Identifying and tracking suspicious activities through IP gray space analysis
Proceedings of the 3rd annual ACM workshop on Mining network data
In this paper, we study the scanning activities towards a large campus network using a month-long netflow traffic trace. Based on the novel notion of "gray" IP space (namely, the collection of IP addresses within our campus network that are not assigned to any "active" host during a certain period of time), we identify and extract potential outside scanners and their associated activities. We then apply data mining and machine learning techniques to analyze the scanning patterns of these scanners and classify them into a few groups (e.g., focused hitters, random address scanners, and blockwise scanners). The goal is to infer the scanning strategies of the scanners so as to provide some assessment of the potential harmfulness of these scanning activities: for example, whether the observed scanning activities are simply part of the background radiation of global random scanning or more focused scanning targeted at our campus network. This is ongoing work; we report some preliminary, yet promising results obtained so far.
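The gray-space idea from the abstract can be sketched over flow records as follows. This is an added example, not code from the paper. It assumes that a campus address counts as "active" if it originated at least one flow in the window (the abstract does not define the term); the prefix, the flow tuples, and the `min_gray` threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: one observation window of (src, dst, dst_port) flows.
CAMPUS = ipaddress.ip_network("10.20.0.0/28")  # hypothetical campus prefix
FLOWS = [
    ("10.20.0.2", "198.51.100.7", 443),    # campus host sends traffic: active
    ("10.20.0.5", "198.51.100.9", 53),     # campus host sends traffic: active
    ("198.51.100.7", "10.20.0.2", 51000),  # reply to an active host
    ("203.0.113.10", "10.20.0.1", 445),    # outside source walking the prefix
    ("203.0.113.10", "10.20.0.3", 445),
    ("203.0.113.10", "10.20.0.4", 445),
    ("203.0.113.10", "10.20.0.5", 445),    # lands on an active host, not gray
    ("192.0.2.44", "10.20.0.9", 22),       # single stray hit on gray space
]

def gray_space(flows, campus):
    """Campus addresses with no outbound flow in the window.

    Assumption: 'active' means the address appeared as a flow source.
    """
    active = set()
    for src, _dst, _port in flows:
        addr = ipaddress.ip_address(src)
        if addr in campus:
            active.add(addr)
    return set(campus.hosts()) - active

def suspected_scanners(flows, campus, min_gray=3):
    """Map each outside source to the gray addresses it touched.

    Only sources reaching at least min_gray distinct gray addresses are
    returned; min_gray is a hypothetical cutoff, not a value from the paper.
    """
    gray = gray_space(flows, campus)
    touched = defaultdict(set)
    for src, dst, _port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in campus and d in gray:
            touched[src].add(d)
    return {
        src: [str(d) for d in sorted(dsts)]
        for src, dsts in touched.items()
        if len(dsts) >= min_gray
    }

if __name__ == "__main__":
    for src, dsts in suspected_scanners(FLOWS, CAMPUS).items():
        print(src, "touched gray addresses:", ", ".join(dsts))
```

The per-source sets of gray destinations are the raw material a later classification step would work on; the grouping into focused hitters, random address scanners, and blockwise scanners is not reproduced here because the abstract does not give its criteria.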