Remote Identification of Port Scan Toolchains

Conference Paper (2016)
Author(s)

Vincent Ghiëtte

Norbert Blenn (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Christian Doerr (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Research Group
Cyber Security
DOI related publication
https://doi.org/10.1109/NTMS.2016.7792471 Final published version
Publication Year
2016
Language
English
Pages (from-to)
1-5
ISBN (electronic)
978-1-5090-2914-3
Downloads counter
353
Collections
Institutional Repository
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Port scans are typically at the beginning of a chain of events that leads to the attack and exploitation of a host over a network. Since building an effective defense relies on information about what kind of threat an organization is facing, threat intelligence outlining an actor's modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the toolchain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing in a particular tool have also specialized in exploiting particular services.

Files

10611102.pdf
(pdf | 0.69 Mb)
License info not available