Iteratively Detecting Collaborative Scanner Fingerprints

An Iterative Approach to Identifying Fingerprints using Stratified Sampling

Bachelor Thesis (2024)
Author(s)

J. Jongsma (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

H.J. Griffioen – Mentor (TU Delft - Cyber Security)

Georgios Smaragdakis – Mentor (TU Delft - Cyber Security)

Kubilay Atasu – Graduation committee member (TU Delft - Data-Intensive Systems)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2024
Language
English
Graduation Date
27-06-2024
Awarding Institution
Delft University of Technology
Project
CSE3000 Research Project
Programme
Computer Science and Engineering
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

The first step of many cyber attacks is the reconnaissance phase. One of many reconnaissance methods employed by adversaries is internet-wide scanning, which probes the entire internet to find which hosts have open ports. These scans are practically impossible for a firewall or Intrusion Detection System to detect if an attacker chooses to distribute their scan across multiple hosts. Many of these scans embed a fingerprint in their packets, which is easy to detect once the fingerprint is known. Previous studies have developed an algorithm that is able to identify these fingerprints, but they were not able to identify fingerprints for a large portion of their data. This study proposes an iterative approach using stratified sampling, in order to see how this affects accuracy. An experiment showed the algorithm is able to identify fingerprints for sets of packets that make up less than 0.5% of all packets, and less than 0.0001% of sources. Analysis of the fingerprinted groups indicated that these groups are not part of a collaborative scanner, but match the same fingerprint by coincidence.
