Abnormal Behavior-Based Detection of Shodan and Censys-Like Scanning

Seungwoon Lee, Seung-Hun Shin, B. Roh
DOI: 10.1109/ICUFN.2017.7993960 (https://doi.org/10.1109/ICUFN.2017.7993960)
Published in: 2017 Ninth International Conference on Ubiquitous and Future Networks (ICUFN), 2017-07-04
Citations: 19

Abstract

Shodan and Censys, also known as IP device search engines, build searchable databases of Internet-connected devices and networks. Although these tools are useful for security, they can also expose vulnerable devices to malicious users. A fundamental way to prevent the disclosure of one's own IP devices on these search engines is to block access from their scanners, which requires understanding their scanning mechanism. We therefore propose an abnormal-behavior-based scan detection method for Shodan and Censys. Several traditional scan detection approaches are combined and applied to match the way these scanners operate. The proposed idea is to monitor packets, decide whether each one is abnormal, and add its source to a suspicious list if it is; this follows traditional threshold approaches. To decide whether a packet is abnormal, stateful TCP packet inspection is used: the response behavior during the connection is identified from the TCP flags, and abnormal behavior is classified as SYN Scan, Banner Grabbing, or Combined SYN and Banner Grabbing. The demonstration is simulated in a Censys-like environment, and the variation in detection time with the number of distributed detectors and with the threshold value is analyzed.
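The following is an added example, written for this page and not code from the paper, of the detection scheme the abstract outlines: a stateful TCP tracker that follows each flow's handshake from the flag bits, classifies a finished flow as a SYN scan (never established), a banner grab (established, server sent data, client sent little and hung up) or normal, and keeps a per-source event count that places the source on a suspicious list once a threshold is crossed. The `Packet` record, the flow-state rules, the `max_probe_bytes` bound, the addresses and the packet trace are all assumptions constructed for the example; the paper's exact heuristics are not reproduced.

```python
"""Stateful TCP scan classifier with a threshold-based suspicious list (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    ts: int          # milliseconds; integers keep the constructed trace deterministic
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: int = 0  # TCP payload length in bytes


@dataclass
class Flow:
    """Per-connection state, keyed on the side that sent the first SYN (the client)."""
    syn_acked: bool = False     # server answered SYN-ACK (port open)
    established: bool = False   # client completed the handshake with its ACK
    client_bytes: int = 0
    server_bytes: int = 0


LABELS = {  # the three abnormal classes named in the abstract
    frozenset({"syn_scan"}): "SYN Scan",
    frozenset({"banner_grab"}): "Banner Grabbing",
    frozenset({"syn_scan", "banner_grab"}): "Combined SYN and Banner Grabbing",
}


class ScanDetector:
    def __init__(self, threshold: int = 5, max_probe_bytes: int = 128):
        self.threshold = threshold              # abnormal flows per source before listing
        self.max_probe_bytes = max_probe_bytes  # assumed upper bound on a banner-grab request
        self.flows: Dict[Tuple[str, str, int, int], Flow] = {}
        self.events: Dict[str, List[Tuple[int, str]]] = defaultdict(list)  # src -> (ms, kind)
        self.suspicious: Dict[str, Tuple[int, str]] = {}                   # src -> (ms, label)

    def feed(self, pkt: Packet) -> Optional[str]:
        """Consume one packet; return a label when it pushes its source over the threshold."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rkey = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.flows.setdefault(key, Flow())  # client opens a flow; retransmits are ignored
            return None
        if key in self.flows:
            flow, from_client = self.flows[key], True
        elif rkey in self.flows:
            flow, from_client, key = self.flows[rkey], False, rkey
        else:
            return None                         # no SYN seen: outside the state machine
        if from_client:
            if flow.syn_acked and pkt.flags & ACK and not pkt.flags & RST:
                flow.established = True
            flow.client_bytes += pkt.payload
        else:
            if pkt.flags & SYN and pkt.flags & ACK:
                flow.syn_acked = True
            flow.server_bytes += pkt.payload
        if not pkt.flags & (FIN | RST):
            return None
        del self.flows[key]                     # connection is over: classify it
        kind = self._classify(flow, from_client)
        if kind == "normal":
            return None
        client = key[0]
        self.events[client].append((pkt.ts, kind))
        if client not in self.suspicious and len(self.events[client]) >= self.threshold:
            label = LABELS[frozenset(k for _, k in self.events[client])]
            self.suspicious[client] = (pkt.ts, label)
            return label
        return None

    def _classify(self, flow: Flow, closed_by_client: bool) -> str:
        if not flow.established:
            return "syn_scan"     # probe that never became a connection (half-open or refused)
        if closed_by_client and flow.server_bytes > 0 and flow.client_bytes <= self.max_probe_bytes:
            return "banner_grab"  # handshake done, banner read, little or nothing sent, hung up
        return "normal"


def detection_time(packets: List[Packet], threshold: int) -> Dict[str, Tuple[int, str]]:
    """Replay a trace under one threshold; map each listed source to (detection ms, label)."""
    det = ScanDetector(threshold=threshold)
    for pkt in sorted(packets, key=lambda p: p.ts):
        det.feed(pkt)
    return dict(det.suspicious)


SCANNER, VICTIM, USER = "198.51.100.7", "10.0.0.5", "192.0.2.10"  # constructed addresses


def _flow_packets(t: int, client: str, server: str, port: int, sport: int, kind: str) -> List[Packet]:
    """Synthesize one flow of the given kind (constructed sample data, not a real capture)."""
    def c2s(dt: int, fl: int, pl: int = 0) -> Packet:
        return Packet(t + dt, client, server, sport, port, fl, pl)

    def s2c(dt: int, fl: int, pl: int = 0) -> Packet:
        return Packet(t + dt, server, client, port, sport, fl, pl)
    return {
        "syn_open": [c2s(0, SYN), s2c(10, SYN | ACK), c2s(20, RST)],
        "syn_closed": [c2s(0, SYN), s2c(10, RST | ACK)],
        "banner": [c2s(0, SYN), s2c(10, SYN | ACK), c2s(20, ACK), s2c(50, PSH | ACK, 42), c2s(60, FIN | ACK)],
        "normal": [c2s(0, SYN), s2c(10, SYN | ACK), c2s(20, ACK), c2s(30, PSH | ACK, 300),
                   s2c(80, PSH | ACK, 1200), c2s(100, FIN | ACK), s2c(110, FIN | ACK)],
    }[kind]


def sample_trace() -> List[Packet]:
    """One scanner walking six ports on a host, plus an ordinary user session in the mix."""
    probes = [(22, "syn_open"), (21, "syn_closed"), (80, "banner"),
              (443, "syn_open"), (25, "banner"), (8080, "syn_closed")]
    pkts = [p for i, (port, kind) in enumerate(probes)
            for p in _flow_packets(i * 1000, SCANNER, VICTIM, port, 40000 + i, kind)]
    return pkts + _flow_packets(2500, USER, VICTIM, 80, 51000, "normal")


if __name__ == "__main__":
    for thr in (2, 3, 5, 7):  # lower threshold: earlier detection, but fewer kinds seen yet
        print(thr, detection_time(sample_trace(), thr))
```

Sweeping the threshold shows the trade-off the abstract's experiment measures: with a threshold of 2 the scanner is listed after the second probe but only as a SYN Scan, with 3 or 5 it is listed later but as Combined SYN and Banner Grabbing once a banner grab has been seen, and with 7 it is never listed because only six abnormal flows occurred. The ordinary user's session, which sends a 300-byte request, is classified normal and never appears on the list.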