Classifying and identifying slow scanners based on their behavior and attributes

How can clustering techniques be applied to classify and identify slow scanners based on their behavior and attributes?


Abstract

In this research, we propose a new method for detecting slow, distributed port scanners by utilizing clustering techniques based on the behavioral characteristics of scan sources. Traditional methods often rely on identifying sources within the same subnet and using frequency-based algorithms; however, our method operates independently of source address correlations. We assign numeric features based on these characteristics to packet sources observed through our network telescope. These features are then processed using a clustering algorithm to identify distributed scans without depending on the origin of source addresses.

Our findings demonstrate the effectiveness of this method in accurately clustering and identifying slow scanners. We verified the results by comparing the detected scan clusters against the expected behavior derived from our simulations. This approach not only reveals complete distributed scans but also offers insight into different scanning strategies employed across the internet.

The implications of our research are significant for network security, enabling early detection and mitigation of potential cyber threats. Our methodology lays a foundation for further research and optimization, offering a valuable tool for both understanding and securing internet infrastructure against scanning techniques.
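The abstract names neither the features nor the clustering algorithm, so the sketch below, an added example that is not taken from the thesis, assumes three per-source features (mean inter-arrival time, distinct destination ports, TCP window size) and a minimal DBSCAN. All packet records and addresses are constructed.

```python
import math
from collections import defaultdict

# Constructed telescope records: (source, time in s, destination port, TCP window).
# Four slow sources in unrelated address blocks share behaviour; two do not.
SCANNERS = ["198.51.100.7", "203.0.113.50", "192.0.2.99", "198.18.4.1"]
PACKETS = [(s, (3600 + 60 * i) * k, 23, 1024)
           for i, s in enumerate(SCANNERS) for k in range(6)]
PACKETS += [("192.0.2.10", 5 * k, 1000 + k, 65535) for k in range(40)]  # fast sweep
PACKETS += [("203.0.113.9", 900 * k, 443, 29200) for k in range(3)]     # sparse noise

def features(packets):
    """Assumed feature set (not the thesis's): one vector per source, no address."""
    by_src = defaultdict(list)
    for src, t, port, win in packets:
        by_src[src].append((t, port, win))
    feats = {}
    for src, rows in by_src.items():
        times = sorted(r[0] for r in rows)
        gaps = [b - a for a, b in zip(times, times[1:])] or [0]
        feats[src] = (
            math.log10(1 + sum(gaps) / len(gaps)),    # mean inter-arrival time
            math.log10(len({r[1] for r in rows})),    # distinct destination ports
            math.log2(max(r[2] for r in rows)),       # TCP window size
        )
    return feats

def cluster(feats, eps=0.5, min_pts=3):
    """Minimal DBSCAN (assumed algorithm); sources left as noise are dropped."""
    near = {s: {o for o in feats if math.dist(feats[s], feats[o]) <= eps}
            for s in feats}
    seen, clusters = set(), []
    for s in feats:
        if s in seen or len(near[s]) < min_pts:
            continue
        group, todo = set(), [s]
        while todo:
            cur = todo.pop()
            if cur in group:
                continue
            group.add(cur)
            if len(near[cur]) >= min_pts:    # only core points expand a cluster
                todo.extend(near[cur] - group)
        seen |= group
        clusters.append(group)
    return clusters

if __name__ == "__main__":
    print([sorted(g) for g in cluster(features(PACKETS))])
```

The four hourly probers end up in one cluster although they share no subnet, while the fast sweep and the sparse source are left as noise.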

Files

Scanner_Clustering.pdf
(pdf | 11.8 Mb)
Unknown license