Scanning Activity Seen @ LBNL Scanning Hosts Seen @ LBNL Services - - PowerPoint PPT Presentation

▶

Sep 18, 2022 194 likes •322 views

Scanning Activity Seen @ LBNL Scanning Hosts Seen @ LBNL Services Scanned Over Time Scans Per Scanner Hosts Scanned Per Scanner Ports Scanned Per Scanner Scanning Speed # Failed Conns Not Enough Info Failure Ratio Much More Distinctive

SLIDE 1

Scanning Activity Seen @ LBNL

SLIDE 2

Scanning Hosts Seen @ LBNL

SLIDE 3

Services Scanned Over Time

SLIDE 4

Scans Per Scanner

SLIDE 5

Hosts Scanned Per Scanner

SLIDE 6

Ports Scanned Per Scanner

SLIDE 7

Scanning Speed

SLIDE 8

# Failed Conn’s Not Enough Info

SLIDE 9

Failure Ratio Much More Distinctive

SLIDE 10

Real-Time Detection

SLIDE 11

Expected Time Until Decision

SLIDE 12

RB-SHT: Rate-Based Detection

n,Tn

( ) fn Tn | Hscanning

( )

fn Tn | Hbenign

( )

= 1

exp 10

( )Tn

FCC’s interarrival times follow exponential dist. with

mean (scanner) or (benign host).

Tn : elapsed time until n FCC arrivals follows

Scanning Activity Seen @ LBNL Scanning Hosts Seen @ LBNL Services - - PowerPoint PPT Presentation

Scanning Activity Seen @ LBNL

Scanning Hosts Seen @ LBNL

Services Scanned Over Time

Scans Per Scanner

Hosts Scanned Per Scanner

Ports Scanned Per Scanner

Scanning Speed

# Failed Conn’s Not Enough Info

Failure Ratio Much More Distinctive

Real-Time Detection

Expected Time Until Decision

RB-SHT: Rate-Based Detection

n,Tn

( ) fn Tn | Hscanning

( )

fn Tn | Hbenign

( )

= 1

exp 10

( )Tn

mean (scanner) or (benign host).

n-Erlang distribution 1

1

1

< 1