Internet-Wide Scanner Fingerprint Identifier Based on TCP/IP Header
Akira Tanaka, Chansu Han, Takeshi Takahashi, K. Fujisawa
2021 Sixth International Conference on Fog and Mobile Edge Computing (FMEC), published 2021-12-06
DOI: 10.1109/FMEC54266.2021.9732414 (https://doi.org/10.1109/FMEC54266.2021.9732414)
Citations: 6
Abstract
Identifying individual scan activities is crucial, and challenging, for mitigating emerging cyber threats and for gaining insight into security scans. Sophisticated adversaries distribute their scans over multiple hosts and operate stealthily, so low-rate scans hide beneath other benign traffic. Previous studies attempted to discover such stealth scans by observing the distribution of ports and hosts, but well-organized scans remain difficult to find. However, a scanner can embed a fingerprint into packet header fields to distinguish its own scan traffic from other traffic. In this study, we propose a new algorithm, inspired by genetic algorithms, that identifies such flexible fingerprints. To the best of our knowledge, this is the first such attempt. Through numerical experiments on darknet traffic we identified previously unknown fingerprints beyond the already known ones. We analyzed the matching packets and discovered distinctive scan activities. Further, we collated the results with both cyber threat intelligence and investigation/large-scale scanner lists to ascertain the reliability of our model.
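The abstract's premise is that a scanner marks its own probes by fixing a header field, or a relation between header fields, that ordinary traffic does not satisfy. The added example below is not the paper's genetic-algorithm search; it is a small, hand-written checker that parses raw IPv4/TCP SYN packets and tests three publicly documented fingerprints of this kind: ZMap's constant IP identification value 54321, masscan's IP ID equal to the low 16 bits of (destination IP XOR destination port XOR TCP sequence number), and Mirai's TCP sequence number equal to the destination IPv4 address. The packets are constructed inline for the example; the function and label names are the example's own.

```python
"""Check raw IPv4/TCP packets for scanner fingerprints embedded in header fields.

Added example, not the paper's algorithm: it hard-codes three publicly
documented fingerprints to show what a header-field fingerprint looks like.
All packets are constructed inline for the example.
"""
import struct

ZMAP_IP_ID = 54321  # ZMap sets the IPv4 identification field to this constant


def ip_to_int(dotted):
    """'198.51.100.7' -> 32-bit integer (network byte order)."""
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def build_syn(src_ip, dst_ip, src_port, dst_port, ip_id, seq):
    """Build a minimal 40-byte IPv4 + TCP SYN with the given header values.

    The checksums are left at zero; they are irrelevant to the fingerprint test.
    """
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20 bytes)
        0,               # DSCP/ECN
        40,              # total length: 20-byte IP + 20-byte TCP
        ip_id,           # identification: one common fingerprint carrier
        0,               # flags/fragment offset
        64,              # TTL
        6,               # protocol TCP
        0,               # header checksum (not computed here)
        ip_to_int(src_ip).to_bytes(4, "big"),
        ip_to_int(dst_ip).to_bytes(4, "big"),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,
        seq,             # sequence number: the other common fingerprint carrier
        0,               # acknowledgement number
        5 << 4,          # data offset 5 words, no options
        0x02,            # flags: SYN
        1024, 0, 0,      # window, checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr


def parse_syn(pkt):
    """Extract the header fields a fingerprint check needs from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    (ip_id,) = struct.unpack("!H", pkt[4:6])
    src_ip, dst_ip = struct.unpack("!II", pkt[12:20])
    src_port, dst_port, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    return {"ip_id": ip_id, "src_ip": src_ip, "dst_ip": dst_ip,
            "src_port": src_port, "dst_port": dst_port, "seq": seq}


def masscan_ip_id(dst_ip, dst_port, seq):
    """IP ID value masscan derives from the target and its sequence number."""
    return (dst_ip ^ dst_port ^ seq) & 0xFFFF


def fingerprint(fields):
    """Return the scanner label whose fingerprint the header fields satisfy, else None.

    Strongest (32-bit) relation is tested first; the two 16-bit rules each match
    a random packet with probability about 1/65536, so on darknet volumes they
    need corroboration (e.g. threat intelligence, as the paper does).
    """
    if fields["seq"] == fields["dst_ip"]:
        return "mirai"
    if fields["ip_id"] == masscan_ip_id(fields["dst_ip"], fields["dst_port"], fields["seq"]):
        return "masscan"
    if fields["ip_id"] == ZMAP_IP_ID:
        return "zmap"
    return None


def classify_packets(packets):
    """Map each raw packet to its fingerprint label (or None)."""
    return [fingerprint(parse_syn(p)) for p in packets]


if __name__ == "__main__":
    dst = "198.51.100.7"  # constructed darknet address
    samples = [
        build_syn("203.0.113.5", dst, 40000, 443, ZMAP_IP_ID, 0xABCDEF01),
        build_syn("203.0.113.6", dst, 40001, 443,
                  masscan_ip_id(ip_to_int(dst), 443, 0x12345678), 0x12345678),
        build_syn("203.0.113.7", dst, 40002, 23, 7777, ip_to_int(dst)),
        build_syn("203.0.113.8", dst, 40003, 443, 1, 1000),  # no fingerprint
    ]
    for label in classify_packets(samples):
        print(label)
```

The three rules are the static, known fingerprints the paper says earlier work relied on; the paper's contribution is searching the header-field space for relations like these without knowing them in advance. Note the false-positive arithmetic in the docstring: a 16-bit equality alone is weak evidence on a large darknet feed, which is why matches are cross-checked against scanner lists and threat intelligence.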