Modeling and Recognizing Network Scanners with Finite Mixture Models and Hidden Markov Models

Speaker: Giulia De Santis - Inria Nancy
Monday, June 24, 2019 at 3:00 PM, Aula Verde
The talk will present how stochastic models of two Internet-wide scanners, ZMap and Shodan, have been built. More in detail, packets originated by each of the two scanners were collected by the High Security Lab hosted at Inria Nancy - Grand Est and used to learn Hidden Markov Models (HMMs). The first part of the talk models the intensity of the two network scanners, in order to establish whether the intensity of ZMap varies with the targeted service, and whether the intensities of the two scanners are comparable. Results will be presented: the answer to the first question is positive, whereas the answer to the second question is negative.
The talk then investigates the spatial and temporal movements of the same network scanners. Datasets containing the logs of a single execution of ZMap and of Shodan, respectively, were created. Then the differences between IP addresses consecutively targeted by the same scanner (i.e., within each sample), and between the corresponding timestamps, were computed: the former were used to model spatial movements, the latter temporal ones. Once the Hidden Markov Models were available, they were applied to detect the scanners from other sets of logs. In both cases, our models are not able to detect the targeted service, but they correctly detect the scanner that originated the new logs, with an accuracy of 95% when exploiting spatial movements and of 98% when using temporal movements.
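The pipeline the abstract describes (consecutive-target IP and timestamp differences, one HMM per scanner, recognition of a fresh log by the best-scoring model) can be reproduced end to end on toy data. The block below is an added example written for this page; it is not the Inria code and uses none of the High Security Lab data. It assumes two hypothetical scanners ("sweep", a linear sweeper, and "hop", an address-hopping scanner), hand-chosen bin edges that turn each difference into one of three symbols, two-state discrete HMMs learned with Baum-Welch, and constructed scan logs; the accuracy figures in the talk are not reproduced here.

```python
"""Scanner recognition from spatial/temporal movements with per-scanner HMMs (added toy example)."""
import ipaddress
import math

EPS = 1e-9                     # probability floor: an unseen symbol must not give log(0)
SPATIAL_EDGES = (2, 1000)      # |ip delta|: 0 = adjacent, 1 = nearby, 2 = far jump (assumed bins)
TEMPORAL_EDGES = (0.05, 1.0)   # time delta (s): 0 = burst, 1 = sub-second, 2 = slow (assumed bins)

def deltas(values):
    """Differences between consecutive entries (IP addresses as integers, or timestamps)."""
    return [b - a for a, b in zip(values, values[1:])]

def discretize(ds, edges):
    """Bin |delta| into symbols 0..len(edges): symbol = number of edges <= |delta|."""
    return [sum(1 for e in edges if abs(d) >= e) for d in ds]

def log_forward(model, seq):
    """Log P(seq | model) for a discrete HMM (pi, A, B): forward algorithm in log space."""
    pi, A, B = model
    n, lg = len(pi), (lambda p: math.log(max(p, EPS)))
    alpha = [lg(pi[i]) + lg(B[i][seq[0]]) for i in range(n)]
    for s in seq[1:]:
        nxt = []
        for j in range(n):
            terms = [alpha[i] + lg(A[i][j]) for i in range(n)]
            m = max(terms)
            nxt.append(m + math.log(sum(math.exp(t - m) for t in terms)) + lg(B[j][s]))
        alpha = nxt
    m = max(alpha)
    return m + math.log(sum(math.exp(a - m) for a in alpha))

def baum_welch(seq, n_states, n_symbols, iters=30):
    """Learn (pi, A, B) from one observed symbol sequence by scaled forward-backward EM."""
    T = len(seq)
    pi = [1.0 / n_states] * n_states  # slightly asymmetric start so the states can specialise
    A = [[1.0 + 0.1 * ((i + j) % 2) for j in range(n_states)] for i in range(n_states)]
    B = [[1.0 + 0.2 * ((i + k) % 3) for k in range(n_symbols)] for i in range(n_states)]
    A = [[x / sum(r) for x in r] for r in A]
    B = [[x / sum(r) for x in r] for r in B]
    for _ in range(iters):
        alpha, scale = [], []  # E-step: forward pass, rescaled at every step
        for t in range(T):
            a = [(sum(alpha[-1][i] * A[i][j] for i in range(n_states)) if t else pi[j]) * B[j][seq[t]]
                 for j in range(n_states)]
            c = sum(a) or EPS
            scale.append(c)
            alpha.append([x / c for x in a])
        beta = [[0.0] * n_states for _ in range(T)]  # backward pass with the same scales
        beta[-1] = [1.0 / scale[-1]] * n_states
        for t in range(T - 2, -1, -1):
            beta[t] = [sum(A[i][j] * B[j][seq[t + 1]] * beta[t + 1][j] for j in range(n_states))
                       / scale[t] for i in range(n_states)]
        gamma = [[alpha[t][i] * beta[t][i] * scale[t] for i in range(n_states)] for t in range(T)]
        xi = [[sum(alpha[t][i] * A[i][j] * B[j][seq[t + 1]] * beta[t + 1][j] for t in range(T - 1))
               for j in range(n_states)] for i in range(n_states)]
        pi = [gamma[0][i] for i in range(n_states)]  # M-step: re-estimate from posteriors
        for i in range(n_states):
            g_trans = sum(gamma[t][i] for t in range(T - 1)) or EPS
            g_all = sum(gamma[t][i] for t in range(T)) or EPS
            A[i] = [xi[i][j] / g_trans for j in range(n_states)]
            B[i] = [sum(gamma[t][i] for t in range(T) if seq[t] == k) / g_all
                    for k in range(n_symbols)]
    return pi, A, B

def log_to_symbols(log):
    """One scan log [(ip, timestamp), ...] -> (spatial symbols, temporal symbols)."""
    ips = [int(ipaddress.IPv4Address(ip)) for ip, _ in log]
    return (discretize(deltas(ips), SPATIAL_EDGES),
            discretize(deltas([t for _, t in log]), TEMPORAL_EDGES))

def train(logs_by_scanner):
    """One spatial and one temporal HMM per scanner, each learned from a single execution's log."""
    return {name: tuple(baum_welch(s, 2, 3) for s in log_to_symbols(log))
            for name, log in logs_by_scanner.items()}

def recognize(models, log):
    """Scanner whose HMM gives the fresh log the highest log-likelihood: (by space, by time)."""
    sp, tp = log_to_symbols(log)
    return (max(models, key=lambda n: log_forward(models[n][0], sp)),
            max(models, key=lambda n: log_forward(models[n][1], tp)))

# Constructed logs, not captured traffic: a hypothetical linear sweeper paced at 10-20 ms and a
# hypothetical address-hopping scanner with irregular 0.3 s to 1.6 s gaps between probes.
SWEEP = [("10.0.0.%d" % h, 1000.0 + 0.01 * k)
         for k, h in enumerate([1, 2, 3, 4, 5, 6, 9, 10, 11, 12, 13, 16, 17, 18, 19, 20])]
HOP = list(zip(["10.23.140.7", "10.201.9.66", "10.88.250.1", "10.150.3.240", "10.2.77.130",
                "10.199.44.12", "10.120.210.90", "10.60.8.200", "10.240.1.15", "10.30.99.180"],
               [2000.0, 2000.6, 2001.9, 2002.2, 2003.8, 2004.1, 2005.5, 2006.0, 2007.2, 2007.9]))
NEW_SWEEP = [("192.168.1.%d" % h, 5000.0 + 0.02 * k)
             for k, h in enumerate([10, 11, 12, 13, 14, 17, 18, 19, 20])]
NEW_HOP = list(zip(["172.16.5.9", "172.31.200.1", "172.18.77.40", "172.29.3.250",
                    "172.20.140.6", "172.26.90.13", "172.17.8.222", "172.30.66.5"],
                   [6000.0, 6001.4, 6001.7, 6003.0, 6003.4, 6004.9, 6005.3, 6006.5]))

if __name__ == "__main__":
    models = train({"sweep": SWEEP, "hop": HOP})
    print(recognize(models, NEW_SWEEP))  # ('sweep', 'sweep')
    print(recognize(models, NEW_HOP))    # ('hop', 'hop')
```

Note that nothing about the targeted port or service enters the features, which is consistent with the abstract's remark that the models recognise the scanner but not the service. The symbol bins and the two-state size are assumptions for the toy data; with real logs the bin edges (or a continuous-emission HMM) and the number of hidden states would have to be chosen from the collected packets.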

Contact person: Roberto Giacobazzi

Publication date
June 11, 2019