Analysis of Vertical Scans Discovered by Naive Detection
Network scans are very common and frequent events that appear in almost every network. Generally, the scans are quite harmless. Scanning can be useful for network operators, who need to know the state of their infrastructure. Conversely, scans can also be used by attackers to gather sensitive information. This paper describes a simple detection method that was used to detect vertical scans. Our aim is to show the results of a long-term measurement on a backbone network and to show that it is possible to detect scans efficiently even with a simple method. The paper presents several interesting statistics that characterize network behavior and scanning frequency in a large high-speed national academic network.
This work was partially supported by the “CESNET E-Infrastructure” (LM2015042) and CTU grant No. SGS16/124/OHK3/1T/18, both funded by the Ministry of Education, Youth and Sports of the Czech Republic.