CR Mar 11, 2020

Scan Correlation -- Revealing distributed scan campaigns

arXiv:2003.05188v11 citations
Originality: Synthesis-oriented

AI Analysis

This work addresses the challenge of detecting and analyzing distributed scanning activities for network security practitioners, though it appears incremental as it builds on existing scan detection methods.

The paper tackles the problem of detecting distributed port scan campaigns on public networks by presenting a correlation algorithm that identifies and reassembles related scans, and it demonstrates the algorithm's ability to summarize and characterize such campaigns using real-world Internet traffic.

Public networks are exposed to port scans from the Internet. Attackers search for vulnerable services they can exploit. In large scan campaigns, attackers often utilize different machines to perform distributed scans, which impedes their detection and might also camouflage the actual goal of the scanning campaign. In this paper, we present a correlation algorithm to detect scans, identify potential relations among them, and reassemble them into larger campaigns. We evaluate our approach on real-world Internet traffic, and our results indicate that it can summarize and characterize standalone and distributed scan campaigns based on their tools and intention.
