Title: Remote Identification of Port Scan Toolchains

Author: Ghiëtte, Vincent; Blenn, N. (TU Delft Cyber Security); Dörr, C. (TU Delft Cyber Security)

Contributor: Badra, Mohamad (editor); Pau, Giovanni (editor); Vassiliou, Vasos (editor)

Date: 2016

Abstract: Port scans are typically at the beginning of a chain of events that will lead to the attack and exploitation of a host over a network. Since building an effective defense relies on information about what kind of threat an organization is facing, threat intelligence outlining an actor’s modus operandi is a critical ingredient for network security. In this paper, we describe characteristic patterns in port scan packets that can be used to identify the tool chain used by an adversary. In an empirical analysis of scan traffic received by two /16 networks, we find that common open source port scan tools are adopted differently by communities across the globe, and that groups specializing in the use of a particular tool have also specialized in exploiting particular services.

Subject: threat intelligence; port scan

To reference this document use: http://resolver.tudelft.nl/uuid:4abea0f6-4fae-4d57-950b-cd30d51c3c89

DOI: https://doi.org/10.1109/NTMS.2016.7792471

Publisher: IEEE, Piscataway, NJ

ISBN: 978-1-5090-2914-3

Source: IFIP International Conference on New Technologies, Mobility and Security

Bibliographical note: Accepted Author Manuscript

Part of collection: Institutional Repository

Document type: conference paper

Rights: © 2016 Vincent Ghiëtte, N. Blenn, C. Dörr

Files: PDF, 10611102.pdf, 706.67 KB