Detection of intranet scanning traffic and tool detection based on multi-feature fusion
Authors: Yan Cao, Xuanren Qu, Yu Wang, Tianrui Li, Jiabin Li
Journal: Journal of Information Security and Applications, volume 90, Article 104051
Published: 2025-04-04 (journal article; JCR Q2, Computer Science, Information Systems)
DOI: 10.1016/j.jisa.2025.104051
URL: https://www.sciencedirect.com/science/article/pii/S2214212625000882
Citations: 0
Abstract
Network port scanning is a crucial information gathering technique that precedes various types of cyberattacks, and it poses a primary challenge in the network defense process. Detecting port scanning traffic and identifying the types of scanning tools used can help security personnel discover unknown scanning activities, understand the attackers’ intentions, and implement targeted defenses. This paper proposes a multi-feature fusion-based scanning tool identification method, MUST, to address this challenge. First, the core data packets within each network session are extracted and transformed into Traffic Graphs (TGs). These TGs represent the communication behavior of the sessions through their shape and color characteristics. Then, the sliding window and window attention mechanisms of the Swin Transformer model are employed to extract Traffic Graph Features (TGFs) from the TGs. MUST leverages a deep fusion of the typical statistical features of the session traffic and the TGFs to detect intranet scanning traffic and accurately identify the scanning tool types. Comparative evaluations show that the multi-feature fusion approach of MUST effectively distinguishes different scanning tool traffic and achieves superior detection accuracy across various scenarios. Moreover, MUST demonstrates robust detection performance for unknown scanning activities, with accuracy and recall rates exceeding 0.97 on the CICIDS2017 and InSDN datasets.
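The abstract names two inputs that MUST fuses: per-session statistical features and a per-session image built from the session's core packets. The following is an added illustration, not the authors' code: it groups a constructed packet capture into TCP sessions, computes the kind of statistical features a flow-based scan detector uses (SYN-only fraction, forward/backward ratio, handshake completion), renders each session as a fixed-length grid of (direction, size bucket, flag class) cells, and flags sources whose sessions all stay half-open across many ports. The grid encoding is an assumption standing in for the paper's shape/colour Traffic Graphs, whose exact construction the abstract does not specify; the capture, addresses and thresholds are constructed for the example.

```python
"""Session statistics plus a toy packet-grid rendering for intranet scan
detection.  Added illustration, not the MUST implementation; the grid encoding
is an assumption standing in for the paper's Traffic Graphs."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters: S, SA, A, PA, R, RA, FA
    length: int  # frame length in bytes


# Constructed sample capture (not real traffic): 10.0.0.5 probes five ports on
# 10.0.0.9 with bare SYNs (closed ports answer RST/ACK, open port 80 gets a
# SYN/ACK the prober tears down with RST, 8080 never answers), while 10.0.0.7
# completes a handshake to 443 and exchanges data.
SAMPLE = [
    Pkt(0.000, "10.0.0.5", 40001, "10.0.0.9", 22, "S", 60),
    Pkt(0.001, "10.0.0.9", 22, "10.0.0.5", 40001, "RA", 54),
    Pkt(0.002, "10.0.0.5", 40002, "10.0.0.9", 80, "S", 60),
    Pkt(0.003, "10.0.0.9", 80, "10.0.0.5", 40002, "SA", 60),
    Pkt(0.004, "10.0.0.5", 40002, "10.0.0.9", 80, "R", 54),
    Pkt(0.005, "10.0.0.5", 40003, "10.0.0.9", 443, "S", 60),
    Pkt(0.006, "10.0.0.9", 443, "10.0.0.5", 40003, "RA", 54),
    Pkt(0.007, "10.0.0.5", 40004, "10.0.0.9", 3306, "S", 60),
    Pkt(0.008, "10.0.0.9", 3306, "10.0.0.5", 40004, "RA", 54),
    Pkt(0.009, "10.0.0.5", 40005, "10.0.0.9", 8080, "S", 60),
    Pkt(1.000, "10.0.0.7", 51000, "10.0.0.9", 443, "S", 60),
    Pkt(1.001, "10.0.0.9", 443, "10.0.0.7", 51000, "SA", 60),
    Pkt(1.002, "10.0.0.7", 51000, "10.0.0.9", 443, "A", 54),
    Pkt(1.010, "10.0.0.7", 51000, "10.0.0.9", 443, "PA", 571),
    Pkt(1.020, "10.0.0.9", 443, "10.0.0.7", 51000, "PA", 1460),
    Pkt(1.021, "10.0.0.7", 51000, "10.0.0.9", 443, "A", 54),
    Pkt(1.500, "10.0.0.7", 51000, "10.0.0.9", 443, "FA", 54),
]

FLAG_CLASS = {"S": 1, "SA": 2, "A": 3, "PA": 4, "R": 5, "RA": 5, "FA": 6}


def group_sessions(pkts):
    """Group packets into bidirectional sessions keyed by
    (client_ip, client_port, server_ip, server_port); the client is whoever
    sent the first packet, and packets are kept in time order."""
    by_pair = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p.ts):
        by_pair[frozenset({(p.src, p.sport), (p.dst, p.dport)})].append(p)
    return {(s[0].src, s[0].sport, s[0].dst, s[0].dport): s for s in by_pair.values()}


def session_features(pkts):
    """Typical per-session statistics used by flow-based scan detectors."""
    client = (pkts[0].src, pkts[0].sport)
    fwd = [p for p in pkts if (p.src, p.sport) == client]
    bwd = [p for p in pkts if (p.src, p.sport) != client]
    return {
        "client": pkts[0].src,
        "server": pkts[0].dst,
        "dport": pkts[0].dport,
        "pkts": len(pkts),
        "duration": pkts[-1].ts - pkts[0].ts,
        "fwd_bwd_ratio": len(fwd) / max(len(bwd), 1),
        "syn_only_frac": sum(p.flags == "S" for p in fwd) / len(fwd),
        "rst_from_server": any("R" in p.flags for p in bwd),
        # Three-way handshake: a server SYN/ACK answered by a client ACK.
        "handshake_completed": any(p.flags == "SA" for p in bwd)
        and any(p.flags == "A" for p in fwd),
        "payload_pkts": sum("P" in p.flags for p in pkts),
    }


def traffic_grid(pkts, n=8):
    """First n packets as a zero-padded row of (direction, size bucket, flag
    class) cells: a toy stand-in for a shape/colour Traffic Graph (assumed
    encoding, not the paper's definition)."""
    client = (pkts[0].src, pkts[0].sport)
    cells = [(1 if (p.src, p.sport) == client else -1,
              min(p.length // 64, 15),
              FLAG_CLASS.get(p.flags, 0)) for p in pkts[:n]]
    return cells + [(0, 0, 0)] * (n - len(cells))


def scan_candidates(sessions, min_targets=4):
    """Flag sources that open many distinct (server, port) sessions and
    complete none of them: the SYN / half-open scan footprint."""
    per_src = defaultdict(lambda: {"targets": set(), "sessions": 0, "unfinished": 0})
    for pkts in sessions.values():
        f = session_features(pkts)
        agg = per_src[f["client"]]
        agg["sessions"] += 1
        agg["targets"].add((f["server"], f["dport"]))
        agg["unfinished"] += not f["handshake_completed"]
    return {src: {"targets": len(a["targets"]), "sessions": a["sessions"],
                  "unfinished": a["unfinished"]}
            for src, a in per_src.items()
            if len(a["targets"]) >= min_targets and a["unfinished"] == a["sessions"]}


if __name__ == "__main__":
    sessions = group_sessions(SAMPLE)
    for key, pkts in sessions.items():
        print(key, session_features(pkts), traffic_grid(pkts))
    print("scan candidates:", scan_candidates(sessions))
```

On the constructed capture the probing host is the only scan candidate: five targets, five sessions, none completed. The benign 443 session, by contrast, shows a completed handshake, a SYN-only fraction of 0.2 and payload packets in both directions, which is the statistical contrast a fused detector is meant to learn; the grid for the half-open probe of port 80 reads SYN, SYN/ACK, RST and then padding, exactly the short, one-sided pattern a scanner produces and a client exchange does not.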
Journal description:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.