Detecting Collaborative ZMap Scans
Detection of distributed ZMap scans in network telescope data using an algorithmic approach
M.F. Açıkkollu (TU Delft - Electrical Engineering, Mathematics and Computer Science)
H.J. Griffioen – Mentor (TU Delft - Cyber Security)
G. Smaragdakis – Mentor (TU Delft - Cyber Security)
Kubilay Atasu – Graduation committee member (TU Delft - Data-Intensive Systems)
Abstract
Detecting distributed scans is crucial for understanding network security threats. This research uses an algorithmic approach to identify collaborative ZMap scanning activities in the network telescope data from TU Delft. ZMap is a high-speed network scanner capable of scanning the entire IPv4 address space. The main research question centers on creating an algorithm for detecting these distributed scans. The research method includes analyzing network telescope data, examining ZMap packets and modifying the set cover algorithm to detect collaborative ZMap scans. Key contributions include adapting the set cover algorithm to find sources that perfectly cover the entire destination address range without overlaps, which is a unique feature of ZMap scans. Results indicate that this method effectively identifies coordinated scanning activities. It is concluded that utilizing network telescope data and an adapted version of the greedy set cover algorithm significantly improves the detection of distributed scanning operations using ZMap.
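The no-overlap property the abstract relies on can be turned into a small detector. The following is an added illustration, not code from the thesis: it builds per-source target sets from constructed telescope packets and runs a set-cover search that only accepts pairwise-disjoint sets whose union is exactly the telescope range. Candidates are tried largest-first, as in the greedy algorithm, but with backtracking added here so that a valid group is found whenever one exists; the addresses, source IPs and `min_sources` threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample telescope data: a /28 dark range (16 addresses). Sources
# 198.51.100.1-3 together hit every address exactly once (the no-overlap signature
# of one ZMap scan sharded across hosts); 203.0.113.7 and .9 are unrelated scanners
# whose targets overlap that group and so can never be part of a perfect cover.
TELESCOPE = ipaddress.ip_network("192.0.2.0/28")
PACKETS = (
    [("198.51.100.1", f"192.0.2.{i}") for i in (0, 3, 6, 9, 12, 15)]
    + [("198.51.100.2", f"192.0.2.{i}") for i in (1, 4, 7, 10, 13)]
    + [("198.51.100.3", f"192.0.2.{i}") for i in (2, 5, 8, 11, 14)]
    + [("203.0.113.7", f"192.0.2.{i}") for i in range(8)]
    + [("203.0.113.9", f"192.0.2.{i}") for i in (8, 9)]
)

def targets_by_source(packets, telescope):
    """Map each source IP to the set of telescope addresses it probed."""
    targets = defaultdict(set)
    for src, dst in packets:
        if ipaddress.ip_address(dst) in telescope:
            targets[src].add(dst)
    return dict(targets)

def find_partition_cover(targets, universe, min_sources=2):
    """Set cover with a disjointness constraint: choose sources whose target
    sets are pairwise disjoint and whose union is exactly `universe`.
    Candidates are tried largest-first (greedy order) with backtracking, so a
    valid group is found whenever one exists. Returns the sorted group or None."""
    def search(uncovered, chosen):
        if not uncovered:
            return chosen if len(chosen) >= min_sources else None
        fits = sorted((s for s, t in targets.items()
                       if s not in chosen and t <= uncovered),
                      key=lambda s: -len(targets[s]))
        for src in fits:
            found = search(uncovered - targets[src], chosen + [src])
            if found:
                return found
        return None
    result = search(frozenset(universe), [])
    return sorted(result) if result else None

def detect_collaborative_scan(packets=PACKETS, telescope=TELESCOPE):
    """Return the sources forming a perfect, overlap-free cover of the telescope."""
    return find_partition_cover(targets_by_source(packets, telescope),
                                {str(a) for a in telescope})
```

Removing any one member of the group leaves a hole in the range, so the detector reports no collaborative scan; the overlapping decoy scanners are never selected.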