about weaknesses of a system.
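The abstract describes XOR-analysis only at a high level: scanners stamp each probe with something that lets them recognize the reply, and that stamp betrays which sources belong to the same group. The following is an added illustration of one plausible form of that idea, written for this page and not taken from the thesis. It assumes a scanner encodes a per-group constant into a header field as `field = constant XOR f(destination IP)`, so that XORing the field back with the destination recovers the same constant for every packet of that group. The record layout, the two candidate transforms and all sample values are constructed for the example; the telescope dataset and the thesis's actual transforms are not reproduced here.

```python
"""Toy XOR-analysis over constructed network-telescope records (added example,
not the thesis's code).

Assumption made here: a distributed scanner re-identifies its own probes by
storing `constant XOR f(dst_ip)` in a header field.  Sources that share the
same (field, constant) pair are then clustered into one scanning group, which
yields a fingerprint usable as an Indicator of Compromise.
"""
from collections import defaultdict
from ipaddress import IPv4Address


def ip_u32(ip: str) -> int:
    """Dotted-quad IPv4 address to its 32-bit integer value."""
    return int(IPv4Address(ip))


# Helpers used only to build the constructed sample below.
def _stamp_ip_id(dst: str, secret16: int) -> int:   # group A encoding (assumed)
    return secret16 ^ (ip_u32(dst) & 0xFFFF)


def _stamp_seq(dst: str, secret32: int) -> int:     # group B encoding (assumed)
    return secret32 ^ ip_u32(dst)


# Constructed telescope-style records: (src_ip, dst_ip, ip_id, tcp_seq),
# one row per unsolicited SYN seen by the telescope.
SAMPLE_RECORDS = [
    # group A: three sources sharing the 16-bit constant 0x5a5a in the IP ID
    ("203.0.113.5",   "192.0.2.10",  _stamp_ip_id("192.0.2.10",  0x5a5a), 0x01234567),
    ("203.0.113.5",   "192.0.2.77",  _stamp_ip_id("192.0.2.77",  0x5a5a), 0x89abcdef),
    ("198.51.100.9",  "192.0.2.11",  _stamp_ip_id("192.0.2.11",  0x5a5a), 0x0badf00d),
    ("198.51.100.9",  "192.0.2.200", _stamp_ip_id("192.0.2.200", 0x5a5a), 0x13579bdf),
    ("203.0.113.99",  "192.0.2.3",   _stamp_ip_id("192.0.2.3",   0x5a5a), 0x2468ace0),
    ("203.0.113.99",  "192.0.2.4",   _stamp_ip_id("192.0.2.4",   0x5a5a), 0x0f0f0f0f),
    # group B: two sources sharing a 32-bit constant in the TCP sequence number
    ("198.51.100.40", "192.0.2.20", 0x0001, _stamp_seq("192.0.2.20", 0xdeadbeef)),
    ("198.51.100.40", "192.0.2.21", 0x0002, _stamp_seq("192.0.2.21", 0xdeadbeef)),
    ("198.51.100.41", "192.0.2.22", 0x0003, _stamp_seq("192.0.2.22", 0xdeadbeef)),
    ("198.51.100.41", "192.0.2.23", 0x0004, _stamp_seq("192.0.2.23", 0xdeadbeef)),
    # noise: a source whose fields carry no destination-derived constant
    ("192.0.2.250", "192.0.2.30", 0x1111, 0x22222222),
    ("192.0.2.250", "192.0.2.31", 0x3333, 0x44444444),
]

# Candidate "undo the stamp" transforms.  Each maps a record to the value that
# would be constant if the scanner used that particular encoding.
TRANSFORMS = {
    "ip_id ^ dst[15:0]": lambda r: r[2] ^ (ip_u32(r[1]) & 0xFFFF),
    "seq ^ dst[31:0]":   lambda r: r[3] ^ ip_u32(r[1]),
}


def fingerprint_sources(records, min_packets=2):
    """Return {src_ip: (transform_name, constant)} for every source whose
    packets all yield one and the same constant under some transform.
    Sources with fewer than `min_packets` packets are skipped, since a single
    packet is trivially constant under every transform."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[0]].append(rec)
    fingerprints = {}
    for src, recs in by_src.items():
        if len(recs) < min_packets:
            continue
        for name, fn in TRANSFORMS.items():
            values = {fn(r) for r in recs}
            if len(values) == 1:          # every packet recovers the same constant
                fingerprints[src] = (name, values.pop())
                break
    return fingerprints


def cluster_groups(fingerprints, min_sources=2):
    """Group sources by identical fingerprint; a fingerprint shared by at least
    `min_sources` distinct sources is a candidate distributed scanning group."""
    groups = defaultdict(set)
    for src, fp in fingerprints.items():
        groups[fp].add(src)
    return {fp: sorted(srcs) for fp, srcs in groups.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    fps = fingerprint_sources(SAMPLE_RECORDS)
    for fp, members in cluster_groups(fps).items():
        print(f"group fingerprint {fp[0]} = {fp[1]:#x}: {members}")
```

On this sample the noise source gets no fingerprint, and the two constructed groups fall out as two clusters keyed by (field, constant). A real telescope run would replace the two hand-picked transforms with whatever field combinations the data analysis turns up, and raise `min_packets` so that coincidental constants over a handful of packets do not produce false groups.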
