NII Technical Report (NII-2016-008E)

Title Profiling Internet Scanners: Spatial and Temporal Structures
Authors Johan Mazel, Romain Fontugne, Kensuke Fukuda
Abstract A great deal of effort has been dedicated to the study of network scanning. Nonetheless, previous studies focused on simple characteristics such as the number of scanning IPs (also called scanners) or targets, but usually neglected scanner behavior. We analyze 15 years of backbone traffic and propose a method for profiling scanning IPs. Our analysis first details evolution of targeted services, mass-scanning tool usage and scanning pattern. Then, we propose a new method to classify scanning IPs’ spatial and temporal structure into three profiles that reveal vastly different intent. In particular, we find that 33% of scanners repeatedly target the same set of hosts. If unsolicited, this behavior provides an early warning to administrators regarding the malicious intent of scanners. Finally, we study publicly documented scanners’ activities and show that security research-related scanning IPs behave differently than non-documented scanners. We also show that only 39% of scanning entities follow online documentation best practices.
Language English
Published December 22, 2016
Pages 12p
PDF File 16-008E.pdf



ISSN:1346-5597
NII Technical Reports
National Institute of Informatics