Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

Yi Xiao,Guanqiu Qi,Mengjie Jin,Kum Fai Yuen,Zhuo Chen,Kevin X. Li

DOI: https://doi.org/10.1016/j.tranpol.2021.04.003

IF: 6.173

2021-01-01

Transport Policy

Abstract:Port State Control (PSC) guarantees that foreign ships do not jeopardize marine safety, security, and the environment when entering foreign ports. To share inspection information and improve the efficiency of PSC, countries in the same regions cooperate and follow memoranda of understanding (MoUs). Globally, a total of ten MoUs govern three different inspection regimes designed to select and inspect substandard ships. In this study, we use a super-slacks-based measure (super-SBM) to evaluate and compare the inspection efficiency of the three inspection regimes implemented by these ten MoUs and relies on the Malmquist production index (MPI) to identify the most applicable regimes. Our analyses produce three main conclusions. First, we use the average scores of the super-SBM in the past 11 years to confirm the efficiency rankings of the ten MoUs. Second, we combine the average efficiency scores of the three inspection regimes to show that the New Inspection Regime (NIR) is more economically efficient than other inspection regimes. Third, we use MPI scores to obtain a better understanding of the efficiency changes in MoUs? productivity over time and confirm that the NIR is more stable than other inspection regimes.

Jason M. Pittman

DOI: https://doi.org/10.48550/arXiv.2302.09317

2023-02-18

Abstract:Port scanning is the process of attempting to connect to various network ports on a computing endpoint to determine which ports are open and which services are running on them. It is a common method used by hackers to identify vulnerabilities in a network or system. By determining which ports are open, an attacker can identify which services and applications are running on a device and potentially exploit any known vulnerabilities in those services. Consequently, it is important to detect port scanning because it is often the first step in a cyber attack. By identifying port scanning attempts, cybersecurity professionals can take proactive measures to protect the systems and networks before an attacker has a chance to exploit any vulnerabilities. Against this background, researchers have worked for over a decade to develop robust methods to detect port scanning. One such method revealed by a recent systematic review is the random forest supervised machine learning algorithm. The review revealed six existing studies using random forest since 2021. Unfortunately, those studies each exhibit different results, do not all use the same training and testing dataset, and only two include source code. Accordingly, the goal of this work was to reproduce the six random forest studies while addressing the apparent shortcomings. The outcomes are significant for researchers looking to explore random forest to detect port scanning and for practitioners interested in reliable technology to detect the early stages of cyber attack.

Cryptography and Security,Machine Learning

Lanjia Wang,Haixin Duan,Xing Li

DOI: https://doi.org/10.1007/11602897_21

2005-01-01

Abstract:Detecting and identifying port scans is important for tracking malicious activities at early stage. The previous work mainly focuses on detecting individual scanners, while cares little about their common scan patterns that may imply important security threats against network. In this paper we propose a scan vector model, in which a scanner is represented by a vector that combines different scan features online, such as target ports and scan rate. A center-based clustering algorithm is then used to partition the scan vectors into groups, and provide a condense view of the major scan patterns by a succinct summary of the groups. The experiment on traffic data gathered from two subnets in our campus network shows that our method can accurately identify the major scan patterns without being biased by heavy hitters, meanwhile, possessing simplicity and low computation cost.

Guanglei Song,Lin He,Tao Chen,Jinlei Lin,Linna Fan,Kun Wen,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1109/tnet.2024.3491314

2024-01-01

IEEE/ACM Transactions on Networking

Abstract:Internet-wide scanning is a commonly used research technique in various network surveys, such as measuring service deployment and security vulnerabilities. However, these network surveys are limited to the given port set, not comprehensively obtaining the real network landscape, and even misleading survey conclusions. In this work, we introduce PMap, a port scanning tool that efficiently discovers the most open ports from all 65K ports in the whole network. PMapuses the correlation of ports to build an open port correlation graph of each network, using a reinforcement learning framework to update the correlation graph based on feedback results and dynamically adjust the order of port scanning. Compared to current port scanning methods, PMapperforms better on hit rate, coverage, and intrusiveness. Our experiments over real networks show that PMapcan find 90% open ports by only scanning 125 ports (90%@125) to each address, which is 99.3% less than the state-of-the-art port scanning methods. It reduces the number of scanned ports to decrease the intrusive nature of port scanning. In addition, PMapis highly parallel and lightweight. It scans 500 networks in parallel, achieving a port recommendation rate of up to 18 million per second, consuming only 7GB of memory. PMapis the first effective practice for scanning open ports using reinforcement learning. It bridges the gap of existing scanning tools and effectively supports subsequent service discovery and security research.

Guanglei Song,Lin He,Tianyun Zhao,Yirui Luo,Yichao Wu,Linna Fan,Chenglong Li,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1109/iwqos57198.2023.10188692

2023-01-01

Abstract:Internet-wide scanning is a commonly used research technique in various network surveys, such as measuring service deployment and security vulnerabilities. However, these network surveys are limited to the given port set, not comprehensively obtaining the real network landscape, and even misleading survey conclusions. In this work, we introduce PMap, a port scanning tool that efficiently discovers the majority of open ports from all 65K ports in the whole network. PMap uses the correlation of ports to build an open port correlation graph of each network, using a reinforcement learning framework to update the correlation graph based on feedback results and dynamically adjust the order of port scanning. Compared to current port scanning methods, PMap achieves better performance on hit rate, coverage, and intrusiveness. Our experiments over real-world networks show that PMap can find 90% open ports by only scanning 125 ports (90% @125) to each active address with 136× less than the state-of-the-art port probing methods. PMap reduces the number of scanned ports to decrease the intrusive nature of port scanning. PMap is the first effective practice for scanning open ports using reinforcement learning. It bridges the gap of existing scanning tools and effectively supports subsequent service discovery and security research.

Rana Abu Bakar,Boonserm Kijsirikul

DOI: https://doi.org/10.3390/s23177541

2023-08-30

Abstract:Network security is paramount in today's digital landscape, where cyberthreats continue to evolve and pose significant risks. We propose a DPDK-based scanner based on a study on advanced port scanning techniques to improve network visibility and security. The traditional port scanning methods suffer from speed, accuracy, and efficiency limitations, hindering effective threat detection and mitigation. In this paper, we develop and implement advanced techniques such as protocol-specific probes and evasive scan techniques to enhance the visibility and security of networks. We also evaluate network scanning performance and scalability using programmable hardware, including smart NICs and DPDK-based frameworks, along with in-network processing, data parallelization, and hardware acceleration. Additionally, we leverage application-level protocol parsing to accelerate network discovery and mapping, analyzing protocol-specific information. In our experimental evaluation, our proposed DPDK-based scanner demonstrated a significant improvement in target scanning speed, achieving a 2× speedup compared to other scanners in a target scanning environment. Furthermore, our scanner achieved a high accuracy rate of 99.5% in identifying open ports. Notably, our solution also exhibited a lower CPU and memory utilization, with an approximately 40% reduction compared to alternative scanners. These results highlight the effectiveness and efficiency of our proposed scanning techniques in enhancing network visibility and security. The outcomes of this research contribute to the field by providing insights and innovations to improve network security, identify vulnerabilities, and optimize network performance.

Shan Rong-sheng,Li Xiao-yong D.,Li Jian-hua

DOI: https://doi.org/10.1007/s11741-004-0073-8

2004-01-01

Abstract:Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD(port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.

Pei-sheng LIN,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.12.026

2017-01-01

Abstract:With the development of port scanning technology, some fast single-node port scanning tools, such as ZMap and MASSCAN, are proposed to maximize the use of bandwidth resources for port scanning. However, the performance of these tools is limited by the bandwidth of a single node. In order to further improve the performance of these tools, a distributed task scheduling algorithm and its supporting protocol is proposed, which can be used to implement a rapid distributed port scanning system. With the addresses sharding technology, the target address can be sent to all available nodes for simultaneous port-scanning, and this could theoretically utilize the bandwidth resources of all nodes. In addition, the algorithm also has some exception handling mechanisms, and these mechanisms maybe used to ensure the availability of the system and the accuracy of the results.

Mohammad Borhani,Gurjot Singh Gaba,Juan Basaez,Ioannis Avgouleas,Andrei Gurtov

DOI: https://doi.org/10.1016/j.jii.2024.100623

IF: 11.718

2024-05-06

Journal of Industrial Information Integration

Abstract:Industrial device scanners allow anyone to scan devices on private networks and the Internet. They were intended as network security tools, but they are commonly exploited as attack tools, as scanning can reveal vulnerable devices. However, from a defensive perspective, this vulnerability disclosure could be used to secure devices if characteristics such as type, model, manufacturer, and firmware could be identified. Automated scanning reports can help to apply security measures before an attacker finds a vulnerability. A complete device recognition procedure can then be seen as the basis for auditing networks and identifying vulnerabilities to mitigate cyber-attacks, especially among Industrial Internet of Things (IIoT) devices that are part of critical systems. In this survey, considering SCADA (Supervisory Control and Data Acquisition) systems as monitoring and control components of essential infrastructure, we focus on analyzing the architectures, specifications, and constraints of several industrial device scanners. In addition, we examine the information revealed by the scanners to identify the threats posed by them on industrial systems and networks. We analyze monthly and yearly statistics of cyber-attack incidents to investigate the role of these scanners in accelerating attacks. By presenting the findings of an experimentation, we highlight how easily anyone could identify hundreds of Internet-connected industrial devices in Sweden, which could lead to a major service interruption in industrial environments designed for minimal human involvement. We also discuss several methods to avoid scanners or reduce their identifying capabilities to conceal industrial devices from unauthorized access.

computer science, interdisciplinary applications,engineering, industrial

Akira Tanaka,Chansu Han,Takeshi Takahashi

DOI: https://doi.org/10.1109/access.2023.3249474

IF: 3.9

2023-01-01

IEEE Access

Abstract:Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

computer science, information systems,telecommunications,engineering, electrical & electronic

LAI Hai-guang,XU Feng,HUANG Hao,XIE Jun-yuan

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.11.003

2006-01-01

Abstract:Portscan is used to figure out whether the target system's ports are open by trying to access these ports.It is usually the fist step of a sequence of intrusion actions.Portscan detection is an indispensable part of an intrusion detection system.However,there are only a few portscan detection methods nowadays.Moreover,they are not very accurate.In order to improve the accuracy of portscan detection,the data produced by two portscan detection methods is fused using DempsterShafer theory of evidence.One method is the ports distribution based portscan detection,which is very simple and has a pretty high detection ratio.The other is the sequential hypothesis testing based detection method,which sufficiently exploits the portscan's essential character.The experiment shows that the portscan detection method based on Dempster-Shafer theory of evidence is far more accurate than the one base on ports distribution or sequential hypothesis testing.

Aniket Anand,Michalis Kallitsis,Jackson Sippe,Alberto Dainotti

DOI: https://doi.org/10.48550/arXiv.2305.07193

2023-05-12

Abstract:Aggressive network scanners, i.e., ones with immoderate and persistent behaviors, ubiquitously search the Internet to identify insecure and publicly accessible hosts. These scanners generally lie within two main categories; i) benign research-oriented probers; ii) nefarious actors that forage for vulnerable victims and host exploitation. However, the origins, characteristics and the impact on real networks of these aggressive scanners are not well understood. In this paper, via the vantage point of a large network telescope, we provide an extensive longitudinal empirical analysis of aggressive IPv4 scanners that spans a period of almost two years. Moreover, we examine their network impact using flow and packet data from two academic ISPs. To our surprise, we discover that a non-negligible fraction of packets processed by ISP routers can be attributed to aggressive scanners. Our work aims to raise the network community's awareness for these "heavy hitters", especially the miscreant ones, whose invasive and rigorous behavior i) makes them more likely to succeed in abusing the hosts they target and ii) imposes a network footprint that can be disruptive to critical network services by incurring consequences akin to denial of service attacks.

Networking and Internet Architecture

CAI Hongmin,WU Naiqi,TENG Shaohua

DOI: https://doi.org/10.3969/j.issn.2095-347x.2007.02.026

2007-01-01

Abstract:This article introduces the theorys and the methods of the detection of port scanning and OS scanning,and put forward a model of detecting port scanning and OS scanning.It can effectively detects many types of attack of scanning,by capturing the network packets and matching the snort rules.In the end,the article introduced the significance and prospect of the model.

Liz Izhikevich,Renata Teixeira,Zakir Durumeric

DOI: https://doi.org/10.48550/arXiv.2301.04841

2023-01-12

Cryptography and Security

Abstract:Internet-wide scanning is a commonly used research technique that has helped uncover real-world attacks, find cryptographic weaknesses, and understand both operator and miscreant behavior. Studies that employ scanning have largely assumed that services are hosted on their IANA-assigned ports, overlooking the study of services on unusual ports. In this work, we investigate where Internet services are deployed in practice and evaluate the security posture of services on unexpected ports. We show protocol deployment is more diffuse than previously believed and that protocols run on many additional ports beyond their primary IANA-assigned port. For example, only 3% of HTTP and 6% of TLS services run on ports 80 and 443, respectively. Services on non-standard ports are more likely to be insecure, which results in studies dramatically underestimating the security posture of Internet hosts. Building on our observations, we introduce LZR ("Laser"), a system that identifies 99% of identifiable unexpected services in five handshakes and dramatically reduces the time needed to perform application-layer scans on ports with few responsive expected services (e.g., 5500% speedup on 27017/MongoDB). We conclude with recommendations for future studies.

MA Li-bo,ZHANG Jia,LI Xing

DOI: https://doi.org/10.3321/j.issn:0438-0479.2007.z2.021

2007-01-01

Abstract:A scan detection platform constructed by unused IP addresses will effectively improve detection accuracy and reduce false alarm.Before constructing a real scan detection platform,we need to evaluate the detection effectiveness of controlled monitoring addresses to predict the detecting tagets and determine the necessity of the platform deployment.To match these requirements,a new scan detection model based on network classification is presented.According to this model,we can evaluate the detection effectiveness of a scan detection platform which is used to detect random or local preference scanning sources and provide theory guidance for the platform construction and deployment.We use the Leurre'com Honeynet Project's distributed scan detection platform as a practical evaluation instance.Evaluation results show that the platform can effectively detect high speed random scanning sources like Slammer worm and local preference scanning sources whose average scanning rate is more than 2 scan connections per second.To low speed scanning sources,the detection effectiveness is poor.Statistics of real monitoring data and simulation results validate the veracity of evaluation results.

唐小明,梁锦华,蒋建春,文伟平

DOI: https://doi.org/10.3969/j.issn.1000-7024.2002.09.005

2002-01-01

Abstract:This paper gives a summary and classification of the existing intrusion detection models and technologies, and their merits or shortcomings have been compared in detail. It also gives out the development for the future.

P. Rajesh Kanna,P. Santhi

DOI: https://doi.org/10.1007/s12652-024-04794-y

IF: 3.662

2024-05-09

Journal of Ambient Intelligence and Humanized Computing

Abstract:The field of computer networking is experiencing rapid growth, accompanied by the swift advancement of internet tools. As a result, people are becoming more aware of the importance of network security. One of the primary concerns in ensuring security is the authority over domains, and network owners are striving to establish a common language to exchange security information and respond quickly to emerging threats. Given the increasing prevalence of various types of attacks, network security has become a significant challenge in the realm of computing. To address this, a multi-level distributed approach incorporating vulnerability identification, dimensioning, and countermeasures based on attack graphs has been developed. Implementing reconfigurable virtual systems as countermeasures significantly improves attack detection and mitigates the impact of attacks. Password-based authentication, for instance, can be susceptible to password cracking techniques, social engineering attacks, or data breaches that expose user credentials. Similarly, ensuring privacy during data transmission through encryption helps protect data from unauthorized access, but it does not guarantee the prevention of other types of attacks such as malware infiltration or insider threats. This research explores various techniques to achieve effective attack detection. Multiple research methods have been utilized and evaluated to identify the most suitable approach for network security and attack detection in the context of cloud computing. The analysis and implementation of diverse research studies demonstrate that the based signature intrusion detection method outperforms others in terms of precision, recall, F-measure, accuracy, reliability, and time complexity.

computer science, information systems,telecommunications, artificial intelligence

Zibo Li,Xiangzhan Yu,Dawei Wang,Yiru Liu,Huaidong Yin,Shoushuai He

DOI: https://doi.org/10.1007/978-3-030-24268-8_5

2019-01-01

Abstract:With the rapid development of the Internet, more and more services are emerging on the Internet, but it also brings a lot of security risks. Scanning the services on the network by sending probe packets, user can know which host opens a specific service, and can also know statistical data related, which is very important for the network maintenance and discovering dangerous services. This paper focuses on SuperEye, a large-scale and interactive distributed port scanning system. In order to realize interactive port scanning, an enhanced version of TCP state transition automaton is defined to describe the interactive process of contracting and receiving packets. In order to improve the scanning efficiency and avoid triggering IDS, discusses the distribution of tasks, and the tasks are distributed with redundancy and then intermediate states of the task displayed in time, then process and store the returning results for analysis and statistics and at last show the visual results to users. The system interacts with users by friendly web pages. And heartbeat detection is also implemented to ensure the reliability of scanning tasks. Finally, a series of unit tests and integration tests are carried out, and it’s sure that the completed system meets the expected development requirements.

Steffen Haas,Florian Wilkens,Mathias Fischer

DOI: https://doi.org/10.1109/NOMS47738.2020.9110470

2020-03-11

Abstract:Public networks are exposed to port scans from the Internet. Attackers search for vulnerable services they can exploit. In large scan campaigns, attackers often utilize different machines to perform distributed scans, which impedes their detection and might also camouflage the actual goal of the scanning campaign. In this paper, we present a correlation algorithm to detect scans, identify potential relations among them, and reassemble them to larger campaigns. We evaluate our approach on real-world Internet traffic and our results indicate that it can summarize and characterize standalone and distributed scan campaigns based on their tools and intention.

Cryptography and Security