Giulia De Santis, Abdelkader Lahmadi, J. François, O. Festor
2018 9th IFIP International Conference on New Technologies, Mobility and Security (NTMS), published 2018-02-26. DOI: 10.1109/NTMS.2018.8328698 (https://doi.org/10.1109/NTMS.2018.8328698)
Internet-Wide Scanners Classification using Gaussian Mixture and Hidden Markov Models
Internet-wide scanners are heavily used for malicious activities. This work models, from the scanned system's point of view, the spatial and temporal movements of Network Scanning Activities (NSAs), related to the differences between successive scanned IP addresses and timestamps, respectively. Based on real logs of incoming IP packets collected from a darknet, Hidden Markov Models (HMMs) are used to assess which scanning tool is operating. The proposed methodology, using only one of the aforementioned features of the scanning tool, is able to fingerprint which network scanner originated the perceived darknet traffic.