Guanglei Song,Lin He,Tao Chen,Jinlei Lin,Linna Fan,Kun Wen,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1109/tnet.2024.3491314

2024-01-01

IEEE/ACM Transactions on Networking

Abstract:Internet-wide scanning is a commonly used research technique in various network surveys, such as measuring service deployment and security vulnerabilities. However, these network surveys are limited to the given port set, not comprehensively obtaining the real network landscape, and even misleading survey conclusions. In this work, we introduce PMap, a port scanning tool that efficiently discovers the most open ports from all 65K ports in the whole network. PMapuses the correlation of ports to build an open port correlation graph of each network, using a reinforcement learning framework to update the correlation graph based on feedback results and dynamically adjust the order of port scanning. Compared to current port scanning methods, PMapperforms better on hit rate, coverage, and intrusiveness. Our experiments over real networks show that PMapcan find 90% open ports by only scanning 125 ports (90%@125) to each address, which is 99.3% less than the state-of-the-art port scanning methods. It reduces the number of scanned ports to decrease the intrusive nature of port scanning. In addition, PMapis highly parallel and lightweight. It scans 500 networks in parallel, achieving a port recommendation rate of up to 18 million per second, consuming only 7GB of memory. PMapis the first effective practice for scanning open ports using reinforcement learning. It bridges the gap of existing scanning tools and effectively supports subsequent service discovery and security research.

Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

Yirui Luo,Chenglong Li,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1145/3649470

2024-01-01

Abstract:Internet-wide port and service scanning, a vital tool for network research, is unaffordable in time and network bandwidth consumption. However, scanning only a portion of ports and services may lead to erroneous research conclusions. Previous work has shortened scanning time by predicting potentially active ports and eliminating many invalid scan targets. Still, they suffer from inherent design flaws that compromise their performance in terms of prediction accuracy and efficiency. The vast, unevenly distributed, and noisy nature of active ports presents significant challenges for prediction systems. Meanwhile, service prediction work is still in a shortage state. In this work, we introduce IPREDS, the first efficient prediction system for Internet-wide port and service scanning. IPREDS uses its carefully designed decision model to utilize all input features and predict the scanning reward of each target in parallel, providing high coverage prediction results in minimal time. Our experiment results show that IPREDS can discover 87% of active ports across the entire IPv4 network within two hours, saving at least 87.26% of the total time and 59% of the packets sent compared to existing work. For service scanning, IPREDS finds 91% of all active services using only four handshakes on each active port and saves 85.9% time to find 69% of each active service compared to exhaustive service scanning.

Jian Qu,Xiaobo Ma,Wenmao Liu,Hongqing Sang,Jianfeng Li,Lei Xue,Xiapu Luo,Zhenhua Li,Li Feng,Xiaohong Guan

DOI: https://doi.org/10.1109/tnet.2023.3312162

2024-01-01

Abstract:Cyber search engines, such as Shodan and Censys, have gained popularity due to their strong capability of indexing the Internet of Things (IoT). They actively scan and fingerprint IoT devices for unearthing IP-device mapping. Because of the large address space of the Internet and the mapping's mutative nature, efficiently tracking the evolution of IP-device mapping with a limited budget of scans is essential for building timely cyber search engines. An intuitive solution is to use reinforcement learning to schedule more scans to networks with high churn rates of IP-device mapping. However, such an intuitive solution has never been systematically studied. In this paper, we take the first step toward demystifying this problem based on our experiences in maintaining a global IoT scanning platform. Inspired by the measurement study of large-scale real-world IoT scan records, we land reinforcement learning onto a system capable of smartly scanning IoT devices in a principled way. We disclose key parameters affecting the effectiveness of different scanning strategies, and real-world experiments demonstrate that our system can scan up to around 40 times as many IP-device mapping mutations as random/sequential scanning.

Jian Qu,Xiaobo Ma,Wenmao Liu,Hongqing Sang,Jianfeng Li,Lei Xue,Xiapu Luo,Zhenhua Li,Li Feng,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom48880.2022.9796737

2022-01-01

Abstract:Cyber search engines, such as Shodan and Censys, have gained popularity due to their strong capability of indexing the Internet of Things (IoT). They actively scan and fingerprint IoT devices for unearthing IP-device mapping. Because of the large address space of the Internet and the mapping’s mutative nature, efficiently tracking the evolution of IP-device mapping with a limited budget of scans is essential for building timely cyber search engines. An intuitive solution is to use reinforcement learning to schedule more scans to networks with high churn rates of IP-device mapping. However, such an intuitive solution has never been systematically studied. In this paper, we take the first step toward demystifying this problem based on our experiences in maintaining a global IoT scanning platform. Inspired by the measurement study of large-scale real-world IoT scan records, we land reinforcement learning onto a system capable of smartly scanning IoT devices in a principled way. We disclose key parameters affecting the effectiveness of different scanning strategies, and find that our system would achieve growing advantages with the proliferation of IoT devices.

Menghao Zhang,Guanyu Li,Cheng Guo,Han Bao,Mingwei Xu,Hongxin Hu,Fenghua Li

DOI: https://doi.org/10.1109/tifs.2023.3327665

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Network scanning has been a standard measurement technique to understand the network's security situations, however, probing a large-scale scanning space with existing network scanners is both difficult and slow. To address this issue, we introduce IMap, a fast and scalable in-network scanner based on programmable switches. In designing IMap, we overcome key restrictions posed by computation models and memory resources of programmable switches, and devise numerous techniques and optimizations to turn a switch into a practical high-speed network scanner. We conduct preliminary experiments on the open-source prototype of IMap and evaluation results show that IMap can survey all addresses (i.e., 6 Class B Addresses) and all ports of our campus network in 8 minutes, nearly 4 times faster than state-of-the-art network scanners. As an ongoing work, we plan to continuously improve the design and implementation of IMap, and hope IMap can serve as a foundation for designing next-generation terabit network scanners.

Xiaoxuan Liu,Guozheng Yang,Yi Xie,Xuehu Yan

DOI: https://doi.org/10.3390/electronics13204036

IF: 2.9

2024-10-15

Electronics

Abstract:The development of network measurement technologies has greatly increased the speed of network scans, but it also poses risks for the stability of the scanned networks. How to reduce probing traffic and enhance the effectiveness of probing has become a new research issue. In this paper, we utilize network measurement and machine learning techniques, leveraging public interfaces from network mapping platforms to construct a dataset with 44 feature dimensions. By combining the categorical boosting (CatBoost) model with the particle swarm optimization (PSO) algorithm for heuristic optimization, we propose a host port openness prediction model that integrates the PSO algorithm and the CatBoost model. Through comparisons with various machine learning models, the effectiveness of our proposed model was validated. Using this model in network scanning can save approximately 65% of bandwidth on average, effectively reducing the impact on the probed network.

engineering, electrical & electronic,computer science, information systems,physics, applied

Chao Yuan,Jinze Du,Min Yue,Tao Ma

DOI: https://doi.org/10.3390/s20164423

IF: 3.9

2020-08-08

Sensors

Abstract:The control network is an important supporting environment for the control system of the heavy ion accelerator in Lanzhou (HIRFL). It is of great importance to maintain the accelerator system’s network security for the stable operation of the accelerator. With the rapid expansion of the network scale and the increasing complexity of accelerator system equipment, the security situation of the control network is becoming increasingly severe. Port scanning detection can effectively reduce the losses caused by viruses and Trojan horses. This article uses Go Concurrency Patterns, combined with transmission control protocol (TCP) full connection scanning and GIMP Toolkit (GTK) graphic display technology, to develop a tool called HIRFL Scanner. It can scan IP addresses in any range with any ports. This is a very fast, installation-free, cross-platform IP address and port scanning tool. Finally, a series of experiments show that the tool developed in this paper is much faster than the same type of software, and meets the expected development needs.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Liz Izhikevich,Renata Teixeira,Zakir Durumeric

DOI: https://doi.org/10.48550/arXiv.2301.04841

2023-01-12

Cryptography and Security

Abstract:Internet-wide scanning is a commonly used research technique that has helped uncover real-world attacks, find cryptographic weaknesses, and understand both operator and miscreant behavior. Studies that employ scanning have largely assumed that services are hosted on their IANA-assigned ports, overlooking the study of services on unusual ports. In this work, we investigate where Internet services are deployed in practice and evaluate the security posture of services on unexpected ports. We show protocol deployment is more diffuse than previously believed and that protocols run on many additional ports beyond their primary IANA-assigned port. For example, only 3% of HTTP and 6% of TLS services run on ports 80 and 443, respectively. Services on non-standard ports are more likely to be insecure, which results in studies dramatically underestimating the security posture of Internet hosts. Building on our observations, we introduce LZR ("Laser"), a system that identifies 99% of identifiable unexpected services in five handshakes and dramatically reduces the time needed to perform application-layer scans on ports with few responsive expected services (e.g., 5500% speedup on 27017/MongoDB). We conclude with recommendations for future studies.

Rana Abu Bakar,Boonserm Kijsirikul

DOI: https://doi.org/10.3390/s23177541

2023-08-30

Abstract:Network security is paramount in today's digital landscape, where cyberthreats continue to evolve and pose significant risks. We propose a DPDK-based scanner based on a study on advanced port scanning techniques to improve network visibility and security. The traditional port scanning methods suffer from speed, accuracy, and efficiency limitations, hindering effective threat detection and mitigation. In this paper, we develop and implement advanced techniques such as protocol-specific probes and evasive scan techniques to enhance the visibility and security of networks. We also evaluate network scanning performance and scalability using programmable hardware, including smart NICs and DPDK-based frameworks, along with in-network processing, data parallelization, and hardware acceleration. Additionally, we leverage application-level protocol parsing to accelerate network discovery and mapping, analyzing protocol-specific information. In our experimental evaluation, our proposed DPDK-based scanner demonstrated a significant improvement in target scanning speed, achieving a 2× speedup compared to other scanners in a target scanning environment. Furthermore, our scanner achieved a high accuracy rate of 99.5% in identifying open ports. Notably, our solution also exhibited a lower CPU and memory utilization, with an approximately 40% reduction compared to alternative scanners. These results highlight the effectiveness and efficiency of our proposed scanning techniques in enhancing network visibility and security. The outcomes of this research contribute to the field by providing insights and innovations to improve network security, identify vulnerabilities, and optimize network performance.

Jason M. Pittman

DOI: https://doi.org/10.48550/arXiv.2302.09317

2023-02-18

Abstract:Port scanning is the process of attempting to connect to various network ports on a computing endpoint to determine which ports are open and which services are running on them. It is a common method used by hackers to identify vulnerabilities in a network or system. By determining which ports are open, an attacker can identify which services and applications are running on a device and potentially exploit any known vulnerabilities in those services. Consequently, it is important to detect port scanning because it is often the first step in a cyber attack. By identifying port scanning attempts, cybersecurity professionals can take proactive measures to protect the systems and networks before an attacker has a chance to exploit any vulnerabilities. Against this background, researchers have worked for over a decade to develop robust methods to detect port scanning. One such method revealed by a recent systematic review is the random forest supervised machine learning algorithm. The review revealed six existing studies using random forest since 2021. Unfortunately, those studies each exhibit different results, do not all use the same training and testing dataset, and only two include source code. Accordingly, the goal of this work was to reproduce the six random forest studies while addressing the apparent shortcomings. The outcomes are significant for researchers looking to explore random forest to detect port scanning and for practitioners interested in reliable technology to detect the early stages of cyber attack.

Cryptography and Security,Machine Learning

Liz Izhikevich,Renata Teixeira,Zakir Durumeric

DOI: https://doi.org/10.1145/3544216.3544249

2023-03-02

Abstract:Internet-wide scanning is commonly used to understand the topology and security of the Internet. However, IPv4 Internet scans have been limited to scanning only a subset of services -- exhaustively scanning all IPv4 services is too costly and no existing bandwidth-saving frameworks are designed to scan IPv4 addresses across all ports. In this work we introduce GPS, a system that efficiently discovers Internet services across all ports. GPS runs a predictive framework that learns from extremely small sample sizes and is highly parallelizable, allowing it to quickly find patterns between services across all 65K ports and a myriad of features. GPS computes service predictions in 13 minutes (four orders of magnitude faster than prior work) and finds 92.5% of services across all ports with 131x less bandwidth, and 204x more precision, compared to exhaustive scanning. GPS is the first work to show that, given at least two responsive IP addresses on a port to train from, predicting the majority of services across all ports is possible and practical.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing,Machine Learning

Shanthi Komatnani Govindan,Hema Vijayaraghavan,Kolandairaj Kishore Anthuvan Sahayaraj,Alphonse Mary Joy Kinol

DOI: https://doi.org/10.1080/01468030.2024.2342275

2024-05-17

Fiber & Integrated Optics

Abstract:The rapid proliferation of Internet of Things (IoT) devices has spurred the need for robust security mechanisms within wireless local area network (WLAN) environments. Specifically, the IEEE 802.11ah (WiFi-HaLow) technology offers low-power, long-range communication capabilities ideally suited for IoT devices, but these devices face security threats due to constrained computational resources. This research addresses the challenge of optimizing Internet-wide port scanning to enhance IoT security while minimizing disruptions to network performance. In this paper, we propose a novel reinforcement learning-based approach to achieve this optimization. Our approach harnesses the power of the Proximal Policy Optimization (PPO) algorithm to guide decision-making for IoT security and network performance enhancement. The proposed solution entails training an agent to dynamically adjust the port scanning rate, ensuring the delicate balance between security improvement and network responsiveness. We establish a comprehensive system model, encompassing WiFi-HaLow infrastructure, IPv6-enabled IoT devices, and the integration of Internet-security (IPSec) protocols. Mathematical formulations encapsulate constraints such as resource limitations and security-performance trade-offs. Our experimental setup utilizes a carefully curated dataset and a simulation environment to rigorously evaluate the proposed solution's effectiveness. The proposed approach demonstrates remarkable security enhancement through the prevention of unauthorized access attempts, data breaches, and improved intrusion detection. Moreover, network performance is optimized, with reductions in latency, improvements in throughput, and energy-efficient operation. By presenting a plethora of comparison scenarios, we validate the superiority of our solution against various benchmarks. This research contributes a comprehensive framework that not only advances IoT security within WLAN environments but also highlights the intricate relationship between security and network performance optimization.

optics

Akira Tanaka,Chansu Han,Takeshi Takahashi

DOI: https://doi.org/10.1109/access.2023.3249474

IF: 3.9

2023-01-01

IEEE Access

Abstract:Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tianxiang Dai,Haya Shulman

DOI: https://doi.org/10.1145/3485832.3485917

2024-04-16

Abstract:To protect themselves from attacks, networks need to enforce ingress filtering, i.e., block inbound packets sent from spoofed IP addresses. Although this is a widely known best practice, it is still not clear how many networks do not block spoofed packets. Inferring the extent of spoofability at Internet scale is challenging and despite multiple efforts the existing studies currently cover only a limited set of the Internet networks: they can either measure networks that operate servers with faulty network-stack implementations, or require installation of the measurement software on volunteer networks, or assume specific properties, like traceroute loops. Improving coverage of the spoofing measurements is critical. In this work we present the Spoofing Mapper (SMap): the first scanner for performing Internet-wide studies of ingress filtering. SMap evaluates spoofability of networks utilising standard protocols that are present in almost any Internet network. We applied SMap for Internet-wide measurements of ingress filtering: we found that 69.8% of all the Autonomous Systems (ASes) in the Internet do not filter spoofed packets and found 46880 new spoofable ASes which were not identified in prior studies. Our measurements with SMap provide the first comprehensive view of ingress filtering deployment in the Internet as well as remediation in filtering spoofed packets over a period of two years until May 2021. We set up a web service at <a class="link-external link-https" href="https://smap.cad.sit.fraunhofer.de" rel="external noopener nofollow">this https URL</a> to perform continual Internet-wide data collection with SMap and display statistics from spoofing evaluation. We make our datasets as well as the SMap (implementation and the source code) publicly available to enable researchers to reproduce and validate our results, as well as to continually keep track of changes in filtering spoofed packets in the Internet.

Cryptography and Security

LIU Ting-hua,SONG Hua,DAI Yi-qi

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.09.003

2006-01-01

Abstract:Techniques of the port scan and its detection were introduced briefly.A new self-adaptive distributed detection method of port scan wasdesigned and implemented.By detecting anomalous packets and calculating the class's anomalysum value,it sets adynamic threshold combined with the network traffic,and then judges whether that is a scan.This method could detect slow scans,random scans and distributed scans effectively.And it could detect DDoS(distributed denial of service) attacks as well.

Lanjia Wang,Haixin Duan,Xing Li

DOI: https://doi.org/10.1007/11602897_21

2005-01-01

Abstract:Detecting and identifying port scans is important for tracking malicious activities at early stage. The previous work mainly focuses on detecting individual scanners, while cares little about their common scan patterns that may imply important security threats against network. In this paper we propose a scan vector model, in which a scanner is represented by a vector that combines different scan features online, such as target ports and scan rate. A center-based clustering algorithm is then used to partition the scan vectors into groups, and provide a condense view of the major scan patterns by a succinct summary of the groups. The experiment on traffic data gathered from two subnets in our campus network shows that our method can accurately identify the major scan patterns without being biased by heavy hitters, meanwhile, possessing simplicity and low computation cost.

Li Zeming,Cheng Liang,Zhu Daming,Yan Zhaojin,Ji Chen,Duan Zhixin,Jing Min,Li Ning,Dongye Shengkun,Song Yanruo,Liu Jiahui

DOI: https://doi.org/10.3788/lop202158.2028002

2021-01-01

Laser & Optoelectronics Progress

Abstract:In view of the difficulty of automatic port recognition, the ship-wharf-port progressive recognition model is proposed by combining deep learning and geospatial analysis on high-resolution visible light remote sensing images. Firstly, the constructed wharf sample data set is enhanced, and the enhanced data set is used to train the YOLO v3 algorithm. Then, the multi-scale recognition is carried out by the sliding window on the large remote sensing images, and the underlying features of the images are obtained to calculate the wharf categories and pixel coordinates. Finally, the locations of wharves are transformed into geographical coordinates, and the Getis-Ord Gi* statistical method is used to analyze the hot spots. The classical density clustering method is used to identify and extract the locations and ranges of ports. The recognition comparison results in the experimental area show that the proportion of port basin recognition by improved model reaches 82.79% at aggregated threshold of 1000 m.

Stefan Gvozdenovic,Johannes K Becker,John Mikulskis,David Starobinski

DOI: https://doi.org/10.48550/arXiv.2204.02538

2022-04-06

Abstract:Network reconnaissance is a core networking and security procedure aimed at discovering devices and their properties. For IP-based networks, several network reconnaissance tools are available, such as Nmap. For the Internet of Things (IoT), there is currently no similar tool capable of discovering devices across multiple protocols. In this paper, we present IoT-Scan, a universal IoT network reconnaissance tool. IoT-Scan is based on software defined radio (SDR) technology, which allows for a flexible software-based implementation of radio protocols. We present a series of passive, active, multi-channel, and multi-protocol scanning algorithms to speed up the discovery of devices with IoT-Scan. We benchmark the passive scanning algorithms against a theoretical traffic model based on the non-uniform coupon collector problem. We implement the scanning algorithms and compare their performance for four popular IoT protocols: Zigbee, Bluetooth LE, Z-Wave, and LoRa. Through extensive experiments with dozens of IoT devices, we demonstrate that our implementation experiences minimal packet losses and achieves performance near the theoretical benchmark. Using multi-protocol scanning, we further demonstrate a reduction of 70\% in the discovery times of Bluetooth and Zigbee devices in the 2.4\,GHz band and of LoRa and Z-Wave devices in the 900\,MHz band, compared to sequential passive scanning. We make our implementation and data available to the research community to allow independent replication of our results and facilitate further development of the tool.

Systems and Control,Networking and Internet Architecture

Jan Rüth,Torsten Zimmermann,Oliver Hohlfeld

DOI: https://doi.org/10.48550/arXiv.1901.07265

2019-01-22

Abstract:Internet-wide scans are a common active measurement approach to study the Internet, e.g., studying security properties or protocol adoption. They involve probing large address ranges (IPv4 or parts of IPv6) for specific ports or protocols. Besides their primary use for probing (e.g., studying protocol adoption), we show that - at the same time - they provide valuable insights into the Internet control plane informed by ICMP responses to these probes - a currently unexplored secondary use. We collect one week of ICMP responses (637.50M messages) to several Internet-wide ZMap scans covering multiple TCP and UDP ports as well as DNS-based scans covering > 50% of the domain name space. This perspective enables us to study the Internet's control plane as a by-product of Internet measurements. We receive ICMP messages from ~171M different IPs in roughly 53K different autonomous systems. Additionally, we uncover multiple control plane problems, e.g., we detect a plethora of outdated and misconfigured routers and uncover the presence of large-scale persistent routing loops in IPv4.

Networking and Internet Architecture