Remote Identification of Port Scan Toolchains

Conference paper (2016)

Authors

Vincent Ghiëtte

N. Blenn Cyber Security -

C. Dörr Cyber Security -

Research Group

Cyber Security () (TU Delft)

DOI

https://doi.org/10.1109/NTMS.2016.7792471

Port scan Threat intelligence

More Info

expand_more

To reference this document use:

http://resolver.tudelft.nl/uuid:4abea0f6-4fae-4d57-950b-cd30d51c3c89

Published Date

2016

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Electrical Engineering, Mathematics and Computer Science

Department

Intelligent Systems

Research Group

Cyber Security

Abstract

Port scans are typically at the begin of a chain of events that will lead to the attack and exploitation of a host over a network. Since building an effective defense relies on information what kind of threat an organization is facing, threat intelligence outlining an actor’s modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the tool chain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing to use a particular tool have also specialized to exploit particular services.

Files

10611102.pdf

(.pdf | 0.69 Mb)