Michael Patrick Collins, Alefiya Hussain, S. Schwab
Identifying and Differentiating Acknowledged Scanners in Network Traffic
2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), published 2023-07-01
DOI: 10.1109/EuroSPW59978.2023.00069 (https://doi.org/10.1109/EuroSPW59978.2023.00069)
Citation count: 0
Abstract
Acknowledged scanners are Internet scanners which engage with the community as a whole, at the minimum through a public website. These scanners may provide a service, whether as an educational institution, corporation, nonprofit or other organization, and may engage in good-citizen behaviors such as maintaining opt-out lists and publishing their sources. In this paper, we describe the behavior and population of acknowledged scanners and demonstrate the difference between acknowledged scanners and other (unacknowledged) scanners. We quantitatively show that acknowledged scanners scan from a limited set of addresses, scan predictably, and, most importantly, that the ports (and assumed vulnerabilities) they scan for differ significantly from the targets of unacknowledged scanners. Failing to differentiate acknowledged and unacknowledged scanners impacts both research and operations, calling into question research results categorizing scanners and overloading operators with false positives. We show the differences between these two scanner classes based on a 30-day sample of darkspace data collected from the USC-ISI network that can be widely shared. We have also maintained an open-access acknowledged scanner repository, a whitelist of 40+ acknowledged scanner entities and their IP addresses, for the last three years. These acknowledged scanners are researchers, internet public health organizations, and threat intelligence companies. More than 12 unique security organizations track the whitelist to include it in their threat assessments.