Remote Identification of Port Scan Toolchains

None, None; None, None; None, None

Remote Identification of Port Scan Toolchains

Conference Paper (2016)

Author(s)

Vincent Ghiëtte

N Blenn (TU Delft - Cyber Security)

C. Dörr (TU Delft - Cyber Security)

Research Group

Cyber Security

Copyright

DOI related publication

https://doi.org/10.1109/NTMS.2016.7792471

Port scan Threat intelligence

To reference this document use:

https://resolver.tudelft.nl/uuid:4abea0f6-4fae-4d57-950b-cd30d51c3c89

More Info

expand_more

Publication Year

2016

Language

English

Copyright

Research Group

Cyber Security

Pages (from-to)

1-5

ISBN (electronic)

978-1-5090-2914-3

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Port scans are typically at the begin of a chain of events that will lead to the attack and exploitation of a host over a network. Since building an effective defense relies on information what kind of threat an organization is facing, threat intelligence outlining an actor’s modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the tool chain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing to use a particular tool have also specialized to exploit particular services.

Files

10611102.pdf

(pdf | 0.69 Mb)

License info not available