Tao Yang,Bingnan Hou,Zhiping Cai,Kui Wu,Tongqing Zhou,Chengyu Wang

DOI: https://doi.org/10.1016/j.comnet.2021.108666

IF: 5.493

2022-02-01

Computer Networks

Abstract:IPv6 target generation is critical in fast IPv6 scanning for Internet-wide surveys and cybersecurity analysis. However, existing techniques generally suffer from low hit rates because the targets are generated from inappropriate address patterns. To address the problem, we propose 6Graph, a graph-theoretic method for IPv6 address pattern mining. It first divides the IPv6 address space into different regions according to the structural information of a set of known addresses. Then, 6Graph maps the addresses of each region into undirected graphs and conducts the density-based graph cutting for address clustering to mine IPv6 address patterns and detect the misclassified addresses iteratively. Besides, we exploit the random IPv6 target generation based on Hamming distance without additional and complicated target selection. Experiments on 11 large-scale candidate datasets show that the address patterns of 6Graph have a higher seed density than the existing methods. Further results over real-world networks indicate that 6Graph can achieve 12.6%–35.8% hit rates on the candidate datasets, which is an 8.8%–275.0% improvement over the state-of-the-art methods in Internet-wide scanning.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Liang Jiao,Yujia Zhu,Wenxiu Zhang,Lei Zhao,Yi Zhou,Qingyun Liu

DOI: https://doi.org/10.1109/cscwd61410.2024.10580769

2024-01-01

Abstract:Global IPv6 scanning has always been a challenge for researchers because of the limited network speed and computational power. In this paper, we introduce 6GAI to implement more efficient target address generation. 6GAI is built with Generative Adversarial Net (GAN) integrated with Convolutional Bottleneck Attention Module (CBAM). 6GAI allows the discriminative net to leak generated address’s high-level features extracted by CBAM to the generative net, while the generative net incorporates such informative signals into all generation steps through an additional Manger module, which takes the extracted features of current generated address nybbles and outputs a latent vector to guide the Worker module for active IPv6 address generation. This work outperformed the state-of-the-art target generation algorithms on two datasets including one public dataset and one independently collected dataset.

LI Guo,HE Lin,SONG Guanglei,WANG Zhiliang,YANG Jiahai,LI Zimu

DOI: https://doi.org/10.11959/j.issn.1000-0801.2019296

2019-01-01

Abstract:Nowadays,the state-of-the-art technologies can spend a very short time to scan the whole IPv4 space,but these methods cannot be applied to the huge IPv6 space easily.Therefore,many researchers propose different heuristic algorithms for the sake of IPv6 scanning.The common way of these algorithms is to input collected IPv6 seed addresses and output new most likely active IPv6 addresses as candidates for later scanning.These methods greatly reduce the scanning range of the active address area.These technologies based on seed addresses were classified,analyzed and summarized,and detailed analysis of the advantages and disadvantages of each method was given.And the several challenges faced by the methods were discussed.73M seed addresses were collected in total from two sources,including published IPv6 datasets in papers and Beijing Node of China Education and Research Network.Through the proposed experiments,time performance and hit rate of four IPv6 address scanning technologies based on seed addresses was compared.Finally,the own thoughts on this field and some future research directions were proposed.

Tianyu Cui,Gaopeng Gou,Peipei Fu,G. Xiong,Chang Liu,Zhen Li

DOI: https://doi.org/10.1109/INFOCOM42981.2021.9488912

2021-05-10

Abstract:Global IPv6 scanning has always been a challenge for researchers because of the limited network speed and computational power. Target generation algorithms are recently proposed to overcome the problem for Internet assessments by predicting a candidate set to scan. However, IPv6 custom address configuration emerges diverse addressing patterns discouraging algorithmic inference. Widespread IPv6 alias could also mislead the algorithm to discover aliased regions rather than valid host targets. In this paper, we introduce 6GAN, a novel architecture built with Generative Adversarial Net (GAN) and reinforcement learning for multi-pattern target generation. 6GAN forces multiple generators to train with a multi-class discriminator and an alias detector to generate non-aliased active targets with different addressing pattern types. The rewards from the discriminator and the alias detector help supervise the address sequence decision-making process. After adversarial training, 6GAN’s generators could keep a strong imitating ability for each pattern and 6GAN’s discriminator obtains outstanding pattern discrimination ability with a 0.966 accuracy. Experiments indicate that our work outperformed the state-of-the-art target generation algorithms by reaching a higher-quality candidate set.

Computer Science,Engineering

Guanglei Song,Lin He,Zhiliang Wang,Jiahai Yang,Tao Jin,Jieling Liu,Guo Li

DOI: https://doi.org/10.1109/iwqos49365.2020.9212980

2020-01-01

Abstract:Fast IPv4 scanning has made sufficient progress in network measurement and security research. However, it is infeasible to perform brute-force scanning of the IPv6 address space. We can find active IPv6 addresses through scanning candidate addresses generated by the state-of-the-art algorithms, whose probing efficiency of active IPv6 addresses, however, is still very low. In this paper, we aim to improve the probing efficiency of IPv6 addresses in two ways. Firstly, we perform a longitudinal active measurement study over four months, building a high-quality dataset called hitlist with more than 1.3 billion IPv6 addresses distributed in 45.2k BGP prefixes. Different from previous work, we probe the announced BGP prefixes using a pattern-based algorithm, which makes our dataset overcome the problems of uneven address distribution and low active rate. Secondly, we propose an efficient address generation algorithm DET, which builds a density space tree to learn high-density address regions of the seed addresses in linear time and improves the probing efficiency of active addresses. On the public hitlist and our hitlist, we compare our algorithm DET against state-of-the-art algorithms and find that DET increases the de-aliased active address ratio by 10%, and active address (including aliased addresses) ratio by 14%, by scanning 50 million addresses.

Zhichao Zhang,Zhaoxin Zhang,Yanan Cheng,Ning Li

2024-01-13

Abstract:The discovery of active IPv6 addresses represents a pivotal challenge in IPv6 network survey, as it is a prerequisite for downstream tasks such as network topology measurements and security analysis. With the rapid spread of IPv6 networks in recent years, many researchers have focused on improving the hit rate, efficiency, and coverage of IPv6 scanning methods, resulting in considerable advancements. However, existing approaches remain heavily dependent on seed addresses, thereby limiting their effectiveness in unseeded prefixes. Consequently, this paper proposes 6Rover, a reinforcement learning-based model for active address discovery in unseeded environments. To overcome the reliance on seeded addresses, 6Rover constructs patterns with higher generality that reflects the actual address allocation strategies of network administrators, thereby avoiding biased transfers of patterns from seeded to unseeded prefixes. After that, 6Rover employs a multi-armed bandit model to optimize the probing resource allocation when applying patterns to unseeded spaces. It models the challenge of discovering optimal patterns in unseeded spaces as an exploration-exploitation dilemma, and progressively uncover the potential patterns applied in unseeded spaces, leading to the efficient discovery of active addresses without seed address as the prior knowledge. Experiments on large-scale unseeded datasets show that 6Rover has a higher hit rate than existing methods in the absence of any seed addresses as prior knowledge. In real network environments, 6Rover achieved a 5% - 8% hit rate in seedless spaces with 100 million budget scale, representing an approximate 200\% improvement over the existing state-of-the-art methods.

Networking and Internet Architecture

Guanglei Song,Jiahai Yang,Zhiliang Wang,Lin He,Jinlei Lin,Long Pan,Chenxin Duan,Xiaowen Quan

DOI: https://doi.org/10.1109/tnet.2022.3145040

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:Fast IPv4 scanning significantly improves network measurement and security research. Nevertheless, it is infeasible to perform brute-force scanning of the IPv6 address space. Alternatively, one can find active IPv6 addresses through scanning the candidate addresses generated by state-of-the-art algorithms. However, the probing efficiency of such algorithms is often very low. In this paper, our objective is to improve the probing efficiency of IPv6 addresses. We first perform a longitudinal active measurement study and build a high-quality dataset, hitlist, including more than 1.95B IPv6 addresses distributed in 58.2K BGP prefixes and collected over 17 months period. Different from the previous works, we probe the announced BGP prefixes using a pattern-based algorithm. This results in a dataset without uneven address distribution and low active rates. Further, we propose an efficient address generation algorithm, DET, which builds a density space tree to learn high-density address regions of the seed addresses with linear time complexity and improves the active addresses’ probing efficiency. We then compare our algorithm DET against state-of-the-art algorithms on the public hitlist and our hitlist by scanning 50M addresses. Our analysis shows that DET increases the de-aliased active address ratio and active address (including aliased addresses) ratio by 10%, and 14%, respectively. Furthermore, we develop a fingerprint-based method to detect aliased prefixes. The proposed method for the first time directly verifies whether the prefix is aliased or not. Our method finds that 10.64% of the public aliased prefixes are false positive.

Guanglei Song,Lin He,Feiyu Zhu,Jinlei Lin,Wenjian Zhang,Linna Fan,Chenglong Li,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1109/tnet.2024.3406508

2024-01-01

Abstract:Fast Internet-wide scanning is essential for network situational awareness and asset evaluation. However, the vast IPv6 address space makes brute-force scanning infeasible. Despite advancements in state-of-the-art methods, they do not work in seedless regions and suffer low detection efficiency and speed in regions with known active IPv6 addresses (i.e., seed addresses). Moreover, the collected active address list (i.e., IPv6 hitlist) with low coverage cannot truly represent the active IPv6 address landscape of the Internet. This paper introduces, a fast, efficient, and comprehensive global active IPv6 address detection system. We design a systematic active IPv6 address detection strategy that divides the IPv6 space into two detection scenarios based on the presence or absence of seed addresses to discover active IPv6 addresses from scratch and from few to many. In the seedless regions, we present, leveraging a multi-level association policy to probe active addresses. It fills the gap of address detection in seedless regions and successfully discovers active addresses in 39,899 BGP prefixes without seed addresses, with a 1.03 x higher hit rate, 30 similar to 911 x higher speed, and 2.7 x broader coverage, compared to existing solutions. In the regions with seed addresses, our method dynamically generates target addresses using reinforcement learning. Compared to state-of-the-art methods, achieves an impressive 56.3% hit rate and a discovery speed of 839.0/s, which is 1.9 similar to 2153 x and 1.5 similar to 755 x of existing works, respectively. Finally, we deploy and discover 2.1B active IPv6 addresses, including 1.7B de-aliased active addresses and 0.4B aliased addresses, through continuous probing for three years.

Qiankun Liu,Xing Li

DOI: https://doi.org/10.1109/iscc58397.2023.10218311

2023-01-01

Abstract:Active network scanning in IPv6 is hindered by the vast address space of IPv6. Researchers have proposed various target generation methods, which are proved effective for reducing scanning space, to solve this problem. However, the current landscape of address generation methods is characterized by either low hit rates or limited applicability. To overcome these limitations, we propose 6Former, a novel target generation system based on Transformer. 6Former integrates a discriminator and a generator to improve hit rates and overcome usage scenarios limitations. Our experimental findings demonstrate that 6Former improves hit rates by a minimum of 38.6% over state-of-the-art generation approaches, while reducing time consumption by 31.6% in comparison to other language model-based methods.

Xue Chen,Weiwei Shi,Jieyan Liu,Mengshu Hou,Yujun Li

DOI: https://doi.org/10.1145/3625403.3625426

2023-01-01

Abstract:Network management such as topology discovery and network diagnosis needs to be scanned based on the Internet, and the IPV6 address space is huge and it is difficult to perform global scanning. The existing IPV6 target generation method has a low hit rate, mainly because the spatial division of the address is not accurate enough. We propose an IPV6 address prediction method based on community discovery algorithm, which is called 6Community. 6Community first uses the community discovery algorithm to divide the address space, so that similar addresses can be divided into an address area, and then performs anomaly detection on the divided address space, and re-divides the space. Finally, the obtained address patterns are pre-detected to filter out low-quality address patterns and reduce the size of address scanning space, so as to accelerate the speed of address prediction and increase the hit rate of address prediction. We conducted experiments on three data sets. The results show that compared with the existing methods, the IPV6 address hit rate generated by 6Community is improved, which can reach 13.2% -33.5%. At the same time, the results show that the scanning space obtained by this method is reduced, and the abnormal points in the process of experiment are also reduced.

Hammas Bin Tanveer,Rachee Singh,Paul Pearce,Rishab Nithyanand

DOI: https://doi.org/10.48550/arXiv.2210.02522

2022-10-06

Abstract:In this work we identify scanning strategies of IPv6 scanners on the Internet. We offer a unique perspective on the behavior of IPv6 scanners by conducting controlled experiments leveraging a large and unused /56 IPv6 subnet. We selectively make parts of the subnet visible to scanners by hosting applications that make direct or indirect contact with IPv6- capable servers on the Internet. By careful experiment design, we mitigate the effects of hidden variables on scans sent to our /56 subnet and establish causal relationships between IPv6 host activity types and the scanner attention they evoke. We show that IPv6 host activities e.g., Web browsing, membership in the NTP pool and Tor network, cause scanners to send a magnitude higher number of unsolicited IP scans and reverse DNS queries to our subnet than before. DNS scanners focus their scans in narrow regions of the address space where our applications are hosted whereas IP scanners broadly scan the entire subnet. Even after the host activity from our subnet subsides, we observe persistent residual scanning to portions of the address space that previously hosted applications

Networking and Internet Architecture

Guanglei Song,Jiahai Yang,Lin He,Zhiliang Wang,Guo Li,Chenxin Duan,Yaozhong Liu,Zhongxiang Sun

2022-01-01

Abstract:Fast Internet-wide scanning is essential for network situational awareness and asset evaluation. However, the vast IPv6 address space makes brute-force scanning infeasible. Although state-of-the-art techniques have made effective attempts, these methods do not work in seedless regions, while the detection efficiency is low in regions with seeds. Moreover, the constructed hitlists with low coverage cannot truly represent the active IPv6 address landscape of the Internet. This paper introduces AddrMiner, a systematic and comprehensive global active IPv6 address probing system. We divide the IPv6 address space regions into three kinds according to the number of seed addresses to discover active IPv6 addresses from scratch, from few to many. For the regions with no seeds, we present AddrMiner-N, leveraging an organization association strategy to mine active addresses. It fills the gap of address probing in seedless regions and finds active addresses covering 86.4K IPv6 prefixes announced by BGP, accounting for 81.6% of the probed announced prefixes. For the regions with few seeds, we propose AddrMiner-F, utilizing a similarity matching strategy to probe active addresses further. The hit rate of active address probing is improved by 70%-150% compared to existing algorithms. Moreover, for the regions with sufficient seeds, we present AddrMiner-S to generate target addresses based on reinforcement learning dynamically. It nearly doubles the hit rate compared to the state-of-the-art algorithms. Finally, we deploy AddrMiner and discover 2.1 billion active IPv6 addresses, including 1.7 billion de-aliased active addresses and 0.4 billion aliased addresses, through continuous probing for 13 months. We would like to further open the door of IPv6 measurement studies by publicly releasing AddrMiner and sharing our data.

Xiang Li,Baojun Liu,Xiaofeng Zheng,Haixin Duan,Qi Li,Youjun Huang

DOI: https://doi.org/10.1109/DSN48987.2021.00025

2021-01-01

Abstract:Numerous measurement researches have been performed to discover the IPv4 network security issues by leveraging the fast Internet-wide scanning techniques. However, IPv6 brings the 128-bit address space and renders brute-force network scanning impractical. Although significant efforts have been dedicated to enumerating active IPv6 hosts, limited by technique efficiency and probing accuracy, large-scale empirical measurement studies under the increasing IPv6 networks are infeasible now. To fill this research gap, by leveraging the extensively adopted IPv6 address allocation strategy, we propose a novel IPv6 network periphery discovery approach. Specifically, XMap, a fast network scanner, is developed to find the periphery, such as a home router. We evaluate it on twelve prominent Internet service providers and harvest 52M active peripheries. Grounded on these found devices, we explore IPv6 network risks of the unintended exposed security services and the flawed traffic routing strategies. First, we demonstrate the unintended exposed security services in IPv6 networks, such as DNS, and HTTP, have become emerging security risks by analyzing 4.7M peripheries. Second, by inspecting the periphery's packet routing strategies, we present the flawed implementations of IPv6 routing protocol affecting 5.8M router devices. Attackers can exploit this common vulnerability to conduct effective routing loop attacks, inducing DoS to the ISP's and home routers with an amplification factor of \gt 200. We responsibly disclose those issues to all involved vendors and ASes and discuss mitigation solutions. Our research results indicate that the security community should revisit IPv6 network strategies immediately.

Chenhuan Liu,Qiankun Liu,Shanshan Hao,CongXiao Bao,Xing Li

DOI: https://doi.org/10.1007/978-3-030-78612-0_19

2021-01-01

Abstract:The state of the network can be reflected by the background traffic. Negative network measurements can be a very important way to understand the Internet. I would like to express appreciation to CERNET, who provided us with an IPv6 address space allocated but not a fully used network. By announcing a large /20 covering prefixes on this address, we have published routing information on China's domestic education network, business network, and foreign education network. Based on the honeypot method, we collect relative traffic at the last hop router of the experiment network. Thus, we make our experiment environment a network telescope. We discover that background radiation traffic grew more rapidly than it was years ago under the current ipv6 network situation. Moreover, suspicious IPv6 address scanning traffic shows up. We classify and analyze the traffic and classify all the source addresses and destination addresses. We found that the source addresses are mainly from Asian countries. In particular, we conduct further detection and monitor on the suspicious source addresses. We analyze the time when it appears and what it scans, including the destination address and the port type. The most interesting destination ports to the outside world are mainly 80, 8080, 443, 53, 21, 22, 23, and 25, which are related to web services and host system applications. We explain most of the data and highlight the significant attributes of the data. We found several special addresses scanning our address segment periodically. Our work reveals the situation and the problem under the current IPv6 network situation.

Chuan Sheng,Yu Yao,Lianxiang Zhao,Peng Zeng,Jianming Zhao

DOI: https://doi.org/10.1109/tifs.2024.3359002

IF: 7.231

2024-02-10

IEEE Transactions on Information Forensics and Security

Abstract:As the precursor of cyber-attacks, the campaigns of scanning groups are able to reflect the attack target and attack trend to a great extent, which provide highly valuable threat intelligence for cyber defenders to understand the current cyber security situation. However, how to identify scanning groups in the context of limited information, especially in the absence of relevant threat intelligence, remains a challenging problem. In this paper, we utilize the honeynet as the unique data source to propose a scanning group identification system, Scanner-Hunter, which focuses on identifying scanning groups targeting ICS devices. To better characterize scanning patterns, a novel traffic representation scheme for scanning traffic is proposed, which is composed of a set of feature vectors to describe all the ICS request packets. On this basis, we propose a novel self-expanding multi-class classification (SEMCC) model and the IP prefix judgment, which are deliberately integrated to cope with sophisticated scanning groups. Take the Modbus protocol as an example, we implement a prototype of Scanner-Hunter, and use six years of real-world honeynet datasets to evaluate its performance. The experimental results illustrate its effectiveness and superior performance compared with some popular machine learning methods and existing SOTA scanning group identification methods. In addition, Scanner-Hunter is further leveraged to investigate the group distribution and maliciousness of 506 unknown scanners, and some suspicious attack groups with APT characteristics are analyzed. Furthermore, accurate scanning group information will contribute to revealing potential attack organizations and supporting decision making to prevent or interrupt cyber-attacks in time.

computer science, theory & methods,engineering, electrical & electronic

Akira Tanaka,Chansu Han,Takeshi Takahashi

DOI: https://doi.org/10.1109/access.2023.3249474

IF: 3.9

2023-01-01

IEEE Access

Abstract:Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tianyu Cui,Gaopeng Gou,Gang Xiong

DOI: https://doi.org/10.1007/978-3-030-47426-3_47

2022-04-20

Abstract:IPv6 scanning has always been a challenge for researchers in the field of network measurement. Due to the considerable IPv6 address space, while recent network speed and computational power have been improved, using a brute-force approach to probe the entire network space of IPv6 is almost impossible. Systems are required an algorithmic approach to generate more possible active target candidate sets to probe. In this paper, we first try to use deep learning to design such IPv6 target generation algorithms. The model effectively learns the address structure by stacking the gated convolutional layer to construct Variational Autoencoder (VAE). We also introduce two address classification methods to improve the model effect of the target generation. Experiments indicate that our approach 6GCVAE outperformed the conventional VAE models and the state-of-the-art target generation algorithm in two active address datasets.

Networking and Internet Architecture,Artificial Intelligence

Yuanming Zhang,Ting Han,Zelin Hao,Yu Cao,Jing Tao

DOI: https://doi.org/10.1109/ICBK.2019.00053

2019-01-01

Abstract:Application traffic signatures are byte subsequences or behaviors (such as packet sizes and interval times) within traffic that can distinguish which application is contributing to the network traffic, application traffic signatures form the building blocks of many constructions of deep packet analysis rules in numerous areas, such as network management, measurement, and even security systems. Under the pressure of the continual appearance of new applications and their frequent updates, how to efficiently and accurately extract signatures from network traffic becomes a more challenging issue. Although several generating methods have been proposed, because of the problems of efficiency, robustness, and refinement, the application of these methods in real network environments still has limitations. Existing CS (Common Subsequence) based approaches are ineffective in generating signatures from network traffic, especially when the network traffic is massive. In this paper, we propose ESGS, an efficient system to extracts signatures from application traffic traces. ESGS base on the Latent Dirichlet Allocation (LDA) and a modified sequence pattern algorithm. First, we use a semantic analysis algorithm based on the LDA to select the candidate packet from the traffic traces according to the semantic information of the packet and refine the traffic traces. Then, we use a modified sequence pattern algorithm to generate signatures in the filtered traffic trace. We compare ESGS with several existing generating methods via evaluation on real-world application traffic traces. The result shows that ESGS can generate application traffic signatures significantly faster, and the signatures perform high accuracy. In addition, this method can effectively reduce the input traffic of signature generation systems such as Sigbox, and significantly improve the efficiency of signature generation while having a little impact on accuracy.

Deng Yuli,Wang Yijun,Xue Zhi

DOI: https://doi.org/10.3969/j.issn.1000-386x.2022.11.018

2022-01-01

Abstract:Heuristic algorithms that discover potential patterns in IPv6 address collection are not capable of handling random addresses. If address collection includes large quantities of random addresses, it is hard for heuristic algorithms to find any address pattern. A method that filter pattern-based addresses from highly randomized IPv6 address collection is proposed, in order to reduce randomization of address collection and make the collection suitable for heuristic algorithms processing. The proposed method split address collection into multiple sub-collections, compared information entropy between original collection and each sub-collection, then recognized possible parts in address that related to address patterns and corresponding value of these parts based on entropy difference, and filter addresses according to recognized information. Experiments show that the proposed method can successfully filter pattern-based addresses from most of highly randomized address collection, and prove that this method has good performance on address patterns filtering.

Lanjia Wang,Haixin Duan,Xing Li

DOI: https://doi.org/10.1007/11602897_21

2005-01-01

Abstract:Detecting and identifying port scans is important for tracking malicious activities at early stage. The previous work mainly focuses on detecting individual scanners, while cares little about their common scan patterns that may imply important security threats against network. In this paper we propose a scan vector model, in which a scanner is represented by a vector that combines different scan features online, such as target ports and scan rate. A center-based clustering algorithm is then used to partition the scan vectors into groups, and provide a condense view of the major scan patterns by a succinct summary of the groups. The experiment on traffic data gathered from two subnets in our campus network shows that our method can accurately identify the major scan patterns without being biased by heavy hitters, meanwhile, possessing simplicity and low computation cost.