Detecting Collaborative Scanners Using Clustering Methods
A. Ionescu (TU Delft - Electrical Engineering, Mathematics and Computer Science)
H.J. Griffioen – Mentor (TU Delft - Cyber Security)
G. Smaragdakis – Mentor (TU Delft - Cyber Security)
Kubilay Atasu – Graduation committee member (TU Delft - Data-Intensive Systems)
More Info
expand_more
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
This paper investigates the effectiveness of various clustering algorithms in detecting collaborative Internet scanning groups. The packet dataset used is collected from TU Delft's network telescope, and is aggregated into scanning sessions and analyzed using K-Means, Hierarchical Clustering, Density-Based Spatial Clustering of Applications with Noise (DBSCAN), Clustering Using Representatives (CURE), and Bradley-Fayyad-Reina (BFR). This paper also introduces an evaluation framework based on five degrees of certainty to assess the likelihood that a cluster is collaboratively scanning. The findings indicate that DBSCAN consistently outperforms other methods in identifying collaborative scanning groups, while CURE shows superior performance to BFR, K-Means, and Hierarchical Clustering. It is hoped that these insights help provide a strong foundation for enhancing network security through improved detection of collaborative scanning behaviors.